PingGateway 2024.6

PingOneProtectEvaluationFilter

Passes data to PingOne Protect and gets a risk evaluation for an incoming request.

The PingOneProtectEvaluationFilter is available in Technology preview. It isn’t yet supported, may be functionally incomplete, and is subject to change without notice.

PingGateway makes a risk evaluation request to PingOne Protect. The PingOne Protect response returns a risk evaluation, from which PingGateway retains the following items in the evaluation context:

  • Risk level (LOW, MEDIUM, or HIGH)

  • Risk score, a single aggregated numerical value

The PingOneProtectEvaluationFilter records the evaluation in a PingOneProtectEvaluationContext object. Configure a PingOneProtectThreatLevelRoutingHandler to act on the risk level set in the context. As an alternative, use a DispatchHandler to act on the risk score.

Usage

{
  "name": string,
  "type": "PingOneProtectEvaluationFilter",
  "config": {
    "evaluationEndpoint": configuration expression<url>,
    "endpointHandler": Handler reference,
    "failureHandler": Handler reference,
    "userId": runtime expression<string>,
    "policySet": configuration expression<string>,
    "lowRiskEvaluationThrottlePeriod": configuration expression<duration>,
    "nonEvaluatedUrls": configuration expression<boolean>
  }
}

Configuration

"evaluationEndpoint": configuration expression<url>, required

The PingOne Protect evaluation endpoint URI.

"endpointHandler": Handler reference, optional

The handler to make requests to the evaluationEndpoint.

Default: ForgeRockClientHandler

"failureHandler": Handler reference, optional

The handler to use when the request to the evaluationEndpoint fails.

Default: Return an HTTP 403 Forbidden response; if the request to the evaluationEndpoint fails, PingGateway denies access by default.

"userId": runtime expression<string>, optional

An expression that sets the user identifier when one is available, for example, when the user has already authenticated in the route.

PingGateway raises an error if the expression resolves to null.

Default: A UUID that remains the same for the lifetime of the session

"policySet": configuration expression<string>, optional

The PingOne Protect policy set to use.

Default: The default policy set for the evaluation service

"lowRiskEvaluationThrottlePeriod": configuration expression<duration>, optional

When PingOne Protect returns a low risk level for an incoming request, PingGateway waits until this period expires before making another risk evaluation request for the same session.

Set this to zero to make a risk evaluation request for every incoming request.

Default: 2 minutes

"nonEvaluatedUrls": configuration expression<boolean>, optional

A boolean conditional expression matching request URLs to exclude from risk evaluation.

Default: false (evaluate risk for all request URLs)

Example

The following example prepares PingGateway to make requests to PingOne Protect for risk evaluation. It doesn’t request risk evaluation for CDSSO redirect requests to /home/cdsso/redirect. The route properties envHost and envId and the policy set identifier depend on your PingOne Protect deployment:

{
  "name": "PingOneProtectEvaluationFilter-1",
  "type": "PingOneProtectEvaluationFilter",
  "config": {
    "evaluationEndpoint": "https://&{envHost}/v1/environments/&{envId}/riskEvaluations",
    "endpointHandler": "EvaluationEndpointHandler",
    "policySet": "47447388-fa5a-40f7-b3f1-24fbbbbc30",
    "userId": "${contexts.cdsso.claimsSet.subject}",
    "nonEvaluatedUrls": "${find(request.uri.path, '/home/cdsso/redirect')}"
  }
}

Copyright © 2010-2024 ForgeRock, all rights reserved.