This step type creates a risk evaluation in PingOne.

Step properties used with flow definitions

Configuration schema property Description
riskPolicySet.id A string that specifies the risk policy set to use for risk evaluation.
useDefaultPolicy A boolean that specifies whether to use the environment’s default policy set for the risk evaluation. If this property is set to false, a risk policy set ID must be specified in the riskPolicySet.id property.
profileDevice A boolean that specifies whether the device will be profiled during the step execution. If the value of this property is set to true, the step prompts for a device profile action.
Input property Description
riskEvaluation.event.targetResource.id A string that specifies the ID of the target application, which is the application the user attempts to access.
riskEvaluation.event.targetResource.name A string that specifies the name of the target application, which is the application the user attempts to access. The riskEvaluation.event.targetResource is an optional property, but if the riskEvaluation.event.targetResource.name property is specified, then the riskEvaluation.event.targetResource.id property must also be specified.
riskEvaluation.event.ip A string that specifies the origin IP address. This is a required property.
riskEvaluation.event.flow.type A string that specifies the flow type. The default value is AUTHENTICATION.
riskEvaluation.event.user.name A string that specifies the name of the user associated with the risk evaluation.
riskEvaluation.event.user.type A string that specifies the type of user associated with the risk evaluation. Options are EXTERNAL and PING_ONE. This is a required property.
riskEvaluation.event.user.id A string that specifies the user ID associated with the risk evaluation. If the user type is PING_ONE, the user name is filled automatically according to the user ID. If the user does not exist in PING ONE, the step produces an error. If the user type is EXTERNAL, the user name should be added so that it displays in the dashboards; if the user name is not provided, the user ID is shown. This is a required property.
riskEvaluation.event.sharingType A string that specifies associated device sharing type. Options are UNSPECIFIED, SHARED, and PRIVATE.
riskEvaluation.event.browser.userAgent A string that specifies the user agent of the browser that triggered the flow. The placeholder, ${flow.inputs.headers.user-agent}, is recommended for browser-based flows.
riskEvaluation.event.origin A string that specifies the calling service.

The step returns the risk level of the transaction, which can be evaluated as HIGH, MEDIUM, or LOW. The following properties are returned for the HIGH, MEDIUM, or LOW risk levels.

The following properties are always returned in the risk evaluation.

Output property Description
riskEvaluation.id A string that specifies the ID of risk evaluation.
riskEvaluation.riskPolicySet.id A string that specifies the ID of risk policy set used for risk evaluation.
riskEvaluation.riskPolicySet.name A string that specifies the name of risk policy set used for risk evaluation.
riskEvaluation.result.value A string that specifies the risk result custom value.
riskEvaluation.details.ipAddressReputation An object that specifies the risk associated with IP address reputation.
riskEvaluation.details.ipAddressReputation.score An integer that specifies the risk associated with IP address reputation, expressed as a number between 0 and 100.
riskEvaluation.details.ipAddressReputation.level A string that specifies the risk level associated with IP address reputation. Options are HIGH, MEDIUM, or LOW.
riskEvaluation.details.anonymousNetworkDetected A boolean that specifies whether the IP is associated with an anonymous network.
riskEvaluation.details.country A string that specifies the country where the flow originated, according to the IP address.
riskEvaluation.details.impossibleTravel A boolean that specifies whether the velocity required to move between the user’s previous successful location to its current inferred location is too large.

The following properties are returned in the risk evaluation only for environments with data consent enabled.

Output property Description
riskEvaluation.details.ipVelocityByUser.level A string that specifies the risk associated with IP velocity by user. Options are HIGH, MEDIUM, or LOW.
riskEvaluation.details.ipVelocityByUser.reason A string that specifies the reason for the risk associated with IP velocity by user.
riskEvaluation.details.ipVelocityByUser.threshold An object that provides information about the threshold used to determine the IP velocity level.
riskEvaluation.details.ipVelocityByUser.threshold.source A string that specifies the source used to calculate the threshold.
riskEvaluation.details.ipVelocityByUser.threshold.high A number that specifies whether the user accessed more than this number of IPs during the past hour. If so, the user is flagged as having HIGH IP velocity.
riskEvaluation.details.ipVelocityByUser.threshold.medium A number that specifies whether the user accessed more than this number of IPs during the past hour. If so, the user is flagged as having MEDIUM IP velocity.
riskEvaluation.details.ipVelocityByUser.threshold.calculatedAt A string that specifies date and time at which the threshold was calculated.
riskEvaluation.details.ipVelocityByUser.threshold.expiresAt A string that specifies date and time at which the threshold will expire and be re-calculated.
riskEvaluation.details.ipVelocityByUser.velocity.distinctCount An integer that specifies the distinct count of IPs accessed by the user in the previous seconds specified by the during property.
riskEvaluation.details.ipVelocityByUser.velocity.during An integer that specifies the number of seconds to use in determining the distinctCount value.
riskEvaluation.details.userVelocityByIp.level A string that specifies the risk associated with user velocity by IP. Options are HIGH, MEDIUM, or LOW.
riskEvaluation.details.userVelocityByIp.reason A string that specifies the reason for the risk associated with user velocity by IP.
riskEvaluation.details.userVelocityByIp.threshold An object that provides information about the threshold used to determine the user velocity level.
riskEvaluation.details.userVelocityByIp.threshold.high A number that specifies whether the IP was accessed by more than this number of users during the past hour. If so, it is flagged as having HIGH user velocity.
riskEvaluation.details.userVelocityByIp.threshold.medium A number that specifies whether the IP was accessed by more than this number of users during the past hour. If so, it is flagged as having MEDIUM user velocity.
riskEvaluation.details.userVelocityByIp.threshold.calculatedAt A string that specifies date and time at which the threshold was calculated.
riskEvaluation.details.userVelocityByIp.threshold.expiresAt A string that specifies date and time at which the threshold will expire and be re-calculated.
riskEvaluation.details.userVelocityByIp.velocity.distinctCount An integer that specifies the distinct count of users that accessed the IP in the previous seconds specified by the during property.
riskEvaluation.details.userVelocityByIp.velocity.during An integer that specifies the number of seconds to use in determining the distinctCount value.
riskEvaluation.details.userRiskBehavior.level A string that specifies the risk associated with user risk behavior. Options are HIGH, MEDIUM, or LOW.
riskEvaluation.details.userRiskBehavior.reason A string that specifies the reason for the risk associated with user risk behavior.
riskEvaluation.details.userBasedRiskBehavior.level A string that specifies the risk associated with user-based risk behavior. Options are HIGH, MEDIUM, or LOW.
riskEvaluation.details.userBasedRiskBehavior.reason A string that specifies the reason for the risk associated with user-based risk behavior.

Step properties used with flow executions

Flow state Description
PROFILE_DEVICE A flow status that prompts for a device profile action. The action is initiated only if the value of the profileDevice configuration property is set to true.
Links Description
profile.device The link to initiate an action to set the device profile. The action must provide a value for the browserFingerprint property and specify application/vnd.pingidentity.device.profile+json as the custom content type.
Parameters Description
browserFingerprint An object that specifies the browser fingerprint attributes.