Add a Third-Party Risk Provider

You can add a risk provider to Oracle Identity Cloud Service that is used to obtain a user’s risk score from the Symantec third-party risk engine. This risk score provides additional intelligence on the user’s behavior across heterogeneous systems with which Oracle Identity Cloud Service isn’t directly involved. Administrators can then use this third-party risk score with Oracle Identity Cloud Service sign-on policies to enforce a remediation action, such as allowing or denying the user access to Oracle Identity Cloud Service and its protected applications and resources, or requiring the user to provide a second factor to authenticate to Oracle Identity Cloud Service.

  1. In the Identity Cloud Service console, expand the Navigation Drawer, click Security, and then click Adaptive Security. The Adaptive Security page appears.

    Note:

    On the Adaptive Security page, Oracle Identity Cloud Service provides a default risk provider that can’t be deleted. See Configuring the Default Risk Provider for more information about this risk provider.
  2. Click Add. The New Risk Provider page appears.
  3. Use the following table to populate the Details pane of the New Risk Provider page:
    | Field | Description |
    | --- | --- |
    | Company | Select the vendor of the risk provider solution. |
    | Name | Enter the name of the risk provider. |
    | Description | Provide a brief description of the risk provider. |
    | Endpoint Configuration URL | Enter the risk provider URL that Oracle Identity Cloud Service can use to reach out to obtain the user's risk score. |
    | Authentication Type | This menu contains two methods that Oracle Identity Cloud Service uses to authenticate against the risk provider: BASIC and TOKEN. If you select BASIC, then the User Name and Password fields appear. Enter the user name and password that Oracle Identity Cloud Service will use to authenticate against the risk provider. If you select TOKEN, then the Scheme and Token fields appear. Enter the name of the authentication scheme and the authentication token that Oracle Identity Cloud Service will use to pass a user's credentials to the risk provider. |
    | User Identifier | Select the unique identifier for user accounts that Oracle Identity Cloud Service will use to link the user in the risk provider. This identifier can be either the user name or the primary email address. |
    | Refresh Rate | Specify how often (in minutes or hours) Oracle Identity Cloud Service will make a call to the risk provider to check for refreshed scores. |
  4. To check whether the risk provider information is correct, click Validate.
    Verify that you see the message "The connection to the {risk_provider_name} risk provider has been validated."

    Note:

    If you receive an error message, then check the values you entered or selected for the Endpoint Configuration URL and Authentication Type fields.
  5. In the Risk Range pane of the Add Risk Provider page, the risk levels configured in the risk provider are shown automatically if the provider supports an API to get this information. If the API is not available, then the administrator can specify the risk ranges manually, as configured in the risk provider. These ranges only provide a reference to the risk ranges configured in the risk provider and have no significance in the risk calculations.
  6. Click Save. The risk provider is added and saved with a deactivated status. See Activate a Risk Provider for more information about activating this risk provider.
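
A pre-flight check of the Details pane values from step 3, run before clicking Validate in step 4. This is an added example, not Oracle or Symantec code. The dictionary keys and sample values are hypothetical, and it assumes the BASIC and TOKEN choices map to the standard HTTP `Authorization` header forms (`Basic <base64>` and `<scheme> <token>`).

```python
import base64
from urllib.parse import urlsplit

# Hypothetical keys mirroring the Details pane fields; not an Oracle or Symantec API.
REQUIRED = {"BASIC": ("user_name", "password"), "TOKEN": ("scheme", "token")}
USER_IDENTIFIERS = ("user name", "primary email address")

def authorization_header(cfg):
    """Header value the endpoint must accept (assumed standard HTTP Authorization forms)."""
    if cfg["auth_type"] == "BASIC":
        pair = f"{cfg['user_name']}:{cfg['password']}".encode()
        return "Basic " + base64.b64encode(pair).decode()  # encoding only, not encryption
    if cfg["auth_type"] == "TOKEN":
        return f"{cfg['scheme']} {cfg['token']}"
    raise ValueError("Authentication Type must be BASIC or TOKEN")

def lint(cfg):
    """Return the problems to fix before clicking Validate (empty list = none found)."""
    problems = []
    url = urlsplit(cfg.get("endpoint_url", ""))
    if url.scheme != "https":
        problems.append("endpoint URL is not https; credentials and scores would be sent in clear text")
    if not url.hostname:
        problems.append("endpoint URL has no host")
    if url.username or url.password:
        problems.append("endpoint URL embeds credentials; use the Authentication Type fields")
    auth = cfg.get("auth_type")
    if auth not in REQUIRED:
        problems.append("Authentication Type must be BASIC or TOKEN")
    else:
        problems += [f"{auth} requires {f}" for f in REQUIRED[auth] if not cfg.get(f)]
    if cfg.get("user_identifier") not in USER_IDENTIFIERS:
        problems.append("User Identifier must be the user name or the primary email address")
    amount, unit = cfg.get("refresh_rate", (0, ""))
    if amount <= 0 or unit not in ("minutes", "hours"):
        problems.append("Refresh Rate must be a positive number of minutes or hours")
    return problems

# Constructed sample values, for illustration only.
GOOD = {"endpoint_url": "https://risk.example.com/v1/score", "auth_type": "TOKEN",
        "scheme": "Bearer", "token": "constructed-token", "user_identifier": "primary email address",
        "refresh_rate": (30, "minutes")}
BAD = {"endpoint_url": "http://svc:pw@risk.example.com/v1/score", "auth_type": "BASIC",
       "user_name": "svc", "password": "", "user_identifier": "employee number",
       "refresh_rate": (0, "days")}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint(cfg) or "no problems found")
```

Because the BASIC header is only base64-encoded, the https check is the one that protects the stored user name and password in transit.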