Understand Risk Providers

Adaptive Security uses the concept of risk providers to allow identity domain administrators and security administrators to configure various contextual and threat events to be analyzed within Oracle Identity Cloud Service, and also to configure and consume user risk scores from third-party risk providers.

A default risk provider within Oracle Identity Cloud Service is seeded automatically with a list of supported contextual and threat events, such as too many unsuccessful login attempts, too many unsuccessful MFA attempts, access from unknown devices, access from unfamiliar locations, access from suspicious IP addresses, and impossible travel between locations. Administrators can enable events of interest, and specify weighting or severity for each of these events. The system uses the configured weighting to compute the user’s Oracle Identity Cloud Service risk score.

Example:

Consider a user who logs into Oracle Identity Cloud Service using a new device, say a laptop. Because the device is unknown, the system won't recognize it, so it triggers the Access from an unknown login device event and gets the weighting for that event from the configuration. There are six events in the risk provider configuration: Access from an unknown device, Too many unsuccessful login attempts, Too many unsuccessful MFA attempts, Access from suspicious IP addresses, Access from an unfamiliar location, and Impossible travel between locations.

The administrator can assign weightings to these events that correspond to risk ranges. Consider the risk ranges as follows: low risk range (0-25), medium risk range (26-75), and high risk range (76-100). If the administrator wants to consider the user login from an unknown device to be of low risk, then the administrator sets the weighting for that event to be less than 25. If the administrator wants to consider the same event to be of medium risk, then the administrator sets the weighting for that event to be between 26 and 75. Any value set above 75 for that event is considered high risk. If the user hits more than one event, then the risk score is a combination of those weightings and corresponds to whichever risk level the combination points to. The user's risk scores are evaluated continuously and are reduced based on the remediation actions that are taken by the user, such as successful logins and password resets.

Administrators can add additional risk providers to obtain a user’s risk score from the Symantec third-party risk engine. This risk engine provides additional intelligence on the user’s behavior across heterogeneous systems with which Oracle Identity Cloud Service isn’t directly involved.

To provide a consolidated risk profile of the user at any time, Oracle Identity Cloud Service takes the highest level of the risk scores of both the default Oracle Identity Cloud Service risk provider and the configured third-party risk providers, and qualifies the user as a high-risk, medium-risk, or low-risk user. For instance, if a user’s risk score from the default risk provider is within the Low range, but the risk score from a third-party risk provider is within the Medium range, then the user’s consolidated risk level is set to Medium.

Administrators can then use the Oracle Identity Cloud Service risk score, the third-party risk score, or the consolidated user risk level as conditions in Oracle Identity Cloud Service sign-on policies to enforce a remediation action, such as allowing or denying the user access to Oracle Identity Cloud Service and its protected applications and resources, requiring the user to provide a second factor to authenticate into Oracle Identity Cloud Service, and so on.
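
The following sketch is an added example, not Oracle Identity Cloud Service code. It models the risk ranges, the highest-level consolidation across providers, and a sign-on policy keyed on the consolidated level. The event weightings, the capped-sum combination rule, the 0-100 scale for third-party scores, and the policy actions are assumptions made for illustration.

```python
from enum import IntEnum

class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

def level_for(score):
    """Map a score to the ranges given above: 0-25, 26-75, 76-100."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    if score <= 25:
        return Level.LOW
    return Level.MEDIUM if score <= 75 else Level.HIGH

# Constructed weightings an administrator might assign to the six events.
WEIGHTS = {
    "unknown_device": 20,
    "too_many_failed_logins": 30,
    "too_many_failed_mfa": 40,
    "suspicious_ip": 80,
    "unfamiliar_location": 25,
    "impossible_travel": 90,
}

def default_provider_score(triggered, weights=WEIGHTS):
    """ASSUMPTION: weightings combine as a sum capped at 100.
    The page says only that the score is 'a combination' of them."""
    events = set(triggered)  # each event counts once
    unknown = events - weights.keys()
    if unknown:
        raise KeyError(f"event not enabled: {sorted(unknown)}")
    return min(100, sum(weights[e] for e in events))

def consolidated_level(default_score, third_party_scores=()):
    """Highest level across the default and third-party providers."""
    return max(level_for(s) for s in (default_score, *third_party_scores))

# Hypothetical sign-on policy: one remediation action per consolidated level.
POLICY = {
    Level.LOW: "allow",
    Level.MEDIUM: "require_second_factor",
    Level.HIGH: "deny",
}

def sign_on_action(triggered, third_party_scores=()):
    score = default_provider_score(triggered)
    return POLICY[consolidated_level(score, third_party_scores)]
```

A Low default score paired with a Medium third-party score yields Medium here, matching the consolidation case described above. A defender reviewing such a configuration should check which event pairs cross a range boundary when combined, since that is where the policy action changes.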