Third-party risk assessment integration

This information provides guidance on, and enables customization of, the IBM® Security Verify (ISV) webhooks feature for third-party risk assessment integration. The terms third-party integration, third-party risk assessment, and external third-party provider refer to the same thing and are used interchangeably throughout this document.

Third-party risk assessment overview

Third-party risk assessment allows Verify to have the risk evaluation done externally by using the webhooks feature. The risk that is calculated by the third-party provider is fed back to the access policy framework and then back to the user application through the SAML or OIDC components.

Third-party risk assessment also allows third-party integrations to provide the attributes that they support. These attributes can then be used in the access policy object to evaluate the risk associated with the user's application access.

The diagram captures the end-to-end flow.

The diagram shows the flow among the application, access policies, attributes, and webhooks in relation to the third-party integrations.

Third-party risk assessment can be enabled in Verify by configuring the following frameworks:

Access Policy
Provides configuration APIs, management of the access policies and the run-time flow for the external third-party risk provider. It must be associated with a realtime webhook configuration instance.
Realtime webhook
Provides the Verify internal components with access to the third-party risk integration provider over the public internet. The webhook provides HTTPS client connectivity to the external third-party risk provider. The configuration handles aspects such as:
  • The public internet location addresses where the provider might be contacted.
  • Secure authentication and connection to external provider web APIs.
  • Request and response transformation and mapping.
  • A set of "API Resources" that Verify internal run-time components might start.