
Ping Identity Use Cases


Adding Multi-Factor Authentication to Secure Apps (PingID with PingAccess)

Published: January 25, 2019

Components

  • PingID

  • PingAccess (version 4.0 or later)

  • PingFederate (version 8.1 or later)

Before you begin

Follow these steps to synchronize a session for your web apps between PingFederate and PingAccess through PingID.

  1. Log in to PingFederate.
  2. Create a SAML authentication policy contract as described in Policy contracts in the PingFederate Administration Guide.
    1. Click IdP Configuration > Authentication Policies > Policy Contracts.
    2. Create a New Contract that includes the attribute SAML_AUTHN_CTX.
  3. Create an authentication selector as described in Configure the Requested AuthN Context Authentication Selector in the PingFederate Administration Guide.
    1. Click IdP Configuration > Authentication Policies > Selectors.
    2. Create a New Instance that has the following values:

       | Parameter | Value |
       | --- | --- |
       | Instance Name | PA Step Up Authentication |
       | Instance Id | PAStepUpAuth |
       | Type | Requested AuthN Context Authentication Selector |
       | Class Name | com.pingidentity.pf.selectors.saml.SamLAuthnContextAdapterSelector |
       | Add or Update AuthN Context Attribute | true |
       | Selector Result Value attributes | htmlForm, pingid |

  4. Create an authentication policy tree as described in Define authentication policies in the PingFederate Administration Guide.
    1. Click IdP Configuration > Authentication Policies > Policies.
    2. Click Enable IdP Authentication Policies.
    3. Select your authentication selector from the Action list.
    4. For the htmlForm success result, click Contract Mapping to enable your authentication policy to fulfill the contract based on a user name submitted on an HTML form.
    5. For the pingid success result, click Options to link the form source with the username attribute.
    6. For the pingid success result, click Contract Mapping to enable your authentication policy to fulfill the contract based on passing the user name through PingID.
  5. Optional: To remove any existing IdP adapter mappings, click OAuth settings > Token & Attribute Mapping > IdP Adapter Mapping.
  6. Add an OAuth Authentication Policy Mapping.
    1. Click OAuth settings > Token & Attribute Mapping > Authentication Policy Contract Mapping.
    2. From the Authentication Policy Contract menu, select the authentication policy contract that you created earlier.
    3. Click Add Mapping and set the USER_NAME and USER_KEY values to subject(Authentication Policy Contract).
  7. Log in to PingAccess.
  8. Click Settings > Authentication Requirements to add access settings for htmlForm and pingid. See Configure an authentication requirements list in the PingAccess documentation.
  9. Click Policies > Rules to add rules as described in Manage Rules in the PingAccess documentation.
    1. Create a Step Up Authentication rule for PingID.
    2. Create an HTML Form Authentication rule.
  10. Click Policies > Application > Root Resource and drop the Step Up Authentication rule from the previous step. See Manage Rules in the PingAccess documentation.
  11. Test.
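
A check for step 11, added here as an example and not part of the original Ping Identity page. It assumes PingAccess passes the authentication requirement to PingFederate as the OpenID Connect acr_values parameter and that the token issued after login carries an acr claim equal to the selector result value. The host name, client ID, subject and all function names are constructed placeholders.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

# Selector result values from the table in step 3.
FIRST_FACTOR = "htmlForm"
STEP_UP = "pingid"


def requested_contexts(location):
    """Return the contexts requested via acr_values on the redirect URL."""
    query = parse_qs(urlsplit(location).query)
    # OpenID Connect carries acr_values as one space-separated string.
    return query.get("acr_values", [""])[0].split()


def token_claims(jwt):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_step_up(location, jwt):
    """Return a list of problems; an empty list means step-up behaved as configured."""
    problems = []
    asked = requested_contexts(location)
    if STEP_UP not in asked:
        problems.append(f"redirect did not request {STEP_UP!r}: {asked}")
    acr = token_claims(jwt).get("acr")
    if acr == FIRST_FACTOR:
        problems.append(f"session is still {FIRST_FACTOR!r} only; PingID was skipped")
    elif acr != STEP_UP:
        problems.append(f"unexpected acr {acr!r}")
    return problems


def make_sample_jwt(claims):
    """Build an unsigned token from constructed claims (test data only)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed samples: host, client_id and subject are placeholders.
SAMPLE_REDIRECT = ("https://pf.example.com/as/authorization.oauth2"
                   "?response_type=code&client_id=pa_client&acr_values=pingid")
GOOD_TOKEN = make_sample_jwt({"sub": "jdoe", "acr": "pingid"})
WEAK_TOKEN = make_sample_jwt({"sub": "jdoe", "acr": "htmlForm"})
```

To use it against a real deployment, pass the Location header captured when requesting the protected root resource and the token captured after the PingID prompt completes.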