Ping Identity Solution Guides Updated 80 11,567 people found this helpful Add to MyDocs | Hide Show Table of Contents Table of Contents Expand | Collapse Single Sign-On Multi-Factor Authentication Access Security Directory Developer APIs Adding multi-factor authentication to secure apps (PingID with PingAccess) Published: February 22, 2019 Components PingID PingAccess (version 4.0) PingFederate (version 9.1) Note: This use case was developed with the specified product versions. With more recent product versions, the general workflow should apply although specific menu options and screens might differ. Before you begin Verify that PingFederate and PingAccess are installed and running. Create an OIDC connection between PingFederate and PingAccess as described in Configure PingFederate for PingAccess connectivity. Register a PingID account as explained in Register the PingID Service. Set up a PingID adapter in PingFederate as described in Manage IdP adapters. Follow these steps to synchronize a session for your web apps between PingFederate and PingAccess through PingID. Log in to PingFederate. Create a SAML authentication policy contract as described in Policy contracts. Click IdP Configuration → Authentication Policies → Policy Contracts. Create a New Contract that includes the attribute SAML_AUTHN_CTX. Create an authentication selector as described in Configure the Requested AuthN Context Authentication Selector. Click IdP Configuration → Authentication Policies → Selectors. Create a new instance that has the following values: Parameter Value Instance Name PA Step Up Authentication Instance Id PAStepUpAuth Type Requested AuthN Content Authentication Selector Class Name com.pingidentity.pf.selectors.saml.SamLAuthnContextAdapterSelector Add or Update AuthN Context Attribute true Selector Result Value attributes htmlForm pingid Create an authentication policy tree as described in Define authentication policies. Click IdP Configuration → Authentication Policies → Policies. Click Enable IdP Authentication Policies. Select your authentication selector from the Action list. For the htmlForm success result, click Contract Mapping to enable your authentication policy to fulfill the contract based on a user name submitted on an HTML form. For the pingid success result, click Options to link the form source with the username attribute. For the pingid success result, click Contract Mapping to enable your authentication policy to fulfill the contract based on passing the user name through PingID. Optional: To remove any existing IdP adapter mappings, click OAuth settings → Token & Attribute Mapping → IdP Adapter Mapping. Add an OAuth authentication policy mapping. Click OAuth settings → Token & Attribute Mapping → Authentication Policy Contract Mapping. From the Authentication Policy Contract menu, select the authentication policy contract that you created earlier. Click Add Mapping and set the USER_NAME and USER_KEY values to subject(Authentication Policy Contract). Log in to PingAccess. Click Settings → Authentication Requirements to add access settings for htmlForm and pingid. See Configure an authentication requirements list. Click Policies → Rules to add rules as described in Manage Rules. Create a Step Up Authentication rule for PingID. Create an HTML Form Authentication rule. Click Policies → Application → Root Resource and drop the Step Up Authentication rule from the previous step. See Manage Rules. Related informationPingID Administration GuidePingFederate 9.1 Administrator's Manual
Adding multi-factor authentication to secure apps (PingID with PingAccess) Published: February 22, 2019 Components PingID PingAccess (version 4.0) PingFederate (version 9.1) Note: This use case was developed with the specified product versions. With more recent product versions, the general workflow should apply although specific menu options and screens might differ. Before you begin Verify that PingFederate and PingAccess are installed and running. Create an OIDC connection between PingFederate and PingAccess as described in Configure PingFederate for PingAccess connectivity. Register a PingID account as explained in Register the PingID Service. Set up a PingID adapter in PingFederate as described in Manage IdP adapters. Follow these steps to synchronize a session for your web apps between PingFederate and PingAccess through PingID. Log in to PingFederate. Create a SAML authentication policy contract as described in Policy contracts. Click IdP Configuration → Authentication Policies → Policy Contracts. Create a New Contract that includes the attribute SAML_AUTHN_CTX. Create an authentication selector as described in Configure the Requested AuthN Context Authentication Selector. Click IdP Configuration → Authentication Policies → Selectors. Create a new instance that has the following values: Parameter Value Instance Name PA Step Up Authentication Instance Id PAStepUpAuth Type Requested AuthN Content Authentication Selector Class Name com.pingidentity.pf.selectors.saml.SamLAuthnContextAdapterSelector Add or Update AuthN Context Attribute true Selector Result Value attributes htmlForm pingid Create an authentication policy tree as described in Define authentication policies. Click IdP Configuration → Authentication Policies → Policies. Click Enable IdP Authentication Policies. Select your authentication selector from the Action list. For the htmlForm success result, click Contract Mapping to enable your authentication policy to fulfill the contract based on a user name submitted on an HTML form. For the pingid success result, click Options to link the form source with the username attribute. For the pingid success result, click Contract Mapping to enable your authentication policy to fulfill the contract based on passing the user name through PingID. Optional: To remove any existing IdP adapter mappings, click OAuth settings → Token & Attribute Mapping → IdP Adapter Mapping. Add an OAuth authentication policy mapping. Click OAuth settings → Token & Attribute Mapping → Authentication Policy Contract Mapping. From the Authentication Policy Contract menu, select the authentication policy contract that you created earlier. Click Add Mapping and set the USER_NAME and USER_KEY values to subject(Authentication Policy Contract). Log in to PingAccess. Click Settings → Authentication Requirements to add access settings for htmlForm and pingid. See Configure an authentication requirements list. Click Policies → Rules to add rules as described in Manage Rules. Create a Step Up Authentication rule for PingID. Create an HTML Form Authentication rule. Click Policies → Application → Root Resource and drop the Step Up Authentication rule from the previous step. See Manage Rules. Related informationPingID Administration GuidePingFederate 9.1 Administrator's Manual
Adding multi-factor authentication to secure apps (PingID with PingAccess) Published: February 22, 2019 Components PingID PingAccess (version 4.0) PingFederate (version 9.1) Note: This use case was developed with the specified product versions. With more recent product versions, the general workflow should apply although specific menu options and screens might differ. Before you begin Verify that PingFederate and PingAccess are installed and running. Create an OIDC connection between PingFederate and PingAccess as described in Configure PingFederate for PingAccess connectivity. Register a PingID account as explained in Register the PingID Service. Set up a PingID adapter in PingFederate as described in Manage IdP adapters. Follow these steps to synchronize a session for your web apps between PingFederate and PingAccess through PingID. Log in to PingFederate. Create a SAML authentication policy contract as described in Policy contracts. Click IdP Configuration → Authentication Policies → Policy Contracts. Create a New Contract that includes the attribute SAML_AUTHN_CTX. Create an authentication selector as described in Configure the Requested AuthN Context Authentication Selector. Click IdP Configuration → Authentication Policies → Selectors. Create a new instance that has the following values: Parameter Value Instance Name PA Step Up Authentication Instance Id PAStepUpAuth Type Requested AuthN Content Authentication Selector Class Name com.pingidentity.pf.selectors.saml.SamLAuthnContextAdapterSelector Add or Update AuthN Context Attribute true Selector Result Value attributes htmlForm pingid Create an authentication policy tree as described in Define authentication policies. Click IdP Configuration → Authentication Policies → Policies. Click Enable IdP Authentication Policies. Select your authentication selector from the Action list. For the htmlForm success result, click Contract Mapping to enable your authentication policy to fulfill the contract based on a user name submitted on an HTML form. For the pingid success result, click Options to link the form source with the username attribute. For the pingid success result, click Contract Mapping to enable your authentication policy to fulfill the contract based on passing the user name through PingID. Optional: To remove any existing IdP adapter mappings, click OAuth settings → Token & Attribute Mapping → IdP Adapter Mapping. Add an OAuth authentication policy mapping. Click OAuth settings → Token & Attribute Mapping → Authentication Policy Contract Mapping. From the Authentication Policy Contract menu, select the authentication policy contract that you created earlier. Click Add Mapping and set the USER_NAME and USER_KEY values to subject(Authentication Policy Contract). Log in to PingAccess. Click Settings → Authentication Requirements to add access settings for htmlForm and pingid. See Configure an authentication requirements list. Click Policies → Rules to add rules as described in Manage Rules. Create a Step Up Authentication rule for PingID. Create an HTML Form Authentication rule. Click Policies → Application → Root Resource and drop the Step Up Authentication rule from the previous step. See Manage Rules. Related informationPingID Administration GuidePingFederate 9.1 Administrator's Manual