Hosting Environment
Operating System
Task Type
Draft Beta

Ping Identity Solution Guides

Updated 80

Add to MyDocs | Hide Show Table of Contents

Table of Contents

Adding multi-factor authentication to secure apps (PingID with PingAccess)

Published: February 22, 2019


  • PingID

  • PingAccess (version 4.0)

  • PingFederate (version 9.1)

Note: This use case was developed with the specified product versions. With more recent product versions, the general workflow should apply although specific menu options and screens might differ.

Before you begin

Follow these steps to synchronize a session for your web apps between PingFederate and PingAccess through PingID.

Workflow as described in text.
  1. Log in to PingFederate.
  2. Create a SAML authentication policy contract as described in Policy contracts.
    1. Click IdP ConfigurationAuthentication Policies Policy Contracts.
    2. Create a New Contract that includes the attribute SAML_AUTHN_CTX.
  3. Create an authentication selector as described in Configure the Requested AuthN Context Authentication Selector.
    1. Click IdP ConfigurationAuthentication PoliciesSelectors.
    2. Create a new instance that has the following values:
      Parameter Value
      Instance Name PA Step Up Authentication
      Instance Id PAStepUpAuth
      Type Requested AuthN Content Authentication Selector
      Class Name
      Add or Update AuthN Context Attribute true
      Selector Result Value attributes
      • htmlForm
      • pingid
  4. Create an authentication policy tree as described in Define authentication policies.
    1. Click IdP ConfigurationAuthentication PoliciesPolicies.
    2. Click Enable IdP Authentication Policies.
    3. Select your authentication selector from the Action list.
    4. For the htmlForm success result, click Contract Mapping to enable your authentication policy to fulfill the contract based on a user name submitted on an HTML form.
    5. For the pingid success result, click Options to link the form source with the username attribute.
    6. For the pingid success result, click Contract Mapping to enable your authentication policy to fulfill the contract based on passing the user name through PingID.
  5. Optional: To remove any existing IdP adapter mappings, click OAuth settingsToken & Attribute MappingIdP Adapter Mapping.
  6. Add an OAuth authentication policy mapping.
    1. Click OAuth settingsToken & Attribute MappingAuthentication Policy Contract Mapping.
    2. From the Authentication Policy Contract menu, select the authentication policy contract that you created earlier.
    3. Click Add Mapping and set the USER_NAME and USER_KEY values to subject(Authentication Policy Contract).
  7. Log in to PingAccess.
  8. Click SettingsAuthentication Requirements to add access settings for htmlForm and pingid. See Configure an authentication requirements list.
  9. Click PoliciesRules to add rules as described in Manage Rules.
    1. Create a Step Up Authentication rule for PingID.
    2. Create an HTML Form Authentication rule.
  10. Click PoliciesApplicationRoot Resource and drop the Step Up Authentication rule from the previous step. See Manage Rules.