Ping Identity Use Cases

Adding Multi-Factor Authentication to Secure Apps (PingID with PingAccess)

Published: January 25, 2019

Components

- PingID
- PingAccess (version 4.0 or later)
- PingFederate (version 8.1 or later)

Before you begin

- Verify that PingFederate and PingAccess are installed and running.
- Create an OIDC connection between PingFederate and PingAccess as described in Configure PingFederate for PingAccess connectivity.
- Register a PingID account as explained in Register the PingID Service in the PingID Administration Guide.
- Set up a PingID adapter in PingFederate as described in Manage IdP adapters in the PingFederate documentation.

Follow these steps to synchronize a session for your web apps between PingFederate and PingAccess through PingID.

1. Log in to PingFederate.
2. Create a SAML authentication policy contract as described in Policy contracts in the PingFederate Administration Guide.
   a. Click IdP Configuration → Authentication Policies → Policy Contracts.
   b. Create a New Contract that includes the attribute SAML_AUTHN_CTX.
3. Create an authentication selector as described in Configure the Requested AuthN Context Authentication Selector in the PingFederate Administration Guide.
   a. Click IdP Configuration → Authentication Policies → Selectors.
   b. Create a New Instance that has the following values:

      Parameter                              Value
      Instance Name                          PA Step Up Authentication
      Instance Id                            PAStepUpAuth
      Type                                   Requested AuthN Context Authentication Selector
      Class Name                             com.pingidentity.pf.selectors.saml.SamLAuthnContextAdapterSelector
      Add or Update AuthN Context Attribute  true

      Selector Result Value attributes
      htmlForm
      pingid

4. Create an authentication policy tree as described in Define authentication policies in the PingFederate Administration Guide.
   a. Click IdP Configuration → Authentication Policies → Policies.
   b. Click Enable IdP Authentication Policies.
   c. Select your authentication selector from the Action list.
   d. For the htmlForm success result, click Contract Mapping to enable your authentication policy to fulfill the contract based on a user name submitted on an HTML form.
   e. For the pingid success result, click Options to link the form source with the username attribute.
   f. For the pingid success result, click Contract Mapping to enable your authentication policy to fulfill the contract based on passing the user name through PingID.
5. Optional: To remove any existing IdP adapter mappings, click OAuth settings → Token & Attribute Mapping → IdP Adapter Mapping.
6. Add an OAuth Authentication Policy Mapping.
   a. Click OAuth settings → Token & Attribute Mapping → Authentication Policy Contract Mapping.
   b. From the Authentication Policy Contract menu, select the authentication policy contract that you created earlier.
   c. Click Add Mapping and set the USER_NAME and USER_KEY values to subject(Authentication Policy Contract).
7. Log in to PingAccess.
8. Click Settings → Authentication Requirements to add access settings for htmlForm and pingid. See Configure an authentication requirements list in the PingAccess documentation.
9. Click Policies → Rules to add rules as described in Manage Rules in the PingAccess documentation.
   a. Create a Step Up Authentication rule for PingID.
   b. Create an HTML Form Authentication rule.
10. Click Policies → Application → Root Resource and drop the Step Up Authentication rule from the previous step. See Manage Rules in the PingAccess documentation.
11. Test.

Related information

- PingID Administration Guide
- PingFederate 9.1 Administrator's Manual
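
For the Test step, one way to check which authentication level a session actually carries, as an added example that is not Ping Identity code. It assumes the selector result value (htmlForm or pingid) reaches PingAccess in the ID token's acr claim and that pingid ranks above htmlForm; the function names and the unsigned sample tokens are constructed for illustration.

```python
import base64
import json

# Assumption: weakest to strongest, using the selector result values from the page.
AUTHN_ORDER = ["htmlForm", "pingid"]


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token for offline testing only."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def decode_payload(token: str) -> dict:
    """Decode a compact JWT payload for inspection; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def step_up_decision(claims: dict, required: str) -> str:
    """Return 'allow' if the session's acr meets the requirement, else 'step_up'."""
    if required not in AUTHN_ORDER:
        raise ValueError(f"unknown requirement: {required}")
    acr = claims.get("acr")
    # A missing or unrecognised context never satisfies a requirement.
    if acr not in AUTHN_ORDER:
        return "step_up"
    if AUTHN_ORDER.index(acr) >= AUTHN_ORDER.index(required):
        return "allow"
    return "step_up"


if __name__ == "__main__":
    # Constructed sessions: password only, password plus PingID, and no acr at all.
    for claims in ({"sub": "jdoe", "acr": "htmlForm"},
                   {"sub": "jdoe", "acr": "pingid"},
                   {"sub": "jdoe"}):
        token = make_sample_token(claims)
        print(claims.get("acr"), "->", step_up_decision(decode_payload(token), "pingid"))
```

During testing, a session that reports allow for a pingid-protected resource without a PingID prompt having occurred points to a mapping mistake in the policy tree or the contract fulfillment.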