Adding ID DataWeb policy decisions to your authentication policy
By modifying your PingFederate authentication policy to include the policy decision ("allow", "obligation", and "deny") from the ID DataWeb API, you can change authentication requirements dynamically based on security risk level.
About this task
These steps are designed to help you add to an existing authentication policy. You can find general information about configuring authentication policies in Authentication policies in the PingFederate documentation.
Steps
1. In the PingFederate administrative console, go to Authentication > Policies > Policies.
2. Select the IdP Authentication Policies checkbox.
3. Open an existing authentication policy, or click Add Policy.
   Learn more in Defining authentication policies in the PingFederate documentation.
4. In the Policy area, in the Select list, select an ID DataWeb IdP Adapter instance.
5. Map the user ID into the ID DataWeb IdP Adapter instance:
   a. Under the ID DataWeb IdP Adapter instance, click Options.
   b. On the Options dialog, in the Source list, select a previous authentication source that collects the user ID.
   c. In the Attribute list, select the user ID. Click Done.
6. Define policy paths based on risk results:
   a. Under the ID DataWeb IdP Adapter instance, click Rules.
   b. On the Rules dialog, in the Attribute Name list, select policyDecision.
   c. In the Condition list, select equal to.
   d. In the Value field, enter approve, obligation, or deny.
   e. In the Result field, enter a name. This appears as a new policy path that branches from the authentication source.
   f. If you want to add more authentication paths, click Add and repeat steps a-e.
   g. Click Done.
7. Configure each of the authentication paths, including Fail, Success, and the paths that you defined in the Rules dialog.
   In case the ID DataWeb API is unreachable or returns an error, we recommend that you allow users to continue to sign on by satisfying stricter authentication requirements.
   You can do this in your authentication policy by setting the Fail outcome of the ID DataWeb IdP Adapter instance to point to a second authentication factor, as shown in the following example.
   Alternatively, you can do this in your ID DataWeb IdP Adapter instance by setting the Failure mode as shown in Configuring an adapter instance.
8. Click Done.
9. In the Policies window, click Save.
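To make the branching in steps 6 and 7 concrete, the following is an added Python model (not PingFederate or ID DataWeb code) of how the policyDecision rules and the Fail path route a sign-on, plus a small audit of the path wiring; the path names approve-path, obligation-path, deny-path and second-factor are assumptions chosen for this example.

```python
"""Constructed model of the policy paths described above; not product code."""
from dataclasses import dataclass
from typing import Optional

# Outcomes a path can end in (assumed names for this example).
ALLOW = "allow"
DENY = "deny"
STEP_UP_MFA = "second-factor"   # a stricter second authentication factor


@dataclass
class AdapterResult:
    """What the ID DataWeb IdP Adapter instance hands back to the policy."""
    succeeded: bool                      # False when the API is unreachable or errors
    policy_decision: Optional[str] = None


# Rules from step 6: Attribute Name = policyDecision, Condition = equal to.
# Key = the Value entered; value = the Result name (assumed path names).
RULES = {"approve": "approve-path", "obligation": "obligation-path", "deny": "deny-path"}

# Step 7: where each path (rule results plus Fail and Success) leads.
PATH_OUTCOMES = {
    "approve-path": ALLOW,
    "obligation-path": STEP_UP_MFA,
    "deny-path": DENY,
    "Fail": STEP_UP_MFA,     # API error: require a stricter factor, never a bypass
    "Success": STEP_UP_MFA,  # modeled as the path taken when no rule matched
}


def select_path(result: AdapterResult) -> str:
    """Pick the policy path: Fail on adapter failure, else the matching rule or Success."""
    if not result.succeeded:
        return "Fail"
    return RULES.get(result.policy_decision, "Success")


def next_action(result: AdapterResult, outcomes=PATH_OUTCOMES) -> str:
    """Resolve the selected path to its configured outcome."""
    return outcomes[select_path(result)]


def audit_paths(rules, outcomes) -> list:
    """Flag wiring that would let an outage or a deny decision slip through."""
    findings = []
    if outcomes.get("Fail") == ALLOW:
        findings.append("Fail path allows sign-on: an API outage would bypass the risk check")
    for decision, path in rules.items():
        if path not in outcomes:
            findings.append(f"rule result {path!r} for {decision!r} has no configured path")
    if outcomes.get(rules.get("deny")) != DENY:
        findings.append("the deny decision does not end in a deny outcome")
    return findings
```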