---
title: Adding web session scope rules
description: Add web session scope rules, which examine the contents of the PingFederate validation response and determine whether to grant access to a backend target site based on a match found between the scopes of the validation response and the scope specified in the rule.
component: pingaccess
version: 9.0
page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_adding_web_session_scope_rules
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/pingaccess_user_interface_reference_guide/pa_adding_web_session_scope_rules.html
revdate: February 6, 2023
section_ids:
  before-you-begin: Before you begin
  steps: Steps
  configuring-access-token-attributes-for-superuser-scope-in-pingfederate: Configuring access token attributes for superuser scope in PingFederate
  steps-2: Steps
---

# Adding web session scope rules

Add web session scope rules, which examine the contents of the PingFederate validation response and determine whether to grant access to a backend target site based on a match found between the scopes of the validation response and the scope specified in the rule.

## Before you begin

A web session scope rule might require the PingFederate access token to contain the scope `superuser`. To configure this, see [Configuring access token attributes for superuser scope in PingFederate](pa_configuring_access_token_attributes_for_superuser_scope_in_pf.html).

## Steps

1. Click **Access**, then go to **Rules > Rules**.

2. Click **+ Add Rule**.

3. In the **Name** field, enter a unique name up to 64 characters long.

   Special characters and spaces are allowed.

4. From the **Type** list, select **Web Session Scope**.

5. From the **Scope** list, select the scope you want to match to values returned from the access token.

   > **Note:** This is one scope requirement in the set of scopes associated with the access token.

6. From the **Rejection Handler** list, select the rejection handler you want to associate with this rule.

7. Click **Save**.
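The check a web session scope rule performs, as an added example that is not PingAccess code: the evaluator below takes the scope configured in the rule and a token validation response, extracts the granted scopes, and grants access only when the rule's scope is present as a whole token. The response bodies, the attribute name `scope`, and the assumption that it arrives either as an RFC 6749 space-delimited string or as a list are all constructed for this example; the `Decision` type and function names are likewise illustrative. A response with no `scope` attribute (for instance because the user did not consent to the scope that carries it) is treated as a denial rather than an error, which is the failure mode a practitioner is most likely to see in testing.

```python
"""Simulated web session scope rule evaluation (constructed example, not PingAccess code)."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    """Outcome of one rule evaluation, with a reason suitable for an audit log."""
    allowed: bool
    reason: str


def scopes_from_response(response: dict) -> frozenset:
    """Extract the granted scopes from a token validation response.

    Assumption for this example: the `scope` attribute is either an
    RFC 6749 style space-delimited string ("openid profile superuser")
    or a JSON list of strings. A missing attribute yields an empty set.
    """
    raw = response.get("scope")
    if raw is None:
        return frozenset()
    if isinstance(raw, str):
        return frozenset(token for token in raw.split() if token)
    if isinstance(raw, (list, tuple, set)):
        return frozenset(str(token) for token in raw)
    raise TypeError(f"unsupported scope attribute type: {type(raw).__name__}")


def evaluate_scope_rule(required_scope: str, validation_response: dict) -> Decision:
    """Grant only when the rule's scope is one of the scopes in the response.

    Matching is on whole tokens: a granted scope "superuserx" must not
    satisfy a rule that requires "superuser".
    """
    if not required_scope or required_scope != required_scope.strip() or " " in required_scope:
        raise ValueError("rule scope must be a single non-empty token")
    granted = scopes_from_response(validation_response)
    if not granted:
        return Decision(False, "no scope attribute in validation response")
    if required_scope in granted:
        return Decision(True, f"scope '{required_scope}' present")
    return Decision(False, f"scope '{required_scope}' not granted; have {sorted(granted)}")


# Constructed validation responses: one with the superuser scope, one without,
# and one where the scope attribute is absent (e.g. consent to the carrying scope was refused).
SAMPLE_RESPONSES = {
    "superuser": json.loads('{"sub": "alice", "scope": "openid profile superuser"}'),
    "regular": json.loads('{"sub": "bob", "scope": "openid profile"}'),
    "no_consent": json.loads('{"sub": "carol"}'),
}


def run_samples(required_scope: str = "superuser") -> dict:
    """Evaluate the rule against every sample and return name -> allowed."""
    return {
        name: evaluate_scope_rule(required_scope, response).allowed
        for name, response in SAMPLE_RESPONSES.items()
    }


if __name__ == "__main__":
    for name, response in SAMPLE_RESPONSES.items():
        decision = evaluate_scope_rule("superuser", response)
        print(f"{name:10s} allowed={decision.allowed} ({decision.reason})")
```

Whole-token matching is the detail worth keeping when you reproduce this check anywhere else: splitting the scope string and testing set membership avoids the substring mistake that `"superuser" in "openid superuserx"` would make.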

## Configuring access token attributes for superuser scope in PingFederate

A resource might require that the access token contains the scope `superuser`. Configure the `superuser` scope in PingFederate.

### Steps

1. [Enable Expressions](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_enable_disable_express.html) within PingFederate.

2. [Extend the Access Token Attribute Contract](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_defining_access_token_attribute_contract.html) to include the value `scope`.

3. Map the following value into the [access token attribute contract](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_wstrusttokenprocessormappingtasklet_wstrustattrcontractfulfillmentstate.html).

   | Contract | Source     | Value                                                                                               |
   | -------- | ---------- | --------------------------------------------------------------------------------------------------- |
   | `scope`  | Expression | `@com.pingidentity.sdk.oauth20.Scope@encode(#this.get("context.OAuthScopes").getValuesAsHashSet())` |

4. Manage the [OpenID Connect policy](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_configuring_oidc_policies.html) to add the following information:

   1. [Attribute Contract](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_policymanagementtasklet_createpolicycontractstate.html) — To extend the contract to include the `scope` attribute, select **Override Default Delivery** using the **ID Token**.

      > **Note:** This step is not applicable to PingFederate 9.0 and earlier. Instead, in the **Manage Policy** window, select the **Include User Info in ID Token** check box.

   2. [Attribute Scopes](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_policymanagementtasklet_attributescopesstate.html) — From the **Scope** list, select `openid`, and from the **Attribute** list, select `scope`.

      > **Note:** This feature does not exist in PingFederate versions earlier than 9.0. To work around this issue:
      >
      > 1. Ensure PingAccess is configured to include `profile` in the list of **Web Session** scopes.
      > 2. In PingFederate, ensure the `profile` scope is [defined](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/rbk1564002990993.html) in **Scope Management**.
      > 3. During authentication, the user must accept usage of the `profile` scope. If the user does not accept usage of the `profile` scope, the web session scope rule will always fail for that user.

   3. [Contract Fulfillment](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_cibapolicymanagementtasklet_cibapolicycontractfulfillmentstate.html) — Modify the `scope` **Attribute Contract** to use `Access Token` as the **Source** with a **Value** of `scope`.
