PingAccess

Adding an authentication requirements rule

Add an authentication requirements rule in PingAccess to limit access to resources or applications protected by PingAccess based on the access control rule (ACR) values returned by the PingFederate request AuthN context authentication selector.

Before you begin

Verify that you have:

  • A PingFederate configuration that uses the Requested AuthN Context Authentication Selector

  • A configured authentication list

About this task

An authentication requirements rule allows authentication requirements to be applied when a policy decision is being made by the PingAccess engine, allowing an entire application or individual resources to require a particular authentication type.

This rule also allows for configurations that require more secure authentication methods, such as multi-factor authentication (MFA). For example, a website might allow a user to authenticate and view personal data using only a user name and password, but editing their personal data could require an additional PingID verification step. When used in this manner, an additional step-up authentication event is automatically triggered.

To ensure that step-up authentication is triggered, this rule should always be positioned first in a list of rules, rule sets, or rule set groups, regardless of whether the criteria is Any or All.

PingAccess uses rules to trigger different authentication paths in PingFederate. If the authentication requirements rule isn’t the first item in a list, then it isn’t sent to PingFederate in the initial request.

Steps

  1. Click Access, then go to Rules > Rules.

  2. Click Add Rule.

  3. In the Name field, enter a unique name, up to 64 characters long.

    Special characters and spaces are allowed.

  4. From the Type list, select Authentication Requirements.

  5. Select an Authentication Requirements List.

  6. Select a Minimum Authentication Requirement.

    The possible values for the Minimum Authentication Requirement are derived from the selected Authentication Requirements list.

  7. Optional: In the Max Age (M) field, enter a maximum time since the last authentication. If the user’s session has not authenticated in this timeframe, the user is prompted to reauthenticate.

    A value of -1 indicates no maximum age.

  8. Click Save.