PingAccess

Adding web session scope rules

Add web session scope rules, which examine the contents of the PingFederate validation response and determine whether to grant access to a backend target site based on a match found between the scopes of the validation response and the scope specified in the rule.

Before you begin

The web session scope rule might require the PingFederate access token to contain the scope superuser. To configure this, see Configuring access token attributes for superuser scope in PingFederate.

Steps

  1. Click Access and then go to Rules → Rules.

  2. Click Add Rule.

  3. In the Name field, enter a unique name up to 64 characters long.

    Special characters and spaces are allowed.

  4. From the Type list, select Web Session Scope.

  5. From the Scope list, select the scope you want to match to values returned from the access token.

    This is one scope requirement in the set of scopes associated with the access token.

  6. From the Rejection Handler list, select the rejection handler you want to associate with this rule.

  7. Click Save.
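The decision the rule makes can be modelled in a few lines. The following is an added example, not PingAccess or PingFederate code: it treats the validation response as a dictionary whose scope attribute is either a space-separated string (the RFC 6749 section 3.3 format) or a list, both of which are assumptions, and shows the failure mode the workaround below warns about, where a scope attribute that is never delivered makes the rule reject every request.

```python
"""Illustrative evaluation of a web session scope rule (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def token_scopes(validation_response: dict) -> frozenset:
    """Return the scope set carried by a validation response.

    Assumed shape: "scope" is a space-delimited string such as
    "openid profile superuser", or a list of strings. A missing or empty
    attribute yields an empty set.
    """
    raw = validation_response.get("scope")
    if raw is None:
        return frozenset()
    if isinstance(raw, str):
        return frozenset(raw.split())
    return frozenset(str(s) for s in raw)


def evaluate_scope_rule(validation_response: dict, required_scope: str) -> Decision:
    """Grant only when required_scope is present; scope values compare case-sensitively."""
    scopes = token_scopes(validation_response)
    if not scopes:
        # The scope attribute was never mapped into the token or ID token
        # contract, so no match is possible and the rule always rejects.
        return Decision(False, "scope attribute absent from validation response")
    if required_scope in scopes:
        return Decision(True, f"scope {required_scope!r} present")
    return Decision(False, f"scope {required_scope!r} not granted; token has {sorted(scopes)}")


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real deployment.
    granted = {"sub": "alice", "scope": "openid profile superuser"}
    declined = {"sub": "bob", "scope": "openid"}   # user did not accept the extra scopes
    unmapped = {"sub": "carol"}                    # contract never delivered "scope"
    for resp in (granted, declined, unmapped):
        print(resp["sub"], evaluate_scope_rule(resp, "superuser"))
```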

Configuring access token attributes for superuser scope in PingFederate

A resource might require that the access token contains the scope superuser. Configure the superuser scope in PingFederate.

Steps

  1. Enable Expressions within PingFederate.

  2. Extend the Access Token Attribute Contract to include the value scope.

  3. Map the following value into the access token attribute contract:

    Contract: scope

    Source: Expression

    Value: @com.pingidentity.sdk.oauth20.Scope@encode(#this.get("context.OAuthScopes").getValuesAsHashSet())

  4. Manage the OpenID Connect policy to add the following information:

    1. Attribute Contract: To extend the contract to include the scope attribute, select Override Default Delivery using the ID Token.

      This step is not applicable to PingFederate 9.0 and earlier. Instead, in the Manage Policy window, select the Include User Info in ID Token check box.

    2. Attribute Scopes: From the Scope list, select openid, and from the Attribute list, select scope.

      This feature does not exist in PingFederate versions earlier than 9.0. To work around this issue:

      1. Ensure PingAccess is configured to include profile in the list of Web Session scopes.

      2. In PingFederate, ensure the profile scope is defined in Scope Management.

      3. During authentication, the user must accept usage of the profile scope. If the user does not accept usage of the profile scope, then the web session scope rule will always fail for that user.

    3. Contract Fulfillment: Modify the scope Attribute Contract entry to use Access Token as the Source with a Value of scope.