---
description: Configure PingFederate so that only members of a specific LDAP group are authorized to access the application.
component: pingauthorize
version: 10.1
page_id: pingauthorize:installing_and_uninstalling_pingauthorize:paz_config_pf_group_access_paz
canonical_url: https://docs.pingidentity.com/pingauthorize/10.1/installing_and_uninstalling_pingauthorize/paz_config_pf_group_access_paz.html
section_ids:
  configuring-pingfederate-group-access-for-pingauthorize: Configuring PingFederate group access for PingAuthorize
  about-this-task: About this task
  steps: Steps
  result: Result:
  result-2: Result:
  result-3: Result:
---

# Configuring PingFederate group access for PingAuthorize

Configure PingFederate so that only members of a specific LDAP group are authorized to access the application.

## About this task

[Configuring PingFederate for PingAuthorize](paz_config_pf_authentication_paz.html) and [Configuring PingAuthorize Policy Editor to use PingFederate](paz_config_paz_authentication_pf.html) explain how to configure the PingAuthorize Policy Editor and PingFederate so that any authenticated user can access the PingAuthorize Policy Editor. This task describes how to configure PingFederate to limit access to a specific LDAP group.

## Steps

1. Create an LDAP group in PingDirectory and add the desired user (`user.20`) to the group.

   1. Create a file named `create-policy-writer-group.ldif` and add the following.

      ```ldif
      dn: ou=groups,dc=example,dc=com
      objectclass: top
      objectclass: organizationalunit
      ou: groups

      dn: cn=PolicyWriter,ou=groups,dc=example,dc=com
      objectclass: top
      objectclass: groupOfUniqueNames
      cn: PolicyWriter
      ou: groups
      uniquemember: uid=user.20,ou=People,dc=example,dc=com
      ```

   2. Use the PingDirectory `ldapmodify` tool to load the newly created LDIF file.

      ```shell
      /opt/PingDirectory/bin/ldapmodify -a -f create-policy-writer-group.ldif
      ```

2. Add the group membership claim requirement in PingFederate.

   1. In PingFederate, go to **Applications > OAuth > Access Token Mappings**.

   2. Select the PingDirectory mapping from the list, and then on the **Attribute Sources & User Lookup** tab, select the PingDirectory source.

   3. Click the **LDAP Directory Search** tab, and in the **Root Object Class** list, select **Show All Attributes**.

   4. Add the **isMemberOf** attribute, and then click **Done** to return to **Access Token Attribute Mapping**.

      ![Screen capture of the LDAP Directory Search tab on the Access Token Attribute Mapping window with isMemberOf added as specified and the Save button in the lower right](_images/okn1639609156619.png)

   5. Go to the **Issuance Criteria** tab and add a new row with the following values:

      | Column             | Value                                           |
      | ------------------ | ----------------------------------------------- |
      | **Source**         | **LDAP (pingdir)**                              |
      | **Attribute Name** | **isMemberOf**                                  |
      | **Condition**      | **multi-value contains (case sensitive)**       |
      | **Value**          | **cn=PolicyWriter,ou=groups,dc=example,dc=com** |

      ![Screen capture of the Issuance Criteria tab on the Access Token Attribute Mapping window with the previously described attributes added](_images/kbs1639611344459.png)

   6. Click **Save**.

      ### Result:

      Only `user.20` can access the PingAuthorize Policy Editor.

3. Verify that only specified users can access the PingAuthorize Policy Editor.

   **Note:** Clear any active SSO sessions before you sign on as each user.

   1. Sign on as `user.0`.

      ### Result:

      Access is denied.

   2. Sign on as `user.20`.

      ### Result:

      Access is granted.
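The following is an added example, not Ping Identity code, that models offline what steps 1 through 3 configure: it parses the LDIF from step 1 into group memberships, derives the `isMemberOf` values PingDirectory would return for a user, and applies the issuance criterion **isMemberOf multi-value contains (case sensitive) cn=PolicyWriter,ou=groups,dc=example,dc=com** to reproduce the step 3 outcomes for `user.0` and `user.20`. The function names, the minimal LDIF parser and the user DN for `user.0` are assumptions made for the example; the LDIF content and group DN are copied from this page.

```python
"""Offline model of the PingFederate issuance criterion configured above.

Added example, not Ping Identity code. Function names are illustrative.
"""

# Constructed copy of the LDIF from step 1 (same content as on the page).
POLICY_WRITER_LDIF = """\
dn: ou=groups,dc=example,dc=com
objectclass: top
objectclass: organizationalunit
ou: groups

dn: cn=PolicyWriter,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: PolicyWriter
ou: groups
uniquemember: uid=user.20,ou=People,dc=example,dc=com
"""

# Group DN exactly as entered in the Issuance Criteria "Value" column.
REQUIRED_GROUP = "cn=PolicyWriter,ou=groups,dc=example,dc=com"


def parse_ldif(text):
    """Minimal LDIF parser: returns a list of entries, each a dict mapping a
    lowercase attribute name to its list of values. Handles blank-line entry
    separators, '#' comments and folded continuation lines; base64 ('::')
    values are not supported, which is enough for the LDIF in step 1."""
    entries = []
    entry, last_attr = None, None
    for line in text.splitlines():
        if not line.strip():
            if entry is not None:
                entries.append(entry)
            entry, last_attr = None, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and entry is not None and last_attr:
            entry[last_attr][-1] += line[1:]  # folded line continues previous value
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            entry = {"dn": [value]}
        elif entry is None:
            raise ValueError(f"attribute before dn: {line!r}")
        else:
            entry.setdefault(attr, []).append(value)
        last_attr = attr
    if entry is not None:
        entries.append(entry)
    return entries


def member_of(entries):
    """Map each member DN (case-normalised, as a directory would match DNs)
    to the groupOfUniqueNames DNs it belongs to. This is what PingDirectory's
    isMemberOf virtual attribute exposes to the PingFederate LDAP lookup."""
    groups = {}
    for entry in entries:
        classes = [v.lower() for v in entry.get("objectclass", [])]
        if "groupofuniquenames" not in classes:
            continue
        for member in entry.get("uniquemember", []):
            groups.setdefault(member.lower(), []).append(entry["dn"][0])
    return groups


def issuance_criteria_met(is_member_of, required_group=REQUIRED_GROUP):
    """The 'multi-value contains (case sensitive)' condition from step 2.5:
    a plain string comparison against each isMemberOf value, so the Value
    column must be typed exactly as the directory returns the group DN."""
    return any(value == required_group for value in is_member_of)


def access_decision(user_dn, entries):
    """Outcome of the access-token issuance check for one user."""
    is_member_of = member_of(entries).get(user_dn.lower(), [])
    return "granted" if issuance_criteria_met(is_member_of) else "denied"


if __name__ == "__main__":
    directory = parse_ldif(POLICY_WRITER_LDIF)
    # user.0's DN is assumed to follow the same pattern as user.20's.
    for uid in ("user.0", "user.20"):
        dn = f"uid={uid},ou=People,dc=example,dc=com"
        print(f"{uid}: access {access_decision(dn, directory)}")
```

Running the block prints `user.0: access denied` and `user.20: access granted`, matching the results in step 3. The `issuance_criteria_met` check also shows why the condition's case sensitivity matters: a Value entered as `CN=PolicyWriter,...` would not match the `cn=PolicyWriter,...` DN the directory returns, and every user would be denied.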
