PingFederate Server

Configuring the HTTP Header Authentication Selector

The HTTP Header Authentication Selector enables PingFederate to choose configured authentication sources or other selectors based on a match found in a specified HTTP header.

About this task

Use this selector in one or more authentication policies to choose from authentication sources that share a similar level of assurance, such as among multiple HTML Form Adapters or between a Kerberos Adapter and an X.509 Adapter. For example, use this selector to choose an authentication source based on the user’s browser identified by the User-Agent HTTP header.

Do not use this selector to decide whether an authentication source with a higher level of assurance can be bypassed, because HTTP request headers can be forged.

Steps

  1. Go to Authentication → Policies → Selectors to open the Selectors window.

  2. On the Selectors window, click Create New Instance to start the Create Authentication Selector Instance workflow.

  3. On the Type tab, configure the basics of this authentication selector instance.

  4. On the Authentication Selector tab, click Add a new row to 'Results'.

  5. Under Match Expression, enter an expression to match against the value of the target HTTP header, and then click Update.

    Wildcard entries are allowed, such as *value*.

  6. Optional: Repeat the previous step to add more expressions. Display order does not matter.

    Click Edit, Update, or Cancel to make or undo a change to an existing entry. Click Delete or Undelete to remove an existing entry or cancel the removal request.

  7. In the Header Name field, enter the name of the HTTP header you want the selector to inspect. This field is not case-sensitive.

  8. Optional: To disable case-sensitive matching between the HTTP header values from the requests and the Match Expression values specified on this window, clear the Case-Sensitive Matching check box.

    The Case-Sensitive Matching check box is selected by default.

  9. Complete the configuration. On the Summary tab, click Done. On the Selectors window, click Save.

Result

When you place this selector instance as a checkpoint in an authentication policy, it forms two policy paths: Yes and No. If the value of the specified HTTP header matches one of the configured values, the selector returns true. The policy engine regains control of the request and proceeds with the policy path configured for the result value of Yes. If the value of the specified HTTP header matches none of the configured values, the selector returns false. The policy engine regains control of the request and proceeds with the policy path configured for the result value of No.

Example

To detect the most common browsers based on the User-Agent HTTP request header, configure an HTTP Header Authentication Selector instance as follows.

  1. Enter these entries under Match Expression.

    Browser    Expression
    Chrome     *Chrome*
    Firefox    *Firefox*
    Safari     *Safari*

  2. In the Header Name field, enter User-Agent.
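
A small Python model of the matching described above, added here as an illustration and not PingFederate's own code. It assumes `*` is the wildcard and matches any run of characters, wraps the example's browser names in that wildcard, and treats a missing header as No; the function names and sample User-Agent strings are constructed for this example.

```python
import re

def matches(expression, value, case_sensitive=True):
    # Assumption: '*' is the only wildcard and stands for any run of characters.
    pattern = ".*".join(re.escape(part) for part in expression.split("*"))
    flags = re.DOTALL | (0 if case_sensitive else re.IGNORECASE)
    return re.fullmatch(pattern, value, flags) is not None

def selector_result(headers, header_name, expressions, case_sensitive=True):
    """Model of the Yes/No outcome; 'headers' is a dict of request headers."""
    wanted = header_name.lower()  # Header Name is not case-sensitive (step 7)
    for name, value in headers.items():
        if name.lower() != wanted:
            continue
        # Any single matching expression is enough, so order is irrelevant.
        if any(matches(e, value, case_sensitive) for e in expressions):
            return "Yes"
    return "No"  # no match; a missing header counts as no match (assumption)

EXPRESSIONS = ["*Chrome*", "*Firefox*", "*Safari*"]

# Constructed request headers, not captured traffic.
REQUESTS = {
    "chrome": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                             "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"},
    "firefox": {"user-agent": "Mozilla/5.0 (X11; Linux x86_64; rv:121.0) "
                              "Gecko/20100101 Firefox/121.0"},
    "lowercase": {"User-Agent": "example-client (firefox compatible)"},
    "script": {"User-Agent": "inventory-job/1.0 Chrome"},
    "cli": {"User-Agent": "curl/8.5.0"},
    "absent": {},
}

def evaluate_all(case_sensitive=True):
    return {label: selector_result(h, "User-Agent", EXPRESSIONS, case_sensitive)
            for label, h in REQUESTS.items()}

if __name__ == "__main__":
    for label, result in evaluate_all().items():
        print(f"{label:10} -> {result}")
```

The `script` entry is not a browser yet lands on the Yes path, because the value is whatever the client sent; the `lowercase` entry changes from No to Yes when Case-Sensitive Matching is cleared.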