PingFederate Server

Configuring the Session Authentication Selector

The Session Authentication Selector enables PingFederate to choose a policy path at runtime based on whether the user already has a PingFederate authentication session for a particular source.

Steps

  1. Go to Authentication → Policies → Selectors to open the Selectors window.

  2. On the Selectors window, click Create New Instance to start the Create Authentication Selector Instance workflow.

  3. On the Type tab, configure the basics of this authentication selector instance.

  4. On the Authentication Selector window, click Add a new row to 'Authentication Sources'.

  5. Select an IdP adapter instance or an IdP connection from the list, enter a value under Result Value for the selected authentication source, then click Update.

    The Result Value field controls the label shown for the policy path created by the selected authentication source.

    You must enable authentication sessions for the selected authentication source, or globally for all authentication sources, on the Sessions window. Click Manage Sessions to review and configure authentication sessions.

  6. Optional: Repeat the previous step to add more authentication sources.

    Display order might matter.

    When you place this selector instance as a checkpoint in an authentication policy, each selector result value forms a policy path. The display order of the resulting policy paths matches the display order here, which may impact the policy outcome. When the policy engine reaches this selector instance, the selector evaluates the authentication sources from top to bottom. It exits and returns true as soon as it finds a match.

    As needed, use the up and down arrows to re-arrange the display order here, which also re-prioritizes the resulting policy paths.

    In addition, when no session exists for any of the defined sources, the selector returns the result value of the first authentication source, unless the Enable 'No Session' Result Value check box is selected. In that case, an additional policy path is added as the last path when this selector instance is placed as a checkpoint in an authentication policy.

    Click Edit, Update, or Cancel to make or undo a change to an existing entry. Click Delete or Undelete to remove an existing entry or cancel the removal request.

  7. Optional: Select the Enable 'No Session' Result Value check box to create a separate policy path for the scenario where no session exists for any of the defined sources.

    This check box is not selected by default.

  8. Complete the configuration. On the Summary tab, click Done. On the Selectors window, click Save.

Result

When you place this selector instance as a checkpoint in an authentication policy, each selector result value forms a policy path for which you can define the desired authentication experience and requirements.

Example

The following screen capture illustrates a configuration where three authentication sources are defined and the Enable 'No Session' Result Value check box is selected.

A screen capture illustrating a configuration where two authentication sources are defined and the Enable 'No Session' Result Value check box is selected.

When this selector instance (named Intranet sessions) is placed in a policy, four policy paths are formed.

A screen capture illustrating three policy paths.
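
The evaluation order and the no-session fallback described in step 6 can be checked with a small model. This is an added example, not PingFederate code: the source names, result values, and the `No Session` label for the extra path are assumptions made for illustration.

```python
"""Model of the selection behaviour described in step 6 (not PingFederate code)."""
from dataclasses import dataclass

NO_SESSION = "No Session"  # assumed label for the extra path; not taken from the page


@dataclass(frozen=True)
class Source:
    name: str          # hypothetical adapter or connection name
    result_value: str  # label of the policy path for this source


def policy_paths(sources, no_session_enabled):
    """Paths formed when the selector is placed in a policy, in display order."""
    paths = [s.result_value for s in sources]
    return paths + [NO_SESSION] if no_session_enabled else paths


def select_path(sources, active_sessions, no_session_enabled):
    """Walk the sources top to bottom and stop at the first one with a session."""
    if not sources:
        raise ValueError("selector needs at least one authentication source")
    for s in sources:
        if s.name in active_sessions:
            return s.result_value
    # No session for any listed source: the outcome depends on the check box.
    return NO_SESSION if no_session_enabled else sources[0].result_value


# Constructed sample configuration with three authentication sources.
SOURCES = [
    Source("KerberosAdapter", "kerberos"),
    Source("MfaFormAdapter", "mfa-form"),
    Source("PartnerIdpConnection", "partner"),
]

if __name__ == "__main__":
    cases = ({"MfaFormAdapter", "PartnerIdpConnection"}, {"PartnerIdpConnection"}, set())
    for sessions in cases:
        for enabled in (False, True):
            print(sorted(sessions), enabled, "->", select_path(SOURCES, sessions, enabled))
```

With the check box cleared, a user with no session at all is sent down the first source's path, so the policy on that path should not assume a session exists.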