PingFederate Server

Applying policy contracts or identity profiles to authentication policies

To apply an authentication policy contract to a policy, select an authentication policy contract or a local identity profile as the last action of one or more closed-ended paths and configure fulfillment for each contract.

About this task

An authentication policy contract can harness attribute values obtained from all authentication sources along the path leading up to it. Administrators can select the same authentication policy contract or local identity profile for different closed-ended paths, in one or more authentication policies, and fulfill them differently to suit the requirements. To enforce the same set of authentication policies in multiple use cases, map the authentication policy contract to the applicable Browser SSO connections and OAuth grant-mapping configuration.

Steps

  1. Go to Authentication → Policies → Policies. On the Policies window, select the applicable authentication policy.

  2. On the Policy window, locate all closed-ended paths in the policy.

    A policy path is closed-ended if it contains one or more authentication sources, with or without any selector instances. A closed-ended path can optionally end with an authentication policy contract or a local identity profile.

    A policy path is also closed-ended if it ends with an instance of a custom authentication selector that returns an IdP adapter instance ID or the connection ID of an IdP connection. Because the custom selector returns an authentication source, such a closed-ended path cannot end with an authentication policy contract or a local identity profile. Instead, it must end with an action of Done or Restart.

    Consider the following sample policy.

    A screen capture illustrating a sample policy with four closed-ended paths and one open-ended path

    This policy has two selector instances, Test and Retail, two identity provider (IdP) adapter instances, and five policy paths:

    • Test → No → HTML Form → Fail

    • Test → No → HTML Form → Success → Retail → No

    • Test → No → HTML Form → Success → Retail → Yes → PingID → Fail

    • Test → No → HTML Form → Success → Retail → Yes → PingID → Success

    • Test → Yes

    The first four paths are closed-ended while the last path is open-ended.

  3. Select Done as the policy action for the following paths:

    • Test → No → HTML Form → Fail

    • Test → No → HTML Form → Success → Retail → Yes → PingID → Fail

    Result:

    At runtime, PingFederate terminates the request and returns an error message to the user.

  4. Select the applicable authentication policy contract or local identity profile as the policy action for the rest of the closed-ended paths:

    • Test → No → HTML Form → Success → Retail → No

    • Test → No → HTML Form → Success → Retail → Yes → PingID → Success

      Suppose your use case does not involve consumer authentication, registration, and profile management. It makes sense to select an authentication policy contract for the PingID → Success result, because the users have successfully met all your authentication requirements.

      At runtime, PingFederate fulfills the authentication policy contract and carries on with the request.

      Depending on your use case, you might also select an authentication policy contract for the PingID → Fail result, possibly with an attribute indicating that the users have failed a certain part of your authentication requirements, and make further authorization decisions using the Token Authorization framework in the applicable connections later.

  5. For each selected authentication policy contract, if any, click Contract Mapping and complete the Manage Authentication Policies → Authentication Policy Contract Mapping workflow. For more information, see Configuring contract mapping.

  6. For each selected local identity profile, if any, click Local Identity Mapping and complete the Manage Authentication Policies → Inbound Mapping & Contract Fulfillment workflow. For more information, see Configuring local identity mapping.

  7. Select Continue as the policy action for the open-ended path Test → Yes.

    Result:

    At runtime, PingFederate skips to the next policy. Your policy should be similar to the following sample.

    A screen capture illustrating a sample policy with four closed-ended paths and one open-ended path

  8. To close the Policy window, click Done.

  9. On the Policies window, click Save.
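The path rules from steps 2 through 7 (a path is closed-ended when it contains an authentication source, only closed-ended paths may end with a contract or local identity profile, and a path ending in a source-returning custom selector must end with Done or Restart) can be checked mechanically before a policy is saved. The following added example is not PingFederate code and does not use the admin API's policy format; it models the sample policy above as a constructed tree (the contract name "Employees" is assumed) and lints every path against those rules.

```python
# Constructed model of the sample policy from this page; it is not PingFederate's
# admin-API JSON. Node kinds: "selector" (branches by result), "adapter"
# (an authentication source, branches Success/Fail), or a terminal action string
# such as "Done", "Restart", "Continue", "APC:<name>" or "LIP:<name>".

def is_source(node):
    """An IdP adapter, or a custom selector that returns an authentication source."""
    return node.get("kind") == "adapter" or node.get("returns_source", False)

def enumerate_paths(node, path=()):
    """Yield (labels, terminal_action) for every path through the policy tree."""
    if isinstance(node, str):              # terminal policy action
        yield path, node
        return
    for result, child in node["branches"].items():
        yield from enumerate_paths(child, path + ((node, result),))

def classify(path):
    """Closed-ended if the path contains at least one authentication source."""
    return "closed" if any(is_source(n) for n, _ in path) else "open"

def lint_policy(root):
    """Return a list of (path_text, problem) tuples for actions the rules forbid."""
    problems = []
    for path, action in enumerate_paths(root):
        text = " -> ".join(f"{n['name']} -> {r}" for n, r in path)
        ends_in_contract = action.startswith(("APC:", "LIP:"))
        last_node = path[-1][0] if path else None
        if classify(path) == "open" and ends_in_contract:
            problems.append((text, "open-ended path cannot end with a contract or profile"))
        elif last_node is not None and last_node.get("returns_source") and ends_in_contract:
            problems.append((text, "custom selector returning a source must end with Done or Restart"))
    return problems

def sample_policy(open_path_action="Continue"):
    """The page's sample policy: Test and Retail selectors, HTML Form and PingID adapters."""
    pingid = {"kind": "adapter", "name": "PingID",
              "branches": {"Fail": "Done", "Success": "APC:Employees"}}
    retail = {"kind": "selector", "name": "Retail",
              "branches": {"No": "APC:Employees", "Yes": pingid}}
    html_form = {"kind": "adapter", "name": "HTML Form",
                 "branches": {"Fail": "Done", "Success": retail}}
    return {"kind": "selector", "name": "Test",
            "branches": {"No": html_form, "Yes": open_path_action}}

if __name__ == "__main__":
    for path, action in enumerate_paths(sample_policy()):
        print(classify(path), " -> ".join(f"{n['name']} -> {r}" for n, r in path), "->", action)
    print(lint_policy(sample_policy("APC:Employees")))   # flags the open-ended Test -> Yes path
```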