Configuring the Extended Property Authentication Selector
The Extended Property Authentication Selector enables PingFederate to choose configured authentication sources or other selectors based on a match between a selector result value and an extended property value populated on the invoking browser-based SSO connection or OAuth client.
Steps

1. Go to Authentication → Policies → Selectors to open the Selectors window.
2. On the Selectors window, click Create New Instance to start the Create Authentication Selector Instance workflow.
3. On the Type tab, configure the basics of this authentication selector instance.
4. On the Authentication Selector tab, select a property from the Extended Property list.
   The extended property is the property that this selector instance looks for on the invoking connection or client. The selector compares the populated property value (or values, if the extended property is multivalued) against the selector result values defined in this selector instance.
5. On the Selector Result Values tab, specify one or more expected result values.
   a. Enter the exact, case-sensitive value under Result Values and click Add.
   b. Optional: Add more values to differentiate the criteria for authentication selection.

   Display order might matter.
   Expected result values are always sorted alphabetically, in ascending order, on this tab.
   When you place this selector instance as a checkpoint in an authentication policy, each selector result value forms a policy path. The display order of the resulting policy paths matches the display order here, which can affect the policy outcome. When the policy engine reaches this selector instance, the selector evaluates the result values from top to bottom. As soon as it finds a match, it returns true and exits. The matching mechanism depends on the type of extended property selected in step 4.
   Matching mechanism for single-value extended properties

   The selector compares the property value populated in the invoking connection or client against the configured selector result values. When multiple selector result values exist, the selector starts from the top. If the current selector result value is a case-sensitive exact match, the selector returns true and exits. Otherwise, it moves on to the next selector result value and tries again.

   For example, assume this selector instance, named ExtProps, is configured with the expected result values Alpha, Bravo, and Charlie. The invoking connection is populated with an extended property value of Bravo, and this selector instance is placed as a checkpoint in an authentication policy as follows.

----
ExtProps
+--Alpha
|   <policy path>
|
+--Bravo
|   <policy path>
|
+--Charlie
    <policy path>
----

   Given this setup, the selector returns true and exits when it reaches the second selector result value. The policy engine regains control of the request and proceeds with the policy path configured for the selector result value Bravo.

   Matching mechanism for multivalued extended properties

   The selector compares the property values populated in the invoking connection or client against the configured selector result values. When multiple selector result values exist, the selector starts from the top. If the current selector result value is a case-sensitive exact match to any one of the property values from the invoking connection or client, the selector returns true and exits. Otherwise, it moves on to the next selector result value and tries again. Note that the selector iterates over the configured result values, not over the connection's property values: when several of the connection's values match, the one that wins is decided by the alphabetical order of the result values, not by the order in which the values were added to the connection or client.

   For example, assume the previous selector instance remains. The invoking connection is populated with extended property values of Alpha and Charlie, and this selector instance remains as a checkpoint in the authentication policy shown above.

   In this scenario, the selector returns true and exits when it reaches the first selector result value. The policy engine regains control of the request and proceeds with the policy path configured for the selector result value Alpha. Even though the expected selector result value Charlie is also a case-sensitive exact match to Charlie, one of the property values from the invoking connection, the policy engine never executes the policy path configured for Charlie, because the selector has already exited and returned control to the policy engine when it matched Alpha.
Use the Edit, Update, and Cancel workflow to make or undo a change to an existing entry. Click Delete to remove an entry.
Example

1. Go to System → Server → Extended Properties.
2. On the Extended Properties window, define a multivalued extended property and name it configStatus.
3. Create an SP connection with the following characteristics:
   - On the Extended Properties window, add two values for the configStatus extended property: DEV and TEST.
   - On the Attribute Source Mapping window, map an authentication policy contract to the service provider (SP) connection. The policy contract name is APC.
4. Create an instance of the Extended Property Authentication Selector with the following characteristics:
   - On the Type tab, name the selector instance ExtProps.
   - On the Authentication Selector tab, select configStatus from the list.
   - On the Selector Result Values tab, enter DEV and TEST.
5. Create and activate the following identity provider (IdP) authentication policy.

----
ExtProps
+--DEV
|   OpenToken
|   +--Fail: Done
|   +--Success: APC
|
+--TEST
    HTML
    +--Fail: Done
    +--Success: APC
----

   Configure each APC to fulfill values obtained from its preceding adapter instance.

When processing SSO requests intended for this SP connection, the policy engine matches one of the populated property values, DEV, from the SP connection to the first selector result value, also DEV, so it always invokes the OpenToken IdP Adapter instance on the DEV policy path. The TEST policy path is never executed for this SP connection, even though TEST is also populated on the connection.

On the other hand, if you remove the extended property value DEV from the SP connection, the policy engine routes SSO requests intended for this SP connection to the HTML Form Adapter instance on the TEST policy path. The DEV policy path is never executed for this SP connection.
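The selection rule described under "Matching mechanism" and exercised in the example above can be modelled in a few lines, which makes it easy to predict the policy path a given connection or client will take before touching a live policy. The following is an added illustration written for this page, not PingFederate code: it reproduces the documented behaviour (result values sorted alphabetically in ascending order, exact case-sensitive comparison, first match wins, later result values never evaluated). The function and variable names are this illustration's own, the sample property values are constructed from the page's scenarios, and the assumption that "alphabetical" means plain code-point order is noted in the code.

```python
"""Model of the Extended Property Authentication Selector's matching rule.

Added illustration, not PingFederate code. It reproduces the documented
behaviour of the selector: result values are sorted alphabetically in
ascending order, comparisons are exact and case-sensitive, the first
matching result value wins, and later result values are never evaluated.
Use it to predict which policy path a connection or client will take.
"""
from typing import Iterable, List, Optional, Union

# An extended property on a connection or client: a single string for a
# single-value property, several strings for a multivalued one, or None
# when the property is not populated at all.
PropertyValue = Union[str, Iterable[str], None]


def sorted_result_values(result_values: Iterable[str]) -> List[str]:
    """Order result values as the Selector Result Values tab displays them.

    Assumption: the tab's 'alphabetical, ascending' order is plain
    code-point order (so 'DEV' sorts before 'dev'); PingFederate may use
    a locale-aware collation instead, which only matters for mixed case.
    """
    return sorted(set(result_values))


def _populated(property_value: PropertyValue) -> set:
    """Normalise the invoking connection's property value(s) to a set."""
    if property_value is None:
        return set()
    if isinstance(property_value, str):
        return {property_value}
    return set(property_value)


def select_path(result_values: Iterable[str],
                property_value: PropertyValue) -> Optional[str]:
    """Return the result value whose policy path the selector takes.

    Walks the result values top to bottom (sorted order) and returns the
    first one that exactly equals a populated property value. Returns
    None when nothing matches; the page does not say what the policy
    engine does then, so callers must treat None as 'no path selected'.
    """
    populated = _populated(property_value)
    for candidate in sorted_result_values(result_values):
        if candidate in populated:  # exact, case-sensitive comparison
            return candidate
    return None


def shadowed_paths(result_values: Iterable[str],
                   property_value: PropertyValue) -> List[str]:
    """Result values that match the connection but can never be reached,
    because an alphabetically earlier result value already matched."""
    chosen = select_path(result_values, property_value)
    if chosen is None:
        return []
    populated = _populated(property_value)
    return [v for v in sorted_result_values(result_values)
            if v in populated and v != chosen]


if __name__ == "__main__":
    # Scenarios from the page, with constructed property values.
    abc = ["Alpha", "Bravo", "Charlie"]
    print(select_path(abc, "Bravo"))                  # single-value: Bravo
    print(select_path(abc, ["Charlie", "Alpha"]))     # multivalued: Alpha wins
    print(shadowed_paths(abc, ["Charlie", "Alpha"]))  # ['Charlie'] never runs

    cfg = ["DEV", "TEST"]
    print(select_path(cfg, ["DEV", "TEST"]))          # DEV path (OpenToken)
    print(shadowed_paths(cfg, ["DEV", "TEST"]))       # ['TEST']
    print(select_path(cfg, ["TEST"]))                 # DEV removed: TEST path
    print(select_path(cfg, ["dev"]))                  # case mismatch: None
```

Running `shadowed_paths` over every connection or client that carries the extended property is a quick way to find policy paths that are configured but unreachable, which is the situation the example's TEST path is in while DEV is still populated on the SP connection.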