PingFederate Server

Configuring a sample use case

Use the following sample setup to configure one of the common use cases where you have two categories of service providers (SPs).

Before you begin

For this sample use case, you must have the following components:

  • An authentication policy contract

  • Multiple SP connections. All connections use the same authentication policy contract as their sole authentication source

  • Instances of the required adapters

  • An instance of the Connection Set Authentication Selector to isolate high-value connections from the rest of the connections

About this task

The Session Authentication Selector lets PingFederate choose a policy path at runtime based on whether the user already has a PingFederate authentication session for a particular source.

You need to enforce authentication requirements on two categories of service provider connections:

  • For high-value connections, users must authenticate using the X.509 Adapter followed by the PingID Adapter.

  • For low-value connections, users can authenticate using the HTML Form Adapter or the X.509 Adapter followed by the PingID Adapter.

To fulfill this use case, follow these configuration steps.

Steps

  1. Go to Authentication → Policies → Selectors.

  2. Create an instance of the Session Authentication Selector to account for authentication sessions acceptable for low-value connections.

    1. Click Create New Instance.

    2. On the Type tab, enter a name (for example, Sessions for low-value connections) and an ID. Then select Session Authentication Selector from the list.

    3. On the Authentication Selector tab, leave the Enable 'No Session' Result Value check box clear; then configure the following authentication source-to-result value entries.

      Authentication source (adapter instance name) Result value (policy path label)

      HTML

      SSO

      X.509

      Mutual TLS and MFA

      Example:

      The following screen capture illustrates the setup.

      Create Authentication Selector Instance window

    4. On the Summary tab, click Done.

    5. On the Manage Authentication Selector Instances window, click Save to keep the newly configured authentication selector instance.

  3. Go to Authentication → Policies → Policies.

  4. On the Policies window, define an authentication policy for high-value connections.

    1. Click Add Policy.

    2. In the Name field, enter a name for the policy, such as High-value connections.

    3. From the Policy list, select the instance of the Connect Set Authentication Selector that isolates high-value connections from the rest.

    4. For the No policy path, select Continue.

    5. For the Yes policy path, select the X.509 Adapter instance.

    6. For the X.509 Adapter instance → Fail policy path, select Done.

    7. For the X.509 Adapter instance → Success policy path, select the PingID Adapter instance.

    8. Below the PingID Adapter instance, click Options.

    9. On the Incoming User ID window, select the X.509 Adapter instance as the source and username as the attribute.

      This step applies only to adapters that support a user identifier to be passed in from an earlier authentication source. The PingID Adapter requires this user identifier. For more information, see Specifying incoming user IDs.

    10. For the X.509 Adapter instance → Success → PingID Adapter instance → Fail policy path, select Done.

    11. For the X.509 Adapter instance → Success → PingID Adapter instance → Success policy path, select the authentication policy contract.

    12. Complete the contract mapping for the authentication policy contract.

      Example:

      The following illustrates the policy created for high-value connections.

      A screen capture illustrating a sample policy for high-value connections.

    13. Click Done.

  5. Define an authentication policy for low-value connections.

    1. Click Add Policy.

    2. Enter a name for the policy, such as Low-value connections.

    3. From the Policy list, select the instance of the Session Authentication Selector. For more information, see step 2.

    4. For the single sign-on (SSO) policy path, select the HTML Form Adapter instance.

    5. For the HTML Form Adapter instance → Fail policy path, select Done.

    6. For the HTML Form Adapter instance → Success policy path, select the authentication policy contract.

    7. Complete the contract mapping for the authentication policy contract.

    8. For the Mutual TLS and MFA policy path, select the X.509 Adapter instance.

    9. For the X.509 Adapter instance → Success policy path, select the PingID Adapter instance.

    10. Below the PingID Adapter instance, click Options. Select the X.509 Adapter instance as the source and username as the attribute on theIncoming User ID window.

      This step only applies to adapters that support a user identifier to be passed in from an earlier authentication source. The PingID Adapter requires this user identifier. For more information, see Specifying incoming user IDs.

    11. For the X.509 Adapter instance → Success → PingID Adapter instance → Fail policy path, select Done.

    12. For the X.509 Adapter instance → Success → PingID Adapter instance → Success policy path, select the authentication policy contract.

    13. Complete the contract mapping for the authentication policy contract.

      Example:

      The following illustrates the policy created for low-value connections.

      A screen capture illustrating the sample policy for connections related to office maintenance.
    14. Click Done.

    15. To activate authentication polices for identity provider (IdP) browser SSO requests, adapter-to-adapter requests, and browser-based OAuth authorization code and implicit flows, select the IdP Authentication Policies check box.

      Example:

      The following screen capture illustrates the policies created this sample use case.

      A screen capture illustrating the policies created for this sample use case.

  6. To keep the newly configured authentication policies, click Save.