PingFederate Server

SP authentication policies

Service provider (SP) authentication policies provide a means for you to impose authentication requirements on SP-initiated browser single sign-on (SSO) requests received at the /sp/startSSO.ping endpoint.

When you enable this optional feature, you create policies that the PingFederate SP server can use to find the applicable SP adapter instance to access target applications. For this reason, you must configure the target applications to provide the SpSessionAuthnAdapterId parameter or the TargetResource parameter, or both, in their SP-initiated SSO requests.

If you prefer to provide the TargetResource parameter without the SpSessionAuthnAdapterId parameter, you must go to Applications → Integration → Target URL Mapping and configure entries to map the TargetResource values to the applicable SP adapter instances.

SP authentication policies only apply to SP-initiated browser SSO requests received at the #spStartSsoPing SP application endpoint. They do not apply to unsolicited SSO requests received at the SP protocol endpoints.

In addition, enabling SP authentication policies does not enable authentication policies for identity provider (IdP) browser SSO requests, adapter-to-adapter requests, and browser-based OAuth authorization code and implicit flows.

For more information and configuration steps, see the subsequent sample use cases.