Defining a request policy
You can define the basics of your client-initiated backchannel authentication (CIBA) request policy in the PingFederate administrative console.
Steps
-
Go to Applications → OAuth → CIBA Request Policies.
-
On the Manage Policy tab, define the basics of your CIBA request policy.
For more information about each field, refer to the following table.
Field: Policy ID (Required)
Description: The unique identifier of this request policy.

Field: Name (Required)
Description: The display name of this request policy.

Field: Authenticator (Required)
Description: The CIBA authenticator instance associated with this request policy.

Field: User Code PCV
Description: The Password Credential Validator (PCV) instance that PingFederate uses to validate the user_code parameter values it receives from clients associated with this request policy.
If a client is associated with a request policy that has a PCV instance configured, the client can enable user code support in its configuration. A client that supports user code must not be associated with a request policy that has no PCV instance configured. For more information on CIBA client configuration, see Configuring OAuth clients.

Field: Transaction Lifetime (Seconds)
Description: How long, in seconds, an authentication request from a client associated with this request policy remains valid, measured from the moment PingFederate generates the authentication request acknowledgment.
The default value is 120. Clients can request a shorter lifetime by including the requested_expiry parameter in their authentication requests.

Field: Allow Unsigned Login Hint Token
Description: Controls whether clients associated with this request policy can use unsigned JSON Web Tokens (JWTs) as values of the login_hint_token request parameter in their authentication requests.
This check box is not selected by default. Leaving it cleared means PingFederate only accepts login hint tokens whose signature it can verify.

Field: Require Token for Identity Hint
Description: Controls whether clients associated with this request policy must use either id_token_hint or login_hint_token as the identity hint in their authentication requests.
This check box is not selected by default. When selected, clients associated with this request policy cannot use login_hint as the identity hint in their authentication requests.

Field: Alternative Login Hint Token Issuers
Description: Alternative issuers that clients associated with this request policy can use in their signed login hint tokens. Each additional issuer requires either a JWKS URL or the JWKS itself so that PingFederate can verify the signatures of login hint tokens from that issuer.
-
Click Next.
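The following is an added, illustrative model of the checks these policy fields impose on an incoming backchannel authentication request; it is not PingFederate's own code and does not claim to reproduce its exact behaviour. The policy dataclass mirrors the fields in the table above. The `default_issuer` parameter, the helper names, the clamping of `requested_expiry` to the policy lifetime, and the constructed sample tokens are assumptions made for the example; signature verification against the issuer's JWKS is noted but not performed.

```python
"""Illustrative model of CIBA request-policy checks (example, not PingFederate code)."""
import base64
import json
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class CibaRequestPolicy:
    """Mirrors the request-policy fields described in the table above."""
    policy_id: str
    name: str
    authenticator: str
    user_code_pcv: Optional[str] = None           # None: no PCV, so user_code is not allowed
    transaction_lifetime: int = 120               # seconds; the documented default
    allow_unsigned_login_hint_token: bool = False
    require_token_for_identity_hint: bool = False
    # alternative issuer -> JWKS URL (or inline JWKS); each one needs keys to verify with
    alternative_login_hint_token_issuers: Dict[str, str] = field(default_factory=dict)


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _jwt_part(token: str, index: int) -> dict:
    """Decode the header (0) or claims (1) segment of a compact JWT."""
    return json.loads(_b64url_decode(token.split(".")[index]))


def make_jwt(claims: dict, alg: str = "none") -> str:
    """Constructed sample token for the example. alg 'none' yields an unsigned JWT
    (empty signature); any other alg gets a placeholder signature segment, because
    this example only inspects the header and claims and never verifies signatures."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    signature = "" if alg == "none" else "placeholder-signature"
    return f"{enc({'alg': alg})}.{enc(claims)}.{signature}"


def evaluate(policy: CibaRequestPolicy, request: dict,
             default_issuer: str) -> Tuple[bool, str, Optional[int]]:
    """Apply the policy to a backchannel authentication request.

    Returns (accepted, reason, effective_lifetime_seconds). default_issuer is the
    issuer accepted without an alternative-issuer entry (an assumption of this example)."""
    hints = [h for h in ("login_hint", "login_hint_token", "id_token_hint") if h in request]
    if len(hints) != 1:
        return False, "exactly one identity hint is required", None
    hint = hints[0]

    if policy.require_token_for_identity_hint and hint == "login_hint":
        return False, "policy requires id_token_hint or login_hint_token; login_hint rejected", None

    if hint == "login_hint_token":
        token = request["login_hint_token"]
        if _jwt_part(token, 0).get("alg") == "none":
            if not policy.allow_unsigned_login_hint_token:
                return False, "unsigned login_hint_token not allowed by policy", None
        else:
            iss = _jwt_part(token, 1).get("iss")
            trusted = {default_issuer, *policy.alternative_login_hint_token_issuers}
            if iss not in trusted:
                return False, f"no JWKS configured for login_hint_token issuer {iss!r}", None
            # A real authorization server now verifies the signature against that
            # issuer's JWKS; omitted here.

    if "user_code" in request and policy.user_code_pcv is None:
        return False, "user_code supplied but policy has no User Code PCV", None

    lifetime = policy.transaction_lifetime
    if "requested_expiry" in request:
        requested = int(request["requested_expiry"])
        if requested <= 0:
            return False, "requested_expiry must be a positive integer", None
        lifetime = min(lifetime, requested)   # clients may only shorten the lifetime
    return True, "ok", lifetime
```

Run `evaluate` with a policy that has "Require Token for Identity Hint" selected and no alternative issuers, and a request carrying only `login_hint`, to see the rejection the table describes; a signed `login_hint_token` from an issuer with no JWKS entry is rejected for the reason given under "Alternative Login Hint Token Issuers".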