PingFederate Server

Defining a request policy

You can define the basics of your client-initiated backchannel authentication (CIBA) request policy in the PingFederate administrative console.

Steps

  1. Go to Applications → OAuth → CIBA Request Policies.

  2. On the Manage Policy tab, define the basics of your CIBA request policy.

    For more information about each field, refer to the following table.

    Field Description

    Policy ID

    (Required)

    The unique identifier of this request policy.

    Name

    (Required)

    The name of this request policy.

    Authenticator

    (Required)

    The CIBA authenticator instance associated with this request policy.

    User Code PCV

    The Password Credential Validator (PCV) instance that PingFederate uses to validate the user_code parameter values it receives from clients associated with this request policy.

    If a client is associated with a request policy that has been configured with a PCV instance, it can support user code in its configuration.

    A client supporting user code must not be associated with a request policy that is not configured with a PCV instance. For more information on CIBA client configuration, see Configuring OAuth clients.

    Transaction Lifetime (Seconds)

    The validity, in seconds, of authentication requests PingFederate receives from clients associated with this request policy since the generation of their authentication request acknowledgments.

    The default value is 120.

    Clients can request a shorter lifetime by including the requested_expiry request parameter in their authentication requests.

    Allow Unsigned Login Hint Token

    Controls whether clients associated with this request policy can use unsigned JSON web tokens (JWT) as values of the login_hint_token request parameter in their authentication requests.

    This check box is not selected by default.

    Require Token for Identity Hint

    Controls whether clients associated with this request policy must use either the id_token_hint or login_hint_token as the identity hint in their authentication requests.

    This check box is not selected by default.

    When selected, clients associated with this request policy cannot use login_hint as the identity hint in their authentication requests.

    Alternative Login Hint Token Issuers

    Alternative issuers that clients associated with this request policy can use in their signed login hint tokens. Furthermore, each additional issuer requires either the JWKS url or the actual JWKS so that PingFederate can verify the authenticity of the signed login hint tokens.

  3. Click Next.