PingFederate Server

SP authentication policies

Service provider (SP) authentication policies provide a means for you to impose authentication requirements on SP-initiated browser single sign-on (SSO) requests received at the /sp/startSSO.ping endpoint.

When you enable this optional feature, you create policies that the PingFederate SP server can use to find the applicable SP adapter instance to access target applications. For this reason, you must configure the target applications to provide the SpSessionAuthnAdapterId parameter or the TargetResource parameter, or both, in their SP-initiated SSO requests.

If you prefer to provide the TargetResource parameter without the SpSessionAuthnAdapterId parameter, you must go to Applications → Integration → Target URL Mapping and configure entries to map the TargetResource values to the applicable SP adapter instances.

SP authentication policies only apply to SP-initiated browser SSO requests received at the /sp/startSSO.ping SP application endpoint. They do not apply to unsolicited SSO requests received at the SP protocol endpoints.

In addition, enabling SP authentication policies does not enable authentication policies for identity provider (IdP) browser SSO requests, adapter-to-adapter requests, or browser-based OAuth authorization code and implicit flows.
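The parameter requirements above can be checked against the SSO links that target applications emit before the feature is enabled. The following is an added example, not PingFederate code: the hostnames, adapter instance IDs and mapping table are constructed, and the wildcard match is a simplified stand-in for Target URL Mapping, not PingFederate's own matching logic.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit, parse_qs

START_SSO_PATH = "/sp/startSSO.ping"

# Constructed stand-in for Target URL Mapping entries:
# TargetResource pattern -> SP adapter instance ID (assumed values).
TARGET_URL_MAPPING = {
    "https://hr.example.com/*": "HrAdapter",
}

def check_sso_link(url, mapping=TARGET_URL_MAPPING):
    """Classify one link; return (status, adapter_instance_id_or_None)."""
    parts = urlsplit(url)
    if not parts.path.endswith(START_SSO_PATH):
        # SP authentication policies only cover the startSSO endpoint.
        return ("not-start-sso", None)
    query = parse_qs(parts.query)  # percent-decodes; drops blank values
    adapter = query.get("SpSessionAuthnAdapterId", [None])[0]
    if adapter:
        return ("adapter-id", adapter)
    target = query.get("TargetResource", [None])[0]
    if target is None:
        return ("no-adapter-hint", None)
    # TargetResource alone needs a mapping entry to reach an adapter instance.
    for pattern, mapped in mapping.items():
        if fnmatchcase(target, pattern):
            return ("mapped-target", mapped)
    return ("unmapped-target", None)

def audit(links, mapping=TARGET_URL_MAPPING):
    """Return the links that give the SP server no way to pick an adapter."""
    problems = ("no-adapter-hint", "unmapped-target")
    return [u for u in links if check_sso_link(u, mapping)[0] in problems]

# Constructed sample links, as a target application might emit them.
BASE = "https://sso.example.com/sp/startSSO.ping"
LINKS = [
    BASE + "?SpSessionAuthnAdapterId=PortalAdapter",
    BASE + "?TargetResource=https%3A%2F%2Fhr.example.com%2Fhome",
    BASE + "?TargetResource=https%3A%2F%2Fwiki.example.com%2F",
    BASE,
]

if __name__ == "__main__":
    for link in audit(LINKS):
        print("needs SpSessionAuthnAdapterId or a mapping entry:", link)
```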

For more information and configuration steps, see the subsequent sample use cases.