PingFederate Server

Policy fragments

You can manage policy fragments under Authentication > Policies > Fragments. You can create reusable policy fragments and apply them in multiple authentication policies.

Fragments make policies easier to administer. They allow you to extract common patterns that exist among different policies and to manage them in one place. For example, you can create a reusable policy fragment with policy components that you frequently use and apply that fragment in multiple policies. When the authentication requirements need adjustments, you can make those changes in the fragment without updating the policies that reference it.

Fragments can use other fragments. You can chain up to five fragments together and use as many fragments as you want throughout a policy, but the policy can’t be configured to have over five fragments being processed at one time.

On the Fragments page:

  • Click Add Fragment to define a policy fragment.

  • Click the name of an existing fragment to edit its configuration.

  • Click Select Action to copy or delete an existing fragment.

Defining policy fragments

Before you begin

Make sure that you have configured at least two policy contracts to function as input and output contracts. Learn more in Policy contracts.

Steps

  1. In the Name field, type a name for the policy fragment.

  2. (Optional) Change the identifier for the fragment. This ID will be used to reference input and output attributes in the advanced Expressions fulfillment option. It can’t be changed after the fragment has been created.

  3. (Optional) Type a description for the fragment.

  4. (Optional) In the Inputs list, select the input authentication policy contract that calling members will need to fulfill. The attributes contained in the contract are available for use throughout the policy.

    Incoming user ID mapping is restricted to fragments with an input contract.

  5. (Optional) From the Outputs list, select the output authentication policy contract that this fragment will fulfill. Calling members can use the values of the attributes contained in the output policy contract.

  6. In the Policy list, select an IdP adapter, an IdP connection, a selector, or a fragment.

    You can select Fragments as the policy action and then select a policy fragment that you have created. When you select a fragment, click Fragment Mapping and use the in-product help links to access the topics that describe how to configure the mapping.

    1. Click Options and select the source and the attribute to be used as the incoming user ID.

    2. Click Rules and define authentication policy rules using attributes from the previous authentication source or from an earlier step in the policy.

    3. Configure Fail and Success paths. For a fragment to succeed, you must map it into a LIP or APC based on the output contract. You can also use a fragment in a calling policy and set both of the fragment’s exit Fail/Success nodes to Done.

      The Copy and Paste feature lets you copy a policy path and paste it into another place in the same policy, another policy, or a policy fragment. After you copy and paste a path, follow the on-screen instructions to correct any errors.

      One benefit of this feature is that you can easily add a new step at the start or middle of an existing policy. To do that, copy and then remove the existing path below the point where you will define the new step. After you define the new step, paste the copied path back into the policy below the new step.

  7. Click Save.