--- title: Configuring a sample use case description: Use the following sample setup to configure one of the common use cases where you have two categories of service providers (SPs). component: pingfederate version: 13.0 page_id: pingfederate:administrators_reference_guide:pf_config_sample_use_case canonical_url: https://docs.pingidentity.com/pingfederate/13.0/administrators_reference_guide/pf_config_sample_use_case.html revdate: July 11, 2022 section_ids: before-you-begin: Before you begin about-this-task: About this task steps: Steps example: Example: example-2: Example: example-3: Example: example-4: Example: --- # Configuring a sample use case Use the following sample setup to configure one of the common use cases where you have two categories of service providers (SPs). ## Before you begin For this sample use case, you must have the following components: * An authentication policy contract * Multiple SP connections. All connections use the same authentication policy contract as their sole authentication source * Instances of the required adapters * An instance of the Connection Set Authentication Selector to isolate high-value connections from the rest of the connections ## About this task The Session Authentication Selector lets PingFederate choose a policy path at runtime based on whether the user already has a PingFederate authentication session for a particular source. You need to enforce authentication requirements on two categories of service provider connections: * For high-value connections, users must authenticate using the X.509 Adapter followed by the PingID Adapter. * For low-value connections, users can authenticate using the HTML Form Adapter or the X.509 Adapter followed by the PingID Adapter. To fulfill this use case, follow these configuration steps. ## Steps 1. Go to **Authentication > Policies > Selectors**. 2. Create an instance of the Session Authentication Selector to account for authentication sessions acceptable for low-value connections. 1. Click **Create New Instance**. 2. On the **Type** tab, enter a name (for example, Sessions for low-value connections) and an ID. Then select **Session Authentication Selector** from the list. 3. On the **Authentication Selector** tab, leave the **Enable 'No Session' Result Value** checkbox clear; then configure the following authentication source-to-result value entries. | Authentication source (adapter instance name) | Result value (policy path label) | | --------------------------------------------- | -------------------------------- | | **HTML** | **SSO** | | **X.509** | **Mutual TLS and MFA** | ### Example: The following screen capture illustrates the setup. ![Create Authentication Selector Instance window](_images/gys1657563141838.png) 4. On the **Summary** tab, click **Done**. 5. On the **Manage Authentication Selector Instances** window, click **Save** to keep the newly configured authentication selector instance. 3. Go to **Authentication > Policies > Policies**. 4. On the **Policies** window, define an authentication policy for high-value connections. 1. Click **Add Policy**. 2. In the **Name** field, enter a name for the policy, such as `High-value connections`. 3. From the **Policy** list, select the instance of the Connect Set Authentication Selector that isolates high-value connections from the rest. 4. For the **No** policy path, select **Continue**. 5. For the **Yes** policy path, select the X.509 Adapter instance. 6. For the **X.509 Adapter instance > Fail** policy path, select **Done**. 7. For the **X.509 Adapter instance > Success** policy path, select the PingID Adapter instance. 8. Below the PingID Adapter instance, click **Options**. 9. On the **Incoming User ID** window, select the X.509 Adapter instance as the source and `username` as the attribute. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | This step applies only to adapters that support a user identifier to be passed in from an earlier authentication source. The PingID Adapter requires this user identifier. For more information, see [Specifying incoming user IDs](pf_specify_incoming_user_ids.html). | 10. For the **X.509 Adapter instance > Success > PingID Adapter instance > Fail** policy path, select **Done**. 11. For the **X.509 Adapter instance > Success > PingID Adapter instance > Success** policy path, select the authentication policy contract. 12. Complete the contract mapping for the authentication policy contract. ### Example: The following illustrates the policy created for high-value connections. ![A screen capture illustrating a sample policy for high-value connections.](_images/kud1564003300168.png) 13. Click **Done**. 5. Define an authentication policy for low-value connections. 1. Click **Add Policy**. 2. Enter a name for the policy, such as Low-value connections. 3. From the **Policy** list, select the instance of the Session Authentication Selector. For more information, see [step 2](#step-2). 4. For the single sign-on (**SSO**) policy path, select the HTML Form Adapter instance. 5. For the **HTML Form Adapter instance > Fail** policy path, select **Done**. 6. For the **HTML Form Adapter instance > Success** policy path, select the authentication policy contract. 7. Complete the contract mapping for the authentication policy contract. 8. For the **Mutual TLS and MFA** policy path, select the X.509 Adapter instance. 9. For the **X.509 Adapter instance > Success** policy path, select the PingID Adapter instance. 10. Below the PingID Adapter instance, click **Options**. Select the X.509 Adapter instance as the source and `username` as the attribute on the**Incoming User ID** window. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | This step only applies to adapters that support a user identifier to be passed in from an earlier authentication source. The PingID Adapter requires this user identifier. For more information, see [Specifying incoming user IDs](pf_specify_incoming_user_ids.html). | 11. For the **X.509 Adapter instance > Success > PingID Adapter instance > Fail** policy path, select **Done**. 12. For the **X.509 Adapter instance > Success > PingID Adapter instance > Success** policy path, select the authentication policy contract. 13. Complete the contract mapping for the authentication policy contract. ### Example: The following illustrates the policy created for low-value connections. ![A screen capture illustrating the sample policy for connections related to office maintenance.](_images/eso1564003300854.png) 14. Click **Done**. 15. To activate authentication polices for identity provider (IdP) browser SSO requests, adapter-to-adapter requests, and browser-based OAuth authorization code and implicit flows, select the **IdP Authentication Policies** checkbox. ### Example: The following screen capture illustrates the policies created this sample use case. ![A screen capture illustrating the policies created for this sample use case.](_images/dgd1564003301619.png) 6. To keep the newly configured authentication policies, click **Save**.