---
title: Defining issuance criteria for IdP Browser SSO
description: Configure the criteria that PingFederate uses to determine user authorization to access service provider (SP) resources.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_defining_issuance_criteria_idp_browser_sso
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_defining_issuance_criteria_idp_browser_sso.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 8, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
  related-links: Related links
---

# Defining issuance criteria for IdP Browser SSO

Configure the criteria that PingFederate uses to determine user authorization to access service provider (SP) resources.

## About this task

On the **Issuance Criteria** tab, define the criteria that must be satisfied in order for PingFederate to process a request further. This token authorization feature provides the capability to conditionally approve or reject requests based on individual attributes.

> **Note:** The **Issuance Criteria** tab does not appear if you have chosen the failsafe option on the **Mapping Method** tab. For more information, see [Selecting an attribute mapping method](pf_selecting_attribute_mapping_method.html).

Begin this optional configuration by adding a criterion. Choose the source that contains the attribute to be verified. Some sources, such as **Mapped Attributes**, are common to almost all use cases. Other sources, such as **JDBC**, depend on the type of configuration; irrelevant sources are automatically hidden. After you select a source, choose the attribute to be verified. The available attributes or properties vary with the selected source. Finally, specify the comparison method and the value to compare against.

If you define multiple criteria, all of them must be satisfied for PingFederate to move a request to the next phase. A criterion is satisfied when the runtime value of the selected attribute matches, or does not match, the specified value, depending on the chosen comparison method. The **multi-value contains** and **multi-value does not contain** comparison methods are intended for attributes that might hold multiple values; such a criterion is considered satisfied if one of those values matches or does not match the specified value. Values are compared verbatim. If you require complex evaluations, including conditional criteria or partial matching, define them using attribute mapping expressions.

> **Note:** When you multiplex one connection for multiple environments, consider using attribute mapping expressions to verify the virtual server ID in conjunction with other conditions, such as group membership information, to protect against unauthorized access. For more information, see [Multiple virtual server IDs](../introduction_to_pingfederate/virtual_server_id.html) and [Issuance criteria and multiple virtual server IDs](pf_issuance_criteria_multi_virtual_serverids.html).

> **Note:** All criteria defined must be satisfied or evaluated as true for a request to move forward. As soon as one criterion fails, PingFederate rejects the request and returns an error message.

## Steps

| Source                                                          | Description                                                                                                                                                                                                                                                                       |
| --------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Adapter** or **Authentication Policy Contract**               | Select to evaluate attributes from an identity provider (IdP) adapter instance or an authentication policy contract.                                                                                                                                                              |
| **Context**                                                     | Select to evaluate properties returned from the context of the transaction at runtime. The HTTP Request context value is retrieved as a Java object rather than text. For this reason, attribute mapping expressions are more appropriate to evaluate and return values. |
| **JDBC**, **LDAP**, or other types of datastore (if configured) | Select to evaluate attributes returned from a data source.                                                                                                                                                                                                                        |
| **Mapped Attributes**                                           | Select to evaluate the mapped attributes.                                                                                                                                                                                                                                         |

1. In the **Attribute Name** list, select the attribute to be evaluated.

2. Select the comparison method.

   Available methods:

   * **equal to**
   * **equal to (case insensitive)**
   * **equal to DN**
   * **not equal to**
   * **not equal to (case insensitive)**
   * **not equal to DN**
   * **multi-value contains**
   * **multi-value contains (case insensitive)**
   * **multi-value contains DN**
   * **multi-value does not contain**
   * **multi-value does not contain (case insensitive)**
   * **multi-value does not contain DN**

   > **Note:** The first six conditions are intended for single-value attributes. Use one of the **multi-value …** conditions for PingFederate to validate whether one of the attribute values matches the specified value. When an attribute has multiple values, using a single-value condition causes the criteria to fail.

   > **Note:** Values are compared verbatim. If you require complex evaluations, including conditional criteria or partial matching, define them using attribute mapping expressions. For more information, see [Attribute mapping expressions](pf_attribute_mapping_expressions.html).

3. Specify the value to compare against.

4. (Optional) In the **Error Result** field, enter an error code or message to be returned when the criterion fails.

   Error results are handled differently for IdP-initiated single sign-on (SSO) and SP-initiated SSO requests.

   * IdP-initiated SSO

     * Redirect

       When an `InErrorResource` URL is provided, the value of the **Error Result** field is used by an `ErrorDetail` query parameter in the redirect URL.

     * Template

       When an `InErrorResource` URL is not provided, the value of the **Error Result** field is used by the variable *$errorDetail* in the `idp.sso.error.page.template.html` template file.

   * SP-initiated SSO

     * SAML

       The **Error Result** field value is used by the `StatusMessage` element in the response to the SP.

     * WS-Federation (Template)

       The **Error Result** field value is used by the *$errorDetail* variable in the `<pf_install>/pingfederate/server/default/conf/template/sourceid-wsfed-idp-exception-template.html` template file.

   Using an error code in the **Error Result** field allows the error template or an application to process the code in a variety of ways. For example, the template or application can display an error message or e-mail an administrator.

5. To use localized descriptions, enter a unique alias in the **Error Result** field, such as `someIssuanceCriterionFailed`. Insert the same alias with the desired localized text in the applicable language resource files, located in the `<pf_install>/pingfederate/server/default/conf/language-packs` directory.

   If not defined, PingFederate returns `ACCESS_DENIED` when the criterion fails at runtime.

6. Click **Add**.

7. (Optional) Repeat to add more criteria.

8. If you require complex evaluations, including conditional criteria or partial matching, define them using attribute mapping expressions. For more information, see [Attribute mapping expressions](pf_attribute_mapping_expressions.html).

   1. Click **Show Advanced Criteria**.

   2. In the **Expression** field, enter the required expressions.

   3. In the **Error Result** field, enter an error code or message.

      > **Note:** If the expressions resolve to a string value instead of `true` or `false`, the returned value overrides the **Error Result** field value.

   4. Click **Add**.

   5. Click **Test**, enter values in the applicable fields, and verify the results.

   6. Repeat to add multiple criteria using attribute mapping expressions.
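The following Python is an added illustration, not PingFederate code, that models the evaluation rules described on this page: every criterion must pass, a single-value condition fails on a multi-valued attribute, a multi-value condition is satisfied by any one value, DN conditions compare normalised DNs, and the first failing criterion returns its **Error Result** (or `ACCESS_DENIED` when none is set). The attribute names, the DN normalisation, and the reading of "does not contain" as "no value matches" are assumptions.

```python
# Constructed model of the issuance-criteria rules this page describes; it is an
# illustration, not PingFederate code. Attribute names, the DN normalisation and
# the reading of "does not contain" are assumptions.

def _norm_dn(dn):
    # Assumption: trim whitespace around each RDN and lower-case it, so
    # "CN=Foo, DC=x" and "cn=foo,dc=x" compare equal.
    return ",".join(part.strip().lower() for part in dn.split(","))

def _match(condition, runtime_value, expected):
    """Compare one runtime value with the configured value under one condition."""
    if condition.endswith("DN"):
        return _norm_dn(runtime_value) == _norm_dn(expected)
    if condition.endswith("(case insensitive)"):
        return runtime_value.lower() == expected.lower()
    return runtime_value == expected  # otherwise values are compared verbatim

def evaluate_criterion(attrs, attribute, condition, value):
    """True when the criterion is satisfied for the runtime attributes."""
    values = attrs.get(attribute, [])
    if condition.startswith("multi-value"):
        # Satisfied when any one value matches; assumption: "does not contain"
        # means that no value matches.
        hit = any(_match(condition, v, value) for v in values)
        return not hit if "does not contain" in condition else hit
    if len(values) != 1:
        return False  # single-value condition on a multi-valued or absent attribute
    hit = _match(condition, values[0], value)
    return not hit if condition.startswith("not ") else hit

def authorize(attrs, criteria):
    """All criteria must pass; the first failure rejects the request with the
    criterion's Error Result, or ACCESS_DENIED when none was configured."""
    for c in criteria:
        if not evaluate_criterion(attrs, c["attribute"], c["condition"], c["value"]):
            return False, c.get("error_result") or "ACCESS_DENIED"
    return True, None

# Constructed runtime attributes for one request (attribute names are assumptions).
SAMPLE_ATTRS = {
    "context.VirtualServerId": ["partner-a"],
    "ds.memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com",
                    "cn=sso-users, ou=groups, dc=example, dc=com"],
}
# The virtual server ID must match and the user must be in the sso-users group.
CRITERIA = [
    {"attribute": "context.VirtualServerId", "condition": "equal to", "value": "partner-a"},
    {"attribute": "ds.memberOf", "condition": "multi-value contains DN",
     "value": "cn=sso-users,ou=groups,dc=example,dc=com", "error_result": "notInSsoUsersGroup"},
]
```

Calling `authorize(SAMPLE_ATTRS, CRITERIA)` returns `(True, None)`; swapping the second criterion for an `equal to` check on the multi-valued `ds.memberOf` attribute fails it, as the note above describes.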

## Related links
