PingFederate Server

Managing authentication applications

You can create and manage authentication applications that use the authentication API.

About this task

Authentication applications display user interfaces to collect credentials when authentication is completed through the PingFederate authentication API. The default authentication application is used for authentication sources that support the authentication API functionality and are invoked directly, rather than as part of an authentication policy.

Steps

  1. To manage authentication applications, go to Authentication → Integration → Authentication API Applications.

  2. To toggle the availability of authentication API support, select or clear the Enable Authentication API check box.

    The Enable API Explorer, Restrict Access to Redirectless Mode, and Include Request Context in API Responses check boxes are applicable and shown if the Enable Authentication API check box is selected.

    Option Description

    Enable API Explorer

    PingFederate includes an API Explorer that allows you to view the states, actions, and models available for the various API-capable adapters and selectors included in your PingFederate environment.

    The endpoint for the Authentication API Explorer is /pf-ws/authn/explorer. For more information, see Exploring the authentication API.

    This check box is enabled by default.

    Restrict Access to Redirectless Mode

    It is strongly recommended to enable the Restrict Access to Redirectless Mode setting. If it is not enabled, an authentication application can use a user's existing session to obtain tokens for any public client defined in the deployment, that is, any client with no authentication method defined.

    Enabling Restrict Access to Redirectless Mode ensures that authentication applications can only obtain tokens for the client specified in the application’s settings. When you enable this setting, make sure to update authentication applications that use redirectless mode and specify the client that they are allowed to use.

    For more information on how to allow highly trusted authentication applications to use the PingFederate authentication API in redirectless mode, see Configuring authentication applications.

    Restrict Access to Redirectless Mode is enabled by default.

    Include Request Context in API Responses

    To pass single sign-on (SSO) request context parameters and tracked parameters to authentication applications, select the Include Request Context in API Responses check box.

    Enabling this feature allows authentication API clients to use the context of SSO requests to make decisions and change branding. When enabled, the authentication API response includes the requestContext parameter of type Map. The following parameters are included when they are relevant to the SSO transaction:

    pluginId

    The ID of the identity provider (IdP) adapter or the authentication selector

    entityId

    The ID of the service provider (SP) connection used in the SSO transaction

    applicationName

    The name of the SP connection or OAuth client used in the SSO transaction

    client_id

    The ID of the OAuth client used in the SSO transaction

    spAdapterId

    The ID of the SP adapter used in the SSO transaction

    oidcUiLocales

    The OIDC ui_locales

    trackedHttpParams

    An array of the tracked HTTP parameters passed when processing authentication policies

    extendedProperties

    The defined extended properties, which are passed to all applicable Velocity templates and as a request context parameter in the authentication API

    Except for tracked HTTP parameters, these parameters do not include sensitive information. Whether tracked HTTP parameters include sensitive information depends on which parameters you choose to track in policies. For information about configuring tracked HTTP parameters, see Defining authentication policies.

  3. In the Default Authentication Application section, perform any of the following actions.

    Option Action

    Default Authentication Application

    Select an application from the list to designate as the default authentication application.

    Check Usage

    Click to open a pop-up window listing the configurations in which the default authentication application is used.

    This is only available for the default authentication application.

    Add Authentication Application

    Click to add a new authentication application. See Configuring authentication applications.

    Delete

    Click to remove an authentication application.

  4. Click Save.
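The following is an added example, not code from PingFederate or Ping Identity, showing how a front end that drives the authentication API can consume the requestContext map described under Include Request Context in API Responses. It picks a UI locale from oidcUiLocales, derives branding from applicationName and extendedProperties, and redacts trackedHttpParams before logging, because those values may be sensitive depending on which parameters the policy tracks. The sample response is constructed for this example: the requestContext keys are the documented ones, but the id, status, and _links values are placeholders, and the {name, value} shape of each trackedHttpParams entry is an assumption.

```javascript
// Added example (not PingFederate's own code): consume the requestContext
// map that PingFederate adds to authentication API responses when
// "Include Request Context in API Responses" is enabled.

// Constructed sample state response. requestContext keys are the documented
// ones; id/status/_links are placeholders, and the {name, value} shape of
// trackedHttpParams entries is an assumption made for this example.
const SAMPLE_RESPONSE = {
  id: "flow-id-placeholder",
  status: "USERNAME_PASSWORD_REQUIRED",
  _links: { self: { href: "/pf-ws/authn/flows/flow-id-placeholder" } },
  requestContext: {
    pluginId: "HTMLFormAdapter",
    entityId: "sp:example",
    applicationName: "Example Portal",
    client_id: "portal-web",
    oidcUiLocales: "fr-CA de en",
    trackedHttpParams: [
      { name: "campaign", value: "spring" },
      { name: "login_hint", value: "user@example.com" }, // PII: must not be logged
    ],
    extendedProperties: { theme: "dark" },
  },
};

const DEFAULT_LOCALE = "en";

// ui_locales is a space-separated, preference-ordered list of BCP 47 tags
// (OIDC Core 3.1.2.1). Return the first tag the UI supports, trying an exact
// match first and then the bare language subtag ("fr-CA" -> "fr").
function pickLocale(uiLocales, supported, fallback = DEFAULT_LOCALE) {
  const wanted = String(uiLocales || "").trim().split(/\s+/).filter(Boolean);
  const supportedSet = new Set(supported);
  for (const tag of wanted) {
    if (supportedSet.has(tag)) return tag;
    const lang = tag.split("-")[0];
    if (supportedSet.has(lang)) return lang;
  }
  return fallback;
}

// Decide what to render from a state response. Works whether or not the
// server included requestContext (the setting may be disabled).
function brandingFor(response, supportedLocales) {
  const ctx = response.requestContext || {};
  const ext = ctx.extendedProperties || {};
  return {
    appName: ctx.applicationName || ctx.client_id || ctx.entityId || "Sign on",
    locale: pickLocale(ctx.oidcUiLocales, supportedLocales),
    theme: ext.theme || "default",
    hasRequestContext: Boolean(response.requestContext),
  };
}

// Produce a log-safe copy of requestContext: keep the non-sensitive
// identifiers verbatim, but reduce trackedHttpParams to parameter names
// only, since their values are whatever the policy chose to track.
function redactRequestContext(response) {
  const ctx = response.requestContext;
  if (!ctx) return null;
  const { trackedHttpParams, ...rest } = ctx;
  return {
    ...rest,
    trackedHttpParamNames: Array.isArray(trackedHttpParams)
      ? trackedHttpParams.map((p) => (p && p.name) || String(p))
      : [],
  };
}

// Usage: decide rendering, then log only the redacted context.
console.log(brandingFor(SAMPLE_RESPONSE, ["en", "fr-CA"]));
console.log(redactRequestContext(SAMPLE_RESPONSE));
```

The same code path handles a response with no requestContext at all, which is what the client sees when the check box is cleared, so the UI degrades to defaults rather than failing.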