Defining issuance criteria for processor policy grant mapping
Individual attributes within policy contracts can further determine whether PingFederate approves or rejects requests. You can define those criteria to satisfy, or you can choose to skip this configuration.
About this task
On the Issuance Criteria tab, define the criteria to satisfy for PingFederate to process a request further. Use this token authorization feature to approve or reject requests conditionally based on individual attributes.
Begin this optional configuration by choosing the source that contains the attributes to verify. Some sources, such as Mapped Attributes, are common to almost all use cases. Other sources depend on the type of configuration, such as JDBC. Irrelevant sources are hidden automatically.
After you select a source, choose the attribute to verify. Depending on the selected source, the available attributes or properties vary. Specify the comparison condition and the desired value to compare to.
You can define multiple criteria, which must all be satisfied for PingFederate to move a request to the next phase. A criterion is satisfied when the runtime value of the selected attribute matches or does not match the specified value, depending on the chosen comparison method.
The multi-value contains… or multi-value does not contain… comparison methods are intended for attributes that can contain multiple values. Such a criterion is satisfied if one of the attribute values matches (or, for the does not contain methods, none of them match) the specified value. Values are compared verbatim. If you require complex evaluations, including conditional criteria or partial matching, define them using attribute mapping expressions.
All criteria defined must be satisfied or evaluated as true for a request to move forward, regardless of how the criteria were defined. As soon as one criterion fails, PingFederate rejects the request and returns an error message.
Steps
- Depending on the selection, the Attribute Name list populates with the associated attributes. Refer to the following table for more information:

| Source | Description |
| --- | --- |
| Processor Policy | Select to evaluate attributes from the processor policy. |
| Context | Select to evaluate properties returned from the context of the transaction at runtime. Because the HTTP Request context value is retrieved as a Java object instead of text, attribute mapping expressions are more appropriate for evaluating and returning values. |
| Extended Properties | Select to evaluate OAuth client metadata. |
| JDBC, LDAP, or other types of datastore (if configured) | Select to evaluate attributes returned from a data source. |
| Mapped Attributes | Select to evaluate the mapped attributes. |
- In the Attribute Name list, select the attribute to be evaluated.
  Available methods:
  - equal to
  - equal to (case insensitive)
  - equal to DN
  - not equal to
  - not equal to (case insensitive)
  - not equal to DN
  - multi-value contains
  - multi-value contains (case insensitive)
  - multi-value contains DN
  - multi-value does not contain
  - multi-value does not contain (case insensitive)
  - multi-value does not contain DN

  The first six conditions are intended for single-value attributes. Use one of the multi-value… conditions for PingFederate to validate whether one of the attribute values matches the specified value. When an attribute has multiple values, using a single-value condition causes the criterion to fail.

  Values are compared verbatim. If you require complex value evaluations, including conditional criteria or partial matching, define them using attribute mapping expressions. Learn more in Attribute mapping expressions.
  The value of this field is used by the error_description protocol field. Using an error code in the Error Result field allows an application to process the code in several ways, such as displaying an error message or emailing an administrator.
  - To use localized descriptions, enter a unique alias in the Error Result field, such as someIssuanceCriterionFailed. Insert the same alias with the desired localized text in the applicable language resource files, located in the <pf-install>/pingfederate/server/default/conf/language-packs directory.
  - If not defined, PingFederate returns ACCESS_DENIED when the criterion fails at runtime.
- Click Add.
- Repeat as necessary to add more criteria.
- If you require complex evaluations, including conditional criteria or partial matching, define them using attribute mapping expressions.
  - Click Show Advanced Criteria.
  - In the Expression field, enter the required expressions.
  - In the Error Result field, enter an error code or message.
    If the expressions resolve to a string value instead of true or false, the returned value overrides the Error Result field value.
  - Click Add.
  - Click Test, enter values in the applicable fields, and verify the results.
  - Repeat to add multiple criteria using mapping expressions.
- Click Next.
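As an added example covering the comparison conditions and the evaluation order described in the steps above (an illustrative Python model written for this page, not PingFederate's own code), the following evaluates a list of criteria the way the tab describes: every criterion must pass, the first failure returns its Error Result or ACCESS_DENIED, and an advanced expression that returns a string overrides the Error Result. The DN normalization, the treatment of an absent attribute, and all function and field names are assumptions.

```python
from typing import Any, Callable, Dict, List, Optional

DEFAULT_ERROR = "ACCESS_DENIED"  # returned when a failing criterion has no Error Result

def _norm_dn(value: str) -> str:
    # Assumed DN normalization: lowercase and trim whitespace around RDN separators.
    return ",".join(part.strip() for part in value.split(",")).lower()

def _as_list(value: Any) -> List[str]:
    # A runtime attribute may be absent, a single value, or a list of values.
    if value is None:
        return []
    return [str(v) for v in value] if isinstance(value, (list, tuple, set)) else [str(value)]

def _eq_for(condition: str) -> Callable[[str, str], bool]:
    # Pick the comparison from the condition name; otherwise values compare verbatim.
    if condition.endswith("DN"):
        return lambda a, b: _norm_dn(a) == _norm_dn(b)
    if condition.endswith("(case insensitive)"):
        return lambda a, b: a.lower() == b.lower()
    return lambda a, b: a == b

def criterion_satisfied(condition: str, runtime_value: Any, expected: str) -> bool:
    """True when one Issuance Criteria row passes for the given runtime attribute value."""
    eq, values = _eq_for(condition), _as_list(runtime_value)
    negated = "not" in condition.split()
    if condition.startswith("multi-value"):
        matched = any(eq(v, expected) for v in values)
    elif len(values) != 1:
        return False  # single-value condition on a multi-valued (or absent) attribute fails
    else:
        matched = eq(values[0], expected)
    return not matched if negated else matched

def evaluate(attributes: Dict[str, Any], criteria: List[dict], expressions=()) -> Optional[str]:
    """None when every criterion passes; otherwise the error result of the first failure.
    criteria: dicts with attribute, condition, value, optional error_result.
    expressions: (callable, error_result) pairs standing in for advanced mapping expressions."""
    for c in criteria:
        if not criterion_satisfied(c["condition"], attributes.get(c["attribute"]), c["value"]):
            return c.get("error_result") or DEFAULT_ERROR
    for expr, error_result in expressions:
        outcome = expr(attributes)
        if outcome is True:
            continue
        # A string result overrides the Error Result field; False falls back to it.
        return outcome if isinstance(outcome, str) else (error_result or DEFAULT_ERROR)
    return None
```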