PingID Administration Guide

Configuring a PingFederate policy for secondary authentication

PingID can serve as the secondary authentication source for PingFederate.

Before you begin

Before configuring PingID for secondary authentication:

About this task

After you have created the relevant IdP and PingID adapters, create a PingFederate policy contract, and then create a PingFederate policy for secondary authentication.

If you are running PingFederate 9.0 or earlier, you’ll need to create a composite adapter rather than a PingFederate policy. See Configuring a composite adapter.

Steps

  1. In PingFederate, create an Authentication Policy Contract.

    For more information, see Manage policy contracts.

    1. Go to Authentication → Policies → Policy Contracts.

    2. Click Create New Contract.

    3. In the Contract Name field, enter a name for the policy contract, and then click Next.

    4. On the Contract Attributes tab, for each attribute you want to add, type the name of the attribute and then click Add.

      For a list of PingID attributes, see PingID authentication attributes.

    5. To advance to the Summary tab and review the contract, click Next, and then click Save.

  2. Create a PingFederate authentication policy.

    For more information, see Policies.

    1. Go to Authentication → Policies → Policies.

    2. Select the IdP Authentication Policies box, and then click Add Policy.

    3. In the Name field, enter a meaningful name for the authentication policy.

    4. From the Policy dropdown, select IdP Adapters, and then select your IdP Adapter from the list (for example, the HTML Form Adapter).

      Result:

      The IdP Adapter is added to the PingFederate policy tree.

    5. In this new branch, perform the following.

      • From the Fail list, select Done.

      • From the Success list, select IdP Adapters, and then select your PingID Adapter instance.

        Result:

        A new PingID Adapter branch is created under the Success list.

    6. Under the PingID Adapter branch field, click Options, and in the Incoming User ID window, perform the following.

      • From the Source list, select the IdP adapter.

      • From the Attribute list, select username.

      • Select the User ID Authenticated check box.

      • To close the window, click Done.

    7. In the new PingID Adapter branch, perform the following.

      • From the Fail list, select Done.

      • From the Success list, select Policy Contract, and then select the policy contract you created earlier.

    8. Under the PingID Adapter Success field, click Contract Mapping.

    9. Complete the relevant contract mapping.

      For more information on contract mapping, see Configuring contract mapping. For a list of attributes that can be used upon successful authentication with PingID, see PingID authentication attributes.

    10. To enable the policy, select the check box, and then click Save.

      Result:

      You return to the Policy window.

    11. Click Done.

  3. Add any further configurations, for example:

    Choose from:
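
The policy tree built in step 2 can be checked for branches that reach the policy contract without both adapters succeeding, or for a PingID branch missing the step 6 settings. The following Python is an added example, not part of the PingID documentation or PingFederate tooling; the dict layout and the names HTMLFormAdapter, PingIDAdapter and ExampleContract are assumptions, not PingFederate's export or API format.

```python
# Constructed model of the policy tree from step 2. The dict layout and all
# names are hypothetical; this is not PingFederate's export or API format.
DONE = {"action": "done"}

def build_policy(pingid_fail=DONE, user_id_authenticated=True):
    """Tree as configured in steps 4-7, with two knobs for misconfiguration."""
    pingid = {
        "action": "adapter", "name": "PingIDAdapter", "kind": "pingid",
        # Step 6: Incoming User ID options
        "incoming_user_id": {"source": "HTMLFormAdapter", "attribute": "username",
                             "user_id_authenticated": user_id_authenticated},
        "fail": pingid_fail,                                           # step 7
        "success": {"action": "contract", "name": "ExampleContract"},  # step 7
    }
    return {"action": "adapter", "name": "HTMLFormAdapter", "kind": "first_factor",
            "fail": DONE, "success": pingid}                           # step 5

def audit(node, passed=()):
    """Walk every branch and return findings as a list of strings."""
    findings = []
    if node["action"] == "contract":
        kinds = {kind for kind, _ in passed}
        missing = {"first_factor", "pingid"} - kinds
        if missing:
            findings.append(f"{node['name']} reachable without: {sorted(missing)}")
    elif node["action"] == "adapter":
        if node["kind"] == "pingid":
            uid = node.get("incoming_user_id", {})
            if uid.get("source") not in {name for _, name in passed}:
                findings.append("PingID user ID not sourced from a passed adapter")
            if not uid.get("user_id_authenticated"):
                findings.append("User ID Authenticated is not selected")
        # Success branch counts this adapter as passed; Fail branch does not.
        findings += audit(node["success"], passed + ((node["kind"], node["name"]),))
        findings += audit(node["fail"], passed)
    return findings

if __name__ == "__main__":
    # Misconfiguration: PingID Fail mapped to the contract instead of Done.
    fail_open = build_policy(pingid_fail={"action": "contract", "name": "ExampleContract"})
    for label, tree in [("guide", build_policy()), ("fail-open", fail_open)]:
        print(label, audit(tree) or "OK")
```

The tree configured as the steps describe produces no findings; mapping the PingID Fail list to the policy contract instead of Done is reported as a contract reachable without PingID.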