Configuring a PingFederate policy for secondary authentication
PingID can serve as the secondary authentication source for PingFederate.
Before you begin
Before configuring PingID for secondary authentication:
- If an identity provider (IdP) adapter for primary authentication has not already been created, create one. For more information, see Configure an IdP adapter instance.
- If you want to configure the application name or application icon, do so in PingFederate. See Identifying the target application.
If you want to implement a FIDO passwordless authentication flow, see (Legacy) Configuring a PingFederate policy for passwordless authentication with FIDO biometrics.
About this task
After you have created the relevant IdP and PingID adapters, create a PingFederate policy contract, and then create a PingFederate policy for secondary authentication.
If you are running PingFederate 9.0 or earlier, you’ll need to create a composite adapter rather than a PingFederate policy. See Configuring a composite adapter.
Steps
- In PingFederate, create an Authentication Policy Contract.
  For more information, see Manage policy contracts.
  - Go to Authentication → Policies → Policy Contracts.
  - Click Create New Contract.
  - In the Contract Name field, enter a name for the policy contract, and then click Next.
  - On the Contract Attributes tab, for each attribute you want to add, type the name of the attribute and then click Add.
    For a list of PingID attributes, see PingID authentication attributes.
  - To advance to the Summary tab and to review the contract, click Next. Click Save.
- Create a PingFederate authentication policy.
  For more information, see Policies.
  - Go to Authentication → Policies → Policies.
  - Select the IdP Authentication Policies box, and then click Add Policy.
  - In the Name field, enter a meaningful name for the authentication policy.
  - From the Policy dropdown, select IdP Adapters, and then select your IdP Adapter from the list (for example, the HTML Form Adapter).
    Result: The IdP Adapter is added to the PingFederate policy tree.
  - In this new branch, perform the following.
    - From the Fail list, select Done.
    - From the Success list, select IdP Adapters, and then select your PingID Adapter instance.
      Result: A new PingID Adapter branch is created under the Success list.
  - Under the PingID Adapter branch field, click Options, and in the Incoming User ID window, perform the following.
    - From the Source list, select the IdP adapter.
    - From the Attribute list, select username.
    - Select the User ID Authenticated check box.
    - To close the window, click Done.
  - In the new PingID Adapter branch, perform the following.
    - From the Fail list, select Done.
    - From the Success list, select Policy Contract, and then select the policy contract you created earlier.
  - Under the PingID Adapter Success field, click Contract Mapping.
  - Complete the relevant contract mapping.
    For more information on contract mapping, see Configuring contract mapping. For a list of attributes that can be used upon successful authentication with PingID, see PingID authentication attributes.
  - To enable the policy, select the check box, and then click Save.
    Result: You return to the Policy window.
  - Click Done.
- Add any further configurations, for example:
  - Configure Browser SSO. For more information, see Configure IdP Browser SSO.
  - Configure OAuth settings. For more information, see OAuth configuration.
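The tree built by these steps has one property worth re-checking after any later policy edit: the policy contract is reachable only after the IdP adapter and then the PingID adapter both succeed, and every Fail branch ends in Done. The following Python is an added example, not Ping Identity code; it audits a simplified model of the tree, and the field names, adapter names and contract name are constructed assumptions rather than PingFederate's export or admin API schema.

```python
# Simplified policy-tree model constructed for this example. It is NOT
# PingFederate's export or admin API schema; all field names are hypothetical.
DONE = {"kind": "done"}

def adapter(name, fail, success, **options):
    return {"kind": "adapter", "name": name, "fail": fail,
            "success": success, "options": options}

def contract(name):
    return {"kind": "contract", "name": name}

def audit(tree, primary, pingid):
    """Return findings; an empty list means the tree matches the documented steps."""
    findings = []

    def walk(node, passed):
        if node["kind"] == "done":
            return
        if node["kind"] == "contract":
            # A contract may only be reached after both adapters succeeded, in order.
            if passed != [primary, pingid]:
                findings.append(f"contract '{node['name']}' reachable via {passed}")
            return
        name, opts = node["name"], node["options"]
        if node["fail"]["kind"] != "done":
            findings.append(f"Fail branch of '{name}' is not Done")
        if name == pingid:
            # Incoming User ID settings from the Options window.
            if opts.get("source") != primary or opts.get("attribute") != "username":
                findings.append("PingID incoming user ID is not the primary adapter's username")
            if not opts.get("user_id_authenticated"):
                findings.append("User ID Authenticated is not selected")
        walk(node["fail"], passed)               # Fail path: this adapter did not succeed
        walk(node["success"], passed + [name])   # Success path: record the adapter

    walk(tree, [])
    return findings

# Tree as built by the steps above (adapter and contract names are constructed).
GOOD = adapter("HTMLForm", DONE,
               adapter("PingID", DONE, contract("MFA-Contract"),
                       source="HTMLForm", attribute="username",
                       user_id_authenticated=True))

# Misconfiguration: the first factor maps straight to the contract; PingID never runs.
BAD = adapter("HTMLForm", DONE, contract("MFA-Contract"))

if __name__ == "__main__":
    for tree in (GOOD, BAD):
        print(audit(tree, "HTMLForm", "PingID"))
```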