Configuring a PingFederate policy for secondary authentication
PingID can serve as the secondary authentication source for PingFederate.
Before you begin
Before configuring PingID for secondary authentication:
-
If an identity provider (IdP) adapter for primary authentication wasn’t created yet, create one. Learn more in Configure an IdP adapter instance.
-
If you want to configure the application name or application icon, do so in PingFederate. Learn more in Identify the target application.
Using a username and multi-factor authorization (MFA) method as your primary authentication method can expose users to security risks like username enumeration, MFA fatigue attacks, targeted phishing, and denial-of-service incidents. To reduce exposure use a passwordless method such as FIDO2 biometrics for primary authentication.
Learn how to implement a FIDO2 passwordless authentication flow in Configuring a PingFederate policy for passwordless authentication with FIDO2 passkeys. Learn how to implement a passwordless flow using legacy methods in (Legacy) Configuring a PingFederate policy for passwordless authentication with FIDO biometrics.
About this task
After creating the relevant IdP and PingID adapters, create a PingFederate policy contract, and then create a PingFederate policy for secondary authentication.
|
If you’re running PingFederate 9.0 or earlier, you’ll need to create a composite adapter rather than a PingFederate policy. Learn more in Configuring a composite adapter. |
Steps
-
In PingFederate, create an Authentication Policy Contract.
Learn more in Managing policy contracts in the PingFederate documentation.
-
Go to Authentication > Policies > Policy Contracts.
-
Click Create New Contract.
-
In the Contract Name field, enter a name for the policy contract, and then click Next.
-
On the Contract Attributes tab, for each attribute you want to add, type the name of the attribute and then click Add.
You can find a list of PingID attributes in PingID authentication attributes.
-
To advance to the Summary tab and to review the contract, click Next. Click Save.
-
-
Create a PingFederate authentication policy.
Learn more in Policies in the PingFederate documentation.
-
Go to Authentication > Policies > Policies.
-
Select the IdP Authentication Policies box, and then click Add Policy.
-
In the Name field, enter a meaningful name for the authentication policy.
-
From the Policy dropdown, select IdP Adapters, and then select your IdP Adapter from the list (for example, the HTML Form Adapter).
Result:
The IdP Adapter is added to the PingFederate policy tree.
-
In this new branch, perform the following.
-
From the Fail list, select Done.
-
From the Success list, select IdP Adapters, and then select your PingID Adapter instance.
Result:
A new PingID Adapter branch is created under the Success list.
-
-
Under the PingID Adapter branch field, click Options, and in the Incoming User ID window, perform the following.
-
From the Source list, select the IdP adapter.
-
From the Attribute list, select username.
-
Select the User ID Authenticated checkbox.
-
To close the window, click Done.
-
-
In the new PingID Adapter branch, perform the following.
-
From the Fail list, select Done.
-
From the Success list, select Policy Contract, and then select the policy contract you created earlier.
-
-
Under the PingID Adapter Success field, click Contract Mapping.
-
Complete the relevant contract mapping.
Learn more about contract mapping in Configuring contract mapping in the PingFederate documentation. You can find a list of attributes that you can use upon successful authentication with PingID in PingID authentication attributes.
-
To enable the policy, select the checkbox, and then click Save.
Result:
You return to the Policy window.
-
Click Done.
-
-
Add any further configurations, for example:
Choose from:
-
Configure Browser single sign-on (SSO). Learn more in Configure IdP Browser SSO in the PingFederate documentation.
-
Configure OAuth settings. Learn more in OAuth configuration.
-