PingID Administration Guide

Configuring LDAP group behavior in RADIUS Server

About this task

You can use groups for a number of administrative purposes, for example:

  • Defining and restricting who can sign on to PingFederate.

  • Gradually introducing PingID multi-factor authentication (MFA) into your organization.

  • Creating user groups that are exempt from PingID MFA.

Steps

  1. Add an LDAP user group.

    Option: Add an LDAP user group that will require members to authenticate using PingID MFA

    1. In the LDAP Group Name section, click Add a new row to ‘Member of Groups’.

    2. Enter the CN value of the relevant LDAP group name, and click Update.

       Do not enter the full DN. For example, if the full DN is DN=CN=Android Users,OU=PingGroups,DC=intheory,DC=com, enter only the CN value, Android Users.

    3. Repeat the previous steps for all relevant LDAP groups.

       If no groups are defined in the RADIUS Server, group configuration is disregarded during authentication, even if the Check Groups option is enabled.

    Option: Add an LDAP group for users that you want to bypass MFA

    1. In the LDAP Group Name for Bypass section, click Add a new row to ‘Bypass Member of Groups’.

    2. Enter the CN of the relevant LDAP group name, then click Update.

    3. Repeat the previous steps for all relevant LDAP groups.

       Users included in a Bypass MFA LDAP group will not be prompted to authenticate using PingID, even if they are included in a Member of Groups LDAP group or the company policy requires MFA.

  2. Configure the groups by enabling or disabling the following options:

    • Check Groups (cleared by default): If selected, MFA is only performed if the user is a member of one of the groups defined in the Member of Groups section. If cleared, group configuration is ignored during authentication.

    • Check Bypass Groups (cleared by default): If selected, MFA is bypassed if the user is a member of one of the defined groups in the Member of Bypass Groups section. If cleared, Bypass groups are ignored, and the user is required to authenticate.

    • Fail Login if the User is Not Member of the LDAP Group: If selected, users who are not LDAP group members cannot sign on, and LDAP group members are always authenticated using PingID MFA. If cleared, only users who are members of a specified group are authenticated using PingID MFA; all other users are validated using LDAP authentication only.
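The following is an added example, not Ping Identity's code, that models the group rules above as a decision function so the interaction of the three options can be checked against sample memberOf values. It assumes a bypass group is evaluated before the Member of Groups check, that Fail Login only matters once group checking is actually in effect, and that CN comparison is case-insensitive; the group DNs other than the guide's Android Users example are constructed.

```python
import re
from enum import Enum
from typing import Iterable, Optional

class Decision(Enum):
    MFA = "mfa"              # user must complete PingID MFA
    LDAP_ONLY = "ldap_only"  # LDAP credential check only, no PingID prompt
    DENY = "deny"            # sign-on refused

_CN_RE = re.compile(r"^\s*CN=([^,]+)", re.IGNORECASE)

def cn_of(dn: str) -> Optional[str]:
    """Return the leading CN of a group DN ('CN=Android Users,OU=...' -> 'Android Users')."""
    m = _CN_RE.match(dn)
    return m.group(1).strip() if m else None

def looks_like_dn(name: str) -> bool:
    """Flag a configured group entry that is a DN instead of the bare CN the guide asks for."""
    return "=" in name

def decide(member_of: Iterable[str], member_groups: Iterable[str], bypass_groups: Iterable[str],
           check_groups: bool, check_bypass_groups: bool, fail_if_not_member: bool) -> Decision:
    # The RADIUS Server matches on CN only, so reduce the user's memberOf DNs to CNs (assumption: case-insensitive).
    user_cns = {cn.lower() for cn in map(cn_of, member_of) if cn}
    def in_any(names: Iterable[str]) -> bool:
        return any(n.lower() in user_cns for n in names)
    # Assumption: bypass wins over everything, since bypass members are never prompted for PingID.
    if check_bypass_groups and in_any(bypass_groups):
        return Decision.LDAP_ONLY
    # Check Groups cleared, or no groups defined at all: group configuration is disregarded and MFA applies.
    member_groups = list(member_groups)
    if not check_groups or not member_groups:
        return Decision.MFA
    if in_any(member_groups):
        return Decision.MFA
    # Non-member of every Member of Groups entry: Fail Login decides between refusal and LDAP-only validation.
    return Decision.DENY if fail_if_not_member else Decision.LDAP_ONLY

# Sample memberOf values: the first is the DN quoted in the guide, the other two are constructed.
ANDROID = "CN=Android Users,OU=PingGroups,DC=intheory,DC=com"
BYPASS = "CN=MFA Bypass,OU=PingGroups,DC=intheory,DC=com"
STAFF = "CN=Staff,OU=PingGroups,DC=intheory,DC=com"

if __name__ == "__main__":
    print(decide([STAFF], ["Android Users"], [], True, False, True))          # Decision.DENY
    print(decide([ANDROID, BYPASS], ["Android Users"], ["MFA Bypass"], True, True, True))  # Decision.LDAP_ONLY
```

The last case worth running is a Member of Groups entry configured with the full DN instead of the CN: it never matches, so with Fail Login selected every user is refused.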