Configuring multiple access mode
Enter these settings in PingFederate to configure multiple access mode.
Before you begin
Multiple access mode is supported from the following software versions:
- PingFederate 9.2 or later
- PingID Integration Kit 2.6 (PingID Adapter 2.5)
Steps
- Configure PingFederate to determine whether the accessing device is organization-owned, and whether it is a private or shared device. Choose from the following methods to obtain this information:
  - Reference the source IP address. For more information, see Configure the CIDR Authentication Selector.
  - Inspect the global HTTP header. For more information, see Configure the HTTP Header Authentication Selector.
  - Use information returned by a mobile device management (MDM) system. Refer to the documentation for the following MDM Integration Kits available for PingFederate:
    - MobileIron: Configuring MobileIron for PingID MDM integration
    - Workspace ONE UEM (formerly known as AirWatch): Configuring Workspace ONE UEM for PingID MDM integration
  - Inspect the distinguished name (DN) of the accessing device.
- Configure multiple access mode.
  - Download the PingID properties file. For more information, see Managing the PingID properties file for PingFederate.
  - Create an HTML form adapter instance. Refer to HTML Form Adapter and Configure an HTML Form Adapter instance in the PingFederate admin guide. Make sure that:
    - Session State is set to None.
    - The Enable 'This is my device' box is selected.
  - Configure authentication sessions for the HTML Form Adapter. For more information, see Configure authentication sessions.
  - Create a PingID adapter instance. For more information, see Configuring a PingFederate policy for secondary authentication. Make sure that:
    - Type is set to PingID Adapter 2.5 or later, to support multiple access mode.

    The multiple access mode capability requires PingFederate Authentication Policies rather than the Composite adapter:
    - Create an Authentication Policy Contract (APC). For more information, see Policy contracts.
    - Create an authentication policy for the PingID adapter. For more information, see Policies.
Result
The following table summarizes the main flows, based on the attributes of the accessing device. These attributes are assessed to determine the use case, and whether the device is organization-owned, single or multi-user, or whether these attributes are unknown:
| Accessing device attributes | | | Process flow | |
|---|---|---|---|---|
| Use case scenario | Organization-owned device | Single/Multiple user device | HTML login form presents 'This is my device' checkbox | Session information saved |
| | Yes | Single user | No | Yes |
| | Yes | Multiple users | No | No |
| These devices may be either organization-owned or privately owned. Since PingFederate cannot determine whether the access device is private or shared, the user is prompted at login to indicate the device status. | In this use case, the behavior is identical regardless of whether or not the access device is organization-owned. | Unknown whether single or multiple user device, when PingFederate presents the HTML login form | Yes | Depends on the user’s response: |