Configuring an Identifier First Adapter instance to determine user populations - PingFederate - 10.2


Configure an Identifier First Adapter instance using the sample use case provided to determine user populations based on user identifiers, usernames, and an authentication policy to route sign-on requests to authentication sources tailored for their respective user populations.

This task and sample use case involve the following configurations using the administrative console:

  • An expression-enabled environment. See step 1.
  • An authentication policy contract to carry the email address from your organization to your partners. See step 2.
  • A Java Database Connectivity (JDBC) datastore connecting to the database that hosts username, email, and domain information. See step 4.
  • An Identifier First Adapter instance with an attribute source lookup configuration and a contract fulfillment through expressions for the domain adapter attribute. See step 7.
  • An authentication policy to route user requests to different authentication sources based on user populations. See step 9.

To configure a policy for multiple user populations:

  1. Enable expressions in .

    For configuration steps, see Enabling and disabling expressions.

  2. Go to Authentication > Policies > Policy Contracts.
  3. To create an authentication policy contract without any additional attributes, click Create New Contract.
  4. Go to System > Data & Credential Stores > Data Stores.
  5. In the Data Stores page, click Add New Data Store.
  6. On the Data Store Type tab:
    1. In the Name field, enter a name.
    2. To create a JDBC datastore connection to the database that hosts username and domain information, in the Type list, select Database (JDBC).
  7. Create an Identifier First Adapter instance:
    1. Follow steps 1 through 6 in Configuring an Identifier First Adapter instance.

      For this sample use case, name the adapter instance ID 1st.

  8. Go to Applications > Integration > Adapter-to-Adapter Mappings.
    1. In the Source Instance and Target Instance lists, select appropriate adapters and click Add Mapping.
    2. On the Attribute Sources & User Lookup tab, click Add Attribute Source.
      Note:

      For more information about configuring the following steps, see Datastore query configuration.

      1. On the Data Store tab, enter an ID in the Attribute Source ID field and a name in Attribute Source Description, such as domainInfo and Domain Info, respectively.
      2. In the Active Data Store list, select the JDBC datastore that you created previously. Click Next.
      3. On the Database Table and Columns tab, select the applicable options in the Schema and Table lists.
      4. In the Columns to return from Select list, select dsDomain, and click Add Attribute. Click Next.
      5. On the Database Filter tab, in the Where field, specify a filter to search by an identifier that can handle identifiers in the format of an email address or a username, such as dsUid='${subject}' OR dsMail='${subject}'. Click Next.
      6. On the Summary tab, click Done.
    3. Go to the Adapter Contract Fulfillment tab and configure the following.
      SP Adapter Contract   Source       Value
      domain                Expression   #this.get("domain").toString().matches("(?i).+") ?
                                         #this.get("domain") :
                                         #this.get("ds.domainInfo.dsDomain")
      subject               Adapter      Not applicable. No selection is required.

      Note:

      Line breaks in the expression are inserted for readability only.

      The expression checks the domain attribute value returned by the Identifier First Adapter. If that value contains one or more characters, the expression uses it as the value for the domain attribute. Otherwise, it uses the dsDomain column value returned from the JDBC datastore. In other words, the expression handles identifiers in the format of either an email address or a username.

      Note:

      This sample expression is intended to demonstrate the capability of the Identifier First Adapter. Depending on the actual use cases, expressions might vary.

      For more information about expressions, see Construct OGNL expressions.

    4. Click Next.
    5. On the Issuance Criteria tab, click Next.
      Note:

      Depending on the actual use case, you can add issuance criteria as needed.

    6. On the Adapter-to-Adapter Summary tab, review your configuration and click Save to save your changes and exit the adapter instance configuration.
  9. Create an authentication policy with rules to form policy paths based on results from domain attribute values returned by the Identifier First Adapter:
    1. Go to Authentication > Policies > Policies.
    2. On the Policies tab, click Add Policy.
    3. In the Policy page, enter a Name, and optionally a Description for the policy.
    4. In the Policy section list, select the Identifier First Adapter instance created in step 7.
    5. Click Rules to open the Rules modal.
      1. Add three policy rules as follows.
        Attribute Name   Condition   Value          Result
        domain           equal to    example.com    Example COM
        domain           equal to    example.org    Example ORG
        domain           equal to    example.info   Example INFO

        Note:

        Add one rule for each expected domain attribute value.

      2. Clear the Default to Success check box. This disables the option to specify a policy path for the scenario where the domain attribute value returned by the Identifier First Adapter instance doesn't match any value configured on the Rules modal.

        If you want to enable an authentication policy path for unexpected domain attribute values, leave the Default to Success check box selected.

        For more information about rules, see Configuring rules in authentication policies.

      3. Click Done to close the Rules modal.

        By adding three policy rules and disabling the Default to Success option, the Identifier First Adapter instance policy configuration should contain four policy paths: Fail, Example COM, Example ORG, and Example INFO.

    6. Click Options to open the Incoming User ID modal.
      1. In the Source list, select Adapter (ID 1st).
      2. In the Attribute list, select subject.
      3. Click Done to close the Incoming User ID modal.

      For more information, see Specifying incoming user IDs.

    7. Configure the four policy paths as follows:
      Fail
      Click Done, which terminates the request in an error condition.
      Example COM
      Select the HTML Form Adapter instance, which contains two paths: Fail and Success.
      Configure each policy path as follows:
      Fail
      Click Done, which terminates the request in an error condition.
      Success
      In the list, select the policy contract created in step 2.
      Example ORG (and then Example INFO)
      Select the OpenToken IdP Adapter instance, which contains two paths: Fail and Success.
      Configure each policy path by using the same steps documented for the Example COM policy path.
    8. In the Success section, click Contract Mapping to open the Authentication Policy Contract Mapping window.
      1. Go to the Contract Fulfillment tab to configure the contract fulfillment for each authentication policy contract as follows.
      Result from rules   Adapter Contract   Source                   Value
      Example COM         subject            Adapter (htmlForm)       mail
      Example ORG         subject            Adapter (openTokenIdp)   mail
      Example INFO        subject            Adapter (openTokenIdp)   mail

      For more information, see Configuring contract mapping.

    9. Click Done. Click Save.

You have successfully configured an Identifier First Adapter instance and an authentication policy to prompt the user for their identifier first, determine their user population, and route the request to the desired authentication policy path.
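The routing logic that steps 8 and 9 configure, as an added example that is not PingFederate code and is not part of this guide: a Python model of the attribute source lookup (the dsUid/dsMail filter, expressed as a parameterized SQLite query), the domain contract fulfillment expression, the three domain rules, and the effect of the Default to Success check box on the resulting policy paths. The user table and its rows, the function names, and the way the adapter's own domain attribute is derived (the part of an email-shaped identifier after "@", empty for a bare username) are assumptions constructed for the example; rule matching is modeled as exact string equality.

```python
"""Model of the identifier-first routing configured in steps 8 and 9.

Added example, not PingFederate code. The datastore, the rows in it and the
adapter behaviour are constructed assumptions; rule and path names come from
the procedure above.
"""
import sqlite3

# Constructed sample data standing in for the JDBC datastore of step 4:
# (dsUid, dsMail, dsDomain). Not from the page.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "example.com"),
    ("bob", "bob@example.org", "example.org"),
    ("carol", "carol@example.info", "example.info"),
    ("dave", "dave@example.net", "example.net"),
]

# Policy rules from step 9.5: "domain equal to <value>" -> result (path name).
RULES = {
    "example.com": "Example COM",
    "example.org": "Example ORG",
    "example.info": "Example INFO",
}

# Authentication source selected on each policy path in step 9.7.
PATH_SOURCE = {
    "Example COM": "HTML Form Adapter",
    "Example ORG": "OpenToken IdP Adapter",
    "Example INFO": "OpenToken IdP Adapter",
}


def build_datastore():
    """In-memory SQLite table playing the role of the JDBC datastore."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (dsUid TEXT PRIMARY KEY, dsMail TEXT UNIQUE, dsDomain TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def identifier_first_adapter(subject):
    """Assumed adapter output: 'domain' is the part after '@' for an
    email-shaped identifier and empty for a bare username."""
    domain = subject.rsplit("@", 1)[1] if "@" in subject else ""
    return {"subject": subject, "domain": domain}


def lookup_domain(conn, subject):
    """Attribute source lookup of step 8.2: the page's filter
    dsUid='${subject}' OR dsMail='${subject}', here as a parameterized query
    returning the dsDomain column (None when no row matches)."""
    row = conn.execute(
        "SELECT dsDomain FROM users WHERE dsUid = ? OR dsMail = ?", (subject, subject)
    ).fetchone()
    return row[0] if row else None


def fulfill_domain(adapter_attrs, ds_domain):
    """Contract fulfillment expression of step 8.3: keep the adapter's domain
    when it matches "(?i).+" (one or more characters), otherwise fall back to
    ds.domainInfo.dsDomain."""
    adapter_domain = adapter_attrs.get("domain") or ""
    return adapter_domain if adapter_domain else ds_domain


def policy_paths(rules, default_to_success=False):
    """Paths the policy exposes: Fail, one per rule result, plus Success when
    Default to Success is left selected (step 9.5.2)."""
    paths = ["Fail"] + list(rules.values())
    if default_to_success:
        paths.append("Success")
    return paths


def route(conn, subject, default_to_success=False):
    """Run one sign-on request through the modelled policy and report the
    domain value, the chosen path and its authentication source."""
    attrs = identifier_first_adapter(subject)
    domain = fulfill_domain(attrs, lookup_domain(conn, subject))
    path = RULES.get(domain)
    if path is None:
        # No rule matched: Fail when Default to Success is cleared,
        # otherwise the Success path handles the unexpected domain.
        path = "Success" if default_to_success else "Fail"
    return {"subject": subject, "domain": domain, "path": path,
            "source": PATH_SOURCE.get(path)}


if __name__ == "__main__":
    db = build_datastore()
    print(policy_paths(RULES))
    for ident in ("alice", "bob@example.org", "dave", "nobody"):
        print(route(db, ident))
```

Running the module prints the four paths from step 9.5.3 and then routes a username, an email-shaped identifier, a user from a domain without a rule, and an unknown identifier; the last two land on the Fail path because Default to Success is cleared.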