The Extended Property Authentication Selector enables PingFederate to choose configured authentication sources or other selectors based on a match found between a selector result value and an extended property value from the invoking browser-based SSO connection or OAuth client.
- Go to to open the Selectors window.
- On the Selectors window, click Create New Instance to start the Create Authentication Selector Instance workflow.
- On the Type tab, configure the basics of this authentication selector instance.
- On the Authentication Selector tab, select a property from the Extended Property list.
Note: The extended property is the property that this selector instance should look for from the invoking connection or client. The selector compares the populated property value, or values if it is a multivalued extended property, against the selector result values defined in this selector instance.
- On the Selector Result Values tab, specify one or more expected result values.
- Enter the exact, case-sensitive value under Result Values and click Add.
- Optional: Add more values to differentiate criteria for authentication selection.
Display order might matter. Expected result values are always sorted alphabetically in ascending order here. When you place this selector instance as a checkpoint in an authentication policy, each selector result value forms a policy path. The display order of the resulting policy paths matches the display order here, which may impact the policy outcome. When the policy engine reaches this selector instance, the selector evaluates the result values from top to bottom. As soon as it finds a match, it exits and returns true. The matching mechanism varies, depending on the type of the extended property selected in step 4.
- Matching mechanism for single-value extended properties
- The selector compares the property value populated in the invoking connection or client against the configured selector result value. When multiple selector result values exist, the selector starts from the top. If the current selector result value is a case-sensitive exact match, it returns true and exits. Otherwise, it moves on to the next selector result value and tries again.
- For example, assume this selector instance, named ExtProps, is configured with expected result values of Alpha, Bravo, and Charlie. The invoking connection is populated with an extended property value of Bravo, and this selector instance is placed as a checkpoint in an authentication policy as follows.
ExtProps
+--Alpha
|  <policy path>
|
+--Bravo
|  <policy path>
|
+--Charlie
   <policy path>
- Given this setup, the selector returns true and exits when it reaches the second selector result value. The policy engine regains control of the request and proceeds with the policy path configured for the selector result value of Bravo.
- Matching mechanism for multivalued extended properties
- The selector compares the property values populated in the invoking connection or client against the configured selector result value. If any one of the property values from the invoking connection or client is a case-sensitive exact match, the selector returns true and exits. When multiple selector result values exist, the selector starts from the top. If the current selector result value is a case-sensitive exact match to any one of the property values from the invoking connection or client, it returns true and exits. Otherwise, it moves on to the next selector result value and tries again.
- For example, assume the previous selector instance remains. The invoking connection is populated with extended property values of Alpha and Charlie, and this selector instance remains as a checkpoint in an authentication policy.
- In this scenario, the selector returns true and exits when it reaches the first selector result value. The policy engine regains control of the request and proceeds with the policy path configured for the selector result value of Alpha. Even though Charlie, the expected selector result value, is also a case-sensitive exact match to Charlie, one of the property values from the invoking connection, the selector has already exited and returned control to the policy engine when it reaches Alpha, so the policy engine will never execute the policy path configured for the selector result value of Charlie.
Use the Edit, Update, and Cancel workflow to make or undo a change to an existing entry. Click Delete to remove an entry.
- Complete the configuration.
- On the Summary tab, click Done.
- On the Selectors window, click Save.
Example
- Go to .
- On the Extended Properties window, define a multivalued extended property, and name it configStatus.
- Create an SP connection with the following characteristics:
  - On the Extended Properties window, add two values for the configStatus extended property: DEV and TEST.
  - On the Attribute Source Mapping window, map an authentication policy contract to the service provider (SP) connection. The policy contract name is APC.
- Create an instance of the Extended Property Authentication Selector with the following characteristics:
  - On the Type tab, name the selector instance ExtProps.
  - On the Authentication Selector tab, select configStatus from the list.
  - On the Selector Result Values tab, enter DEV and TEST.
- Create and activate the following identity provider (IdP) authentication policy.
ExtProps
+--DEV
|  OpenToken
|  +--Fail: Done
|  +--Success: APC
|
+--TEST
   HTML
   +--Fail: Done
   +--Success: APC
Configure each APC to fulfill values obtained from its preceding adapter instance.
When processing SSO requests intended for this SP connection, because the policy engine is able to match one of the populated property values, DEV, from the SP connection to the first selector result value, also DEV, it will always invoke the OpenToken IdP Adapter instance based on the DEV policy path. The TEST policy path is never executed for this SP connection.
On the other hand, if you remove DEV, an extended property value, from the SP connection, the policy engine will route SSO requests intended for this SP connection to the HTML Form Adapter instance based on the TEST policy path. The DEV policy path is never executed for this SP connection.
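As an added example (not PingFederate's own code), the following Python models the top-to-bottom, case-sensitive selection walk described under the matching mechanisms above and in this Example, for both single-value and multivalued properties. The function names are hypothetical, and plain lexicographic ordering is assumed for the alphabetical display order of result values.

```python
# Added example, not PingFederate code: a model of how the Extended Property
# Authentication Selector walks its result values and picks one policy path.
# Function and variable names are hypothetical.
from typing import Dict, Iterable, List, Optional, Union

PropertyValue = Union[str, Iterable[str], None]


def selector_result_values(configured: Iterable[str]) -> List[str]:
    """Configured result values in display order: the page says they are
    sorted alphabetically in ascending order (plain lexicographic order is
    assumed here). Duplicates collapse to one entry."""
    return sorted(set(configured))


def select_path(result_values: List[str], property_value: PropertyValue) -> Optional[str]:
    """Walk result values top to bottom and return the first one that is a
    case-sensitive exact match against the invoking connection's property
    value (a str for a single-valued property, a list for a multivalued one).
    Returns None when nothing matches, i.e. the selector returns false."""
    if property_value is None:
        return None
    populated = [property_value] if isinstance(property_value, str) else list(property_value)
    for candidate in result_values:
        if candidate in populated:  # exact match: first hit wins, later ones are never reached
            return candidate
    return None


def route(policy: Dict[str, str], property_value: PropertyValue) -> Optional[str]:
    """policy maps each selector result value (a policy path) to the adapter
    instance that path invokes; returns the adapter the engine would run."""
    path = select_path(selector_result_values(policy), property_value)
    return policy[path] if path is not None else None


if __name__ == "__main__":
    # Scenario from the matching-mechanism description: ExtProps with Alpha, Bravo, Charlie.
    order = selector_result_values(["Charlie", "Alpha", "Bravo"])
    print(order, "->", select_path(order, "Bravo"))               # single-valued: Bravo
    print(order, "->", select_path(order, ["Charlie", "Alpha"]))  # multivalued: Alpha, never Charlie
    # Scenario from the Example section: configStatus DEV/TEST on the SP connection.
    policy = {"DEV": "OpenToken IdP Adapter", "TEST": "HTML Form Adapter"}
    print(route(policy, ["DEV", "TEST"]))  # OpenToken IdP Adapter
    print(route(policy, ["TEST"]))         # HTML Form Adapter after DEV is removed
    print(route(policy, ["dev"]))          # None: case-sensitive, so no path is taken
```

The last call shows why a value that differs only in case never routes anywhere: the selector returns false and no policy path under it is taken.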