The CIDR Authentication Selector enables PingFederate to choose configured authentication sources or other selectors based on the IP address of an incoming SSO request. Use this selector in one or more authentication policies to choose from authentication sources that share a similar level of assurance, such as among multiple HTML Form Adapter instances or between a Kerberos Adapter instance and an X.509 IdP Adapter instance. For example, use this selector in one or more authentication policies to route internal requests to a Kerberos Adapter instance.

  1. Click Identity Provider > Selectors to open the Manage Authentication Selector Instances screen.
  2. On the Manage Authentication Selector Instances screen, click Create New Instance to start the Create Authentication Selector Instance configuration wizard.
  3. On the Type screen, configure the basics of this authentication selector instance.
  4. On the Authentication Selector screen, click Add a new row to 'Networks' and enter a network range. Then, click Update.
    Sample IPv4 network range: enter 192.168.101.0/24 to cover 256 IPv4 addresses, ranging from 192.168.101.0 through 192.168.101.255.
    Sample IPv6 network range: enter 2001:db8::/123 to cover 32 IPv6 addresses, ranging from 2001:db8:: through 2001:db8::1f.
  5. Optional: Repeat the previous step to add more network ranges.
    Display order does not matter.
    Tip:

    If you want to include all IPv4 addresses for testing, add two separate ranges: 0.0.0.0/1 and 128.0.0.0/1. The CIDR Authentication Selector interprets a specification of 0.0.0.0/0 as an empty range rather than as a wildcard for all addresses.

    Use the Edit, Update, and Cancel workflow to make or undo a change to an existing entry. Use the Delete and Undelete workflow to remove an existing entry or cancel the removal request.

  6. Optional: Enter a Result Attribute Name value.
    This field provides a way to indicate in the SAML assertion whether a network range was matched during processing; the value is either Yes or No. Any authentication source reached as a result of this selector must have its attribute contract extended with the value of the Result Attribute Name field before that value can be used to fulfill an attribute contract or in issuance criteria.
  7. To complete the configuration:
    1. Click Done on the Summary screen.
    2. Click Save on the Manage Authentication Selector Instances screen.

When you place this selector instance as a checkpoint in an authentication policy, it forms two policy paths: Yes and No. If the IP address of an incoming SSO request matches one of the defined network ranges, the selector returns true. The policy engine regains control of the request and proceeds with the policy path configured for the result value of Yes. If the IP address of an incoming SSO request matches none of the defined network ranges, the selector returns false. The policy engine regains control of the request and proceeds with the policy path configured for the result value of No.
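The evaluation described above, and the behaviour noted in the tip about 0.0.0.0/0, as an added example that is not PingFederate's own code: a small Python model of the selector that parses the configured network ranges, decides the Yes or No policy path for a request IP, and emits the optional result attribute. The network strings, the attribute name cidrMatched and the request IPs are constructed for illustration; treating 0.0.0.0/0 as an empty range mirrors the documented behaviour, and how ::/0 is handled is not stated on the page, so this model does not special-case it.

```python
"""Model of CIDR Authentication Selector evaluation (added example, not PingFederate code)."""
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample configuration mirroring the two ranges in the procedure above.
SAMPLE_NETWORKS = ["192.168.101.0/24", "2001:db8::/123"]


def parse_networks(ranges: Iterable[str]) -> List[Network]:
    """Parse the entries of the 'Networks' table into network objects.

    Per the tip above, 0.0.0.0/0 is an empty range rather than a wildcard,
    so this model drops it. Display order does not matter, so the list is
    kept in the order given. Malformed entries raise ValueError.
    """
    networks: List[Network] = []
    for entry in ranges:
        net = ipaddress.ip_network(entry.strip())
        if net.version == 4 and net.prefixlen == 0:
            continue  # documented: 0.0.0.0/0 matches nothing
        networks.append(net)
    return networks


def matches(client_ip: str, networks: List[Network]) -> bool:
    """Return True when the request's IP falls inside any configured range.

    ipaddress handles the IPv4/IPv6 mismatch: an address of one version is
    never contained in a network of the other.
    """
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def select_path(client_ip: str, networks: List[Network],
                result_attribute: Optional[str] = None) -> dict:
    """Evaluate the selector as a policy checkpoint.

    Returns the policy path ("Yes" or "No") and, when a Result Attribute Name
    is configured, the same value under that attribute name so a downstream
    authentication source can pick it up from its extended attribute contract.
    """
    path = "Yes" if matches(client_ip, networks) else "No"
    result = {"path": path}
    if result_attribute:
        result[result_attribute] = path
    return result


def covers_all_ipv4(networks: List[Network]) -> bool:
    """Check the tip's workaround: 0.0.0.0/1 plus 128.0.0.0/1 spans all of IPv4."""
    v4 = [n for n in networks if n.version == 4]
    return list(ipaddress.collapse_addresses(v4)) == [ipaddress.ip_network("0.0.0.0/0")]


if __name__ == "__main__":
    nets = parse_networks(SAMPLE_NETWORKS)
    # Constructed request IPs: two inside the ranges, two just outside.
    for ip in ["192.168.101.77", "192.168.102.1", "2001:db8::1f", "2001:db8::20"]:
        print(ip, select_path(ip, nets, "cidrMatched"))
    print("0.0.0.0/0 parses to", parse_networks(["0.0.0.0/0"]))
    print("two /1 halves cover IPv4:", covers_all_ipv4(parse_networks(["0.0.0.0/1", "128.0.0.0/1"])))
```

Running the script shows the boundary behaviour worth checking when you configure the selector: 2001:db8::1f is the last address of the /123 and takes the Yes path, while 2001:db8::20 takes the No path, and the single 0.0.0.0/0 entry yields no networks at all.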