The Session Authentication Selector enables PingFederate to choose a policy path at runtime based on whether the user already has a PingFederate authentication session for a particular source. The following sample setup demonstrates one of the common use cases.

You are tasked with enforcing authentication requirements on two categories of SP connections:

  • For high-value connections, users must authenticate via the X.509 Adapter followed by the PingID Adapter.
  • For low-value connections, users can authenticate via the HTML Form Adapter or the X.509 Adapter followed by the PingID Adapter.

You have already created the following components:

  • An authentication policy contract.
  • Multiple SP connections. All connections use the same authentication policy contract as their sole authentication source.
  • Instances of the required adapters.
  • An instance of the Connection Set Authentication Selector to isolate high-value connections from the rest of the connections.

To fulfill this use case, follow these configuration steps:

  1. Go to the Identity Provider > Selectors screen.
  2. Create an instance of the Session Authentication Selector to account for authentication sessions acceptable for low-value connections.
    1. Click Create New Instance.
    2. On the Type screen, enter a name (for example, Sessions for low-value connections) and an ID; then select Session Authentication Selector from the list.
    3. On the Authentication Selector screen, leave the Enable 'No Session' Result Value check box clear; then configure the following authentication source-to-result value entries.
      Authentication source (adapter instance name)   Result value (policy path label)
      HTML                                            SSO
      X.509                                           Mutual TLS and MFA

      The following screen capture illustrates the setup.

      A screen capture illustrating the selector setup.
    4. On the Summary screen, click Done.
    5. On the Manage Authentication Selector Instances screen, click Save to keep the newly configured authentication selector instance.
  3. Go to the Identity Provider > Policies screen.
  4. Define an authentication policy for high-value connections.
    1. Click Add Policy.
    2. Enter a name for the policy; for example, High-value connections.
    3. Under Policy, select the instance of the Connection Set Authentication Selector that isolates high-value connections from the rest.
    4. For the No policy path, select Continue.
    5. For the Yes policy path, select the X.509 Adapter instance.
    6. For the X.509 Adapter instance > Fail policy path, select Done.
    7. For the X.509 Adapter instance > Success policy path, select the PingID Adapter instance.
    8. Click Options underneath the PingID Adapter instance and select the X.509 Adapter instance as the source and username as the attribute on the Incoming User ID screen.
      Tip:

      This step is applicable only to adapters that support a user identifier to be passed in from an earlier authentication source. The PingID Adapter requires this user identifier. For more information, see Specifying an incoming user ID.

    9. For the X.509 Adapter instance > Success > PingID Adapter instance > Fail policy path, select Done.
    10. For the X.509 Adapter instance > Success > PingID Adapter instance > Success policy path, select the authentication policy contract.
    11. Complete the contract mapping for the authentication policy contract.

      The following screen capture illustrates the policy created for high-value connections.

      A screen capture illustrating the sample policy for high-value connections.
    12. Click Done.
  5. Define an authentication policy for low-value connections.
    1. Click Add Policy.
    2. Enter a name for the policy; for example, Low-value connections.
    3. Under Policy, select the instance of the Session Authentication Selector (see step 2).
    4. For the SSO policy path, select the HTML Form Adapter instance.
    5. For the HTML Form Adapter instance > Fail policy path, select Done.
    6. For the HTML Form Adapter instance > Success policy path, select the authentication policy contract.
    7. Complete the contract mapping for the authentication policy contract.
    8. For the Mutual TLS and MFA policy path, select the X.509 Adapter instance.
    9. For the X.509 Adapter instance > Success policy path, select the PingID Adapter instance.
    10. Click Options underneath the PingID Adapter instance and select the X.509 Adapter instance as the source and username as the attribute on the Incoming User ID screen.
      Tip:

      This step is applicable only to adapters that support a user identifier to be passed in from an earlier authentication source. The PingID Adapter requires this user identifier. For more information, see Specifying an incoming user ID.

    11. For the X.509 Adapter instance > Success > PingID Adapter instance > Fail policy path, select Done.
    12. For the X.509 Adapter instance > Success > PingID Adapter instance > Success policy path, select the authentication policy contract.
    13. Complete the contract mapping for the authentication policy contract.
      The following screen capture illustrates the policy created for low-value connections.
      A screen capture illustrating the sample policy for connections related to office maintenance.
    14. Click Done.
    15. Select the IdP Authentication Policies check box to activate authentication policies for IdP Browser SSO requests, adapter-to-adapter requests, and browser-based OAuth authorization code and implicit flows.

      The following screen capture illustrates the policies created for this sample use case.

      A screen capture illustrating the policies created for this sample use case.
  6. Click Save to keep the newly configured authentication policies.
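The following Python model traces how the two policies above route a request; it is an added illustration written for this page, not PingFederate code. The connection IDs, the adapter outcomes, and the rule that the Session Authentication Selector (with 'No Session' disabled) takes the first mapping that has a live session and otherwise falls through to the first mapping are assumptions of the model, not product behaviour taken from this page.

```python
# Added model of the sample's two policies; illustration only, not PingFederate code.
HIGH_VALUE = {"payroll-sp", "treasury-sp"}  # constructed Connection Set selector members
# Session selector mappings in the order entered on the Authentication Selector screen
SESSION_MAPPINGS = [("HTML", "SSO"), ("X.509", "Mutual TLS and MFA")]

def session_selector(sessions):
    """Assumption: first mapping with a live session wins; with 'No Session'
    disabled and no session at all, the first mapping's path is taken."""
    for source, path in SESSION_MAPPINGS:
        if source in sessions:
            return path
    return SESSION_MAPPINGS[0][1]

def run(adapter, sessions, results, trace):
    # A live PF session satisfies the adapter without re-prompting the user;
    # otherwise the constructed outcome in `results` decides (default Fail)
    trace.append(adapter)
    return "Success" if adapter in sessions else results.get(adapter, "Fail")

def x509_then_pingid(sessions, results, trace):
    # Fail on either step ends in Done without the contract; PingID takes its user ID from X.509
    for adapter in ("X.509", "PingID"):
        if run(adapter, sessions, results, trace) != "Success":
            return "Done:fail"
    return "Done:contract"

def high_value_policy(connection_id, sessions, results, trace):
    # Connection Set selector: No -> Continue to the next policy, Yes -> X.509 + PingID
    if connection_id not in HIGH_VALUE:
        return "Continue"
    return x509_then_pingid(sessions, results, trace)

def low_value_policy(connection_id, sessions, results, trace):
    path = session_selector(sessions)
    trace.append(f"selector:{path}")
    if path == "SSO":
        ok = run("HTML", sessions, results, trace) == "Success"
        return "Done:contract" if ok else "Done:fail"
    return x509_then_pingid(sessions, results, trace)

def evaluate(connection_id, sessions=(), results=None):
    """Policies run in the order defined; Continue hands the request to the next one.
    Returns (outcome, trace) where trace lists the selector and adapters that ran."""
    sessions, results, trace = set(sessions), dict(results or {}), []
    for policy in (high_value_policy, low_value_policy):
        outcome = policy(connection_id, sessions, results, trace)
        if outcome != "Continue":
            return outcome, trace
    return "Done:fail", trace
```

Running `evaluate("intranet-sp", sessions={"X.509"}, results={"PingID": "Success"})` shows the point of the selector: a user who already holds an X.509 session skips the HTML form but is still sent through PingID, while an HTML-only session never satisfies a high-value connection.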