Use this selector in one or more authentication policies to choose from authentication sources that share a similar level of assurance, such as among multiple HTML Form Adapters or between a Kerberos Adapter and an X.509 Adapter. For example, use this selector to choose an authentication source based on the user's browser identified by the User-Agent HTTP header.

Important:

We do not recommend using this selector to determine whether an authentication source with a higher level of assurance should be bypassed, because HTTP request headers can be forged.

  1. Click Identity Provider > Selectors to open the Manage Authentication Selector Instances screen.
  2. On the Manage Authentication Selector Instances screen, click Create New Instance to start the Create Authentication Selector Instance configuration wizard.
  3. On the Type screen, configure the basics of this authentication selector instance.
  4. On the Authentication Selector screen, click Add a new row to 'Results', enter an expression under Match Expression to match against the value of the target HTTP header, and click Update.
    Wildcard entries are allowed; for example, *value*.
  5. Optional: Repeat the previous step to add more expressions.
    Display order does not matter.

    Use the Edit, Update, and Cancel workflow to make or undo a change to an existing entry. Use the Delete and Undelete workflow to remove an existing entry or cancel the removal request.

  6. Enter the type of HTTP header you want the selector to inspect in the Header Name field.

    This field is not case-sensitive.

  7. Optional: Clear the Case-Sensitive Matching check box to disable case-sensitive matching between the HTTP header values from the requests and the Match Expression values specified on this screen.
    The Case-Sensitive Matching check box is selected by default.
  8. To complete the configuration:
    1. Click Done on the Summary screen.
    2. Click Save on the Manage Authentication Selector Instances screen.

When you place this selector instance as a checkpoint in an authentication policy, it forms two policy paths: Yes and No. If the value of the specified HTTP header matches one of the configured values, the selector returns true. The policy engine regains control of the request and proceeds with the policy path configured for the result value of Yes. If the value of the specified HTTP header matches none of the configured values, the selector returns false. The policy engine regains control of the request and proceeds with the policy path configured for the result value of No.

Example

To detect the most common browsers based on the User-Agent HTTP request header, configure an HTTP Header Authentication Selector instance as follows.

  1. Enter these entries under Match Expression.
    Browser             Expression
    Chrome              *Chrome*
    Firefox             *Firefox*
    Internet Explorer   *MSIE*
    Safari              *Safari*

    Tip (Internet Explorer): For more information, see User-agent string changes from Microsoft (msdn.microsoft.com/library/hh869301.aspx).
  2. Enter User-Agent in the Header Name field.
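
The following Python sketch models the Yes/No decision for the example configuration above, so you can check which requests each Match Expression catches before placing the selector in a policy. It is an added illustration, not PingFederate code. It assumes that `*` matches any run of characters and that a request without the header yields No; the function names and sample User-Agent values are constructed for this example.

```python
import re

# Match Expression values from the Example above.
EXPRESSIONS = ["*Chrome*", "*Firefox*", "*MSIE*", "*Safari*"]

def _compile(expr, case_sensitive):
    # Assumption: '*' matches any run of characters, everything else is literal.
    flags = re.DOTALL | (0 if case_sensitive else re.IGNORECASE)
    return re.compile(".*".join(re.escape(p) for p in expr.split("*")), flags)

def matching_expressions(headers, header_name, expressions, case_sensitive=True):
    """Return the expressions that match the named request header."""
    # Header Name is not case-sensitive, so compare names in lower case.
    values = [v for k, v in headers.items() if k.lower() == header_name.lower()]
    return [e for e in expressions
            if any(_compile(e, case_sensitive).fullmatch(v) for v in values)]

def selector_result(headers, header_name, expressions, case_sensitive=True):
    """'Yes' if any expression matches, else 'No' (absent header: No, by assumption)."""
    hits = matching_expressions(headers, header_name, expressions, case_sensitive)
    return "Yes" if hits else "No"

# Constructed sample User-Agent values.
CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
IE11 = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
SCRIPT = "curl/8.4.0"

if __name__ == "__main__":
    for label, ua in [("Chrome", CHROME), ("IE 11", IE11), ("script", SCRIPT)]:
        hdrs = {"user-agent": ua}  # header name differs in case from "User-Agent"
        print(label, selector_result(hdrs, "User-Agent", EXPRESSIONS),
              matching_expressions(hdrs, "User-Agent", EXPRESSIONS))
    # The decision depends only on the header value supplied with the request,
    # which is why the selector should not gate a higher-assurance source.
    low = {"User-Agent": CHROME.lower()}
    # Case-Sensitive Matching selected (default) versus cleared:
    print(selector_result(low, "User-Agent", EXPRESSIONS, True),
          selector_result(low, "User-Agent", EXPRESSIONS, False))
```

The Chrome sample matches both `*Chrome*` and `*Safari*`, and the Internet Explorer 11 sample matches none of the four expressions because it carries no `MSIE` token, so that request follows the No path.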