You can configure an SP authentication policy to enforce authentication requirements for an IdP connection. Consider the following example.
You are tasked to create an IdP connection to Alpha, which passes two attributes in its assertions, SAML_SUBJECT and samlEmail, on your PingFederate SP server. You are also asked to enforce multifactor authentication for users from Alpha through Bravo, a third-party IdP that returns only the SAML_SUBJECT attribute and requires a user ID to be passed in from the original source. Both Alpha and Bravo support SAML 2.0 and only the SP-initiated SSO profile.
You have already created an SP adapter instance using the Sample and sample, respectively. On the screen, the base URL for your PingFederate SP server is defined as https://sso.xray.local:9031. There are no other IdP connections besides those required to connect with Alpha and Bravo.
This example requires the following components:
- An SP adapter instance deployed, configured, and integrated with the target application.
- An IdP connection to the partner (step 1).
- An IdP connection to the third-party IdP that facilitates the multifactor authentication process (step 2).
- An authentication policy contract to carry user attributes from the partner to the target application (step 3).
- An SP authentication policy (step 4 and step 7).
- An adapter mapping between the authentication policy contract and the applicable SP adapter instance (step 5).
- An SP-initiated SSO URL (step 6).
To fulfill the requirements: