  1. Click Access and then go to Authentication > Authentication Challenge Policies.
  2. Click + Add Authentication Challenge Policy.
  3. In the Name field, enter a unique name for the authentication challenge policy.
  4. Optional: In the Description field, enter a description for the authentication challenge policy.
  5. Optional: From the Challenge Response Mapping list, select a mapping type.
    1. If you selected Content Negotiation, in the Media Types list, select one or more media types.

      If the Accept header field in the request matches any of the specified media types, the mapping is applied.

    2. If you selected Header Fields, click + Add Row to add one or more rows, and then enter a name and value pattern in the Name and Value Pattern fields for each row.

      If all of the specified header fields in the request match the specified value patterns, the mapping is applied.

  6. Configure a challenge response generator for the challenge response mapping.
    1. From the Challenge Response Generator list, select a challenge response generator.
      Challenge Response Generator / Description

      Browser-handled OIDC Authentication Request: Generates an HTML or 302 Redirect response as described by the Authentication challenge responses tables when SPA support is disabled.

      HTML OIDC Authentication Request: Generates a response with a 401 response code. The response body is an HTML document that automatically issues the OIDC authentication request using JavaScript. The HTML always attempts to preserve the fragment of the current browser URL and preserves a POST body if the Content-Type is application/x-www-form-urlencoded.

      OIDC Authentication Request Redirect: Generates a response with a 302 response code. The response body directs the browser to send an OIDC authentication request to the OpenID provider.

      PingFederate Authentication API Challenge: Generates a response with a 401 response code. The body is a JSON object that directs the application to connect to the PingFederate redirectless authorization API. The JSON object contains three strings:
      • authorizationUrl represents the OIDC authentication request.
      • method indicates the HTTP method for the request to the PingAccess OIDC callback endpoint.
      • oidcAuthnResponseEndpoint is the location of the PingAccess OIDC callback endpoint.
      For more information about the required PingFederate configuration, see Authentication API in the PingFederate documentation. For more information about configuring the JavaScript widget to enable this challenge response, see the Redirectless support page on GitHub.

      Redirect Challenge: Generates a response with the specified response code that redirects the user to a specified URL.

      Templated Challenge: Generates a response with the specified response code based on a specified template. The allowed template variables include the following:
      • resource.name represents a string containing the name of the requested resource.
      • application.name represents a string containing the name of the requested application.
      • application.realm represents a string containing the OAuth realm associated with the application. If the realm is not defined by the application, it is inferred to be the requested authority and the application's context root.
      • exchangeId represents a string containing the ID for the current transaction.
    2. If you selected Redirect Challenge, enter a Redirect URL and select a Response Code for the redirect.
    3. If you selected Templated Challenge, select a Response Code and Media Type for the template, then enter the template in the Template field.
    4. From the Challenge Response Filter list, select a challenge response filter:
      1. If you selected Append Header Fields, click + Add Row.

        Enter a Name and Value in each row.

      2. If you selected Global PF Redirect Headers Appender, PingAccess adds the headers defined by the pf.redirect.headers property in <PA_HOME>/conf/run.properties, as described in the Configuration file reference.

      The specified HTTP response header fields are appended to the authentication challenge response.

  7. Optional: To add additional challenge response mappings, click + Add Challenge Response Mapping, then repeat steps 5 and 6.
  8. In the Default Challenge Response section, select a default challenge response.

    PingAccess uses this challenge response if no other challenge responses apply.

    1. From the Challenge Response Generator list, select a challenge response generator.
    2. If you selected Redirect Challenge, enter a Redirect URL and select a Response Code for the redirect.
    3. If you selected Templated Challenge, select a Response Code and Media Type for the template, then enter the template in the Template field.
    4. From the Challenge Response Filter list, select a challenge response filter.
      • If you selected Append Header Fields, click + Add Row, then enter a Name and Value in each row.

      The specified HTTP response header fields are appended to the authentication challenge response.

  9. Click Save.
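To make the selection logic of steps 5 through 8 traceable, the following is an added Python model of how challenge response mappings, generators, filters and the default challenge response fit together. It is an illustrative example written for this page, not PingAccess code: the `${var}` placeholder syntax for template variables, first-match-wins ordering of mappings, regular-expression semantics for value patterns, the `POST` method value, and every URL and hostname are assumptions made for the example.

```python
"""Toy model of authentication challenge policy evaluation (added example, not PingAccess code)."""
import json
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], str]  # (status code, headers, body)


# --- Challenge response mappings: decide whether a mapping applies ---------
def content_negotiation(media_types: List[str]) -> Callable[[dict], bool]:
    """Applies if any media type in the request's Accept header matches (exact token match assumed)."""
    wanted = {m.lower() for m in media_types}

    def matches(request: dict) -> bool:
        accept = request["headers"].get("Accept", "")
        offered = {part.split(";")[0].strip().lower() for part in accept.split(",")}
        return bool(wanted & offered)
    return matches


def header_fields(rows: List[Tuple[str, str]]) -> Callable[[dict], bool]:
    """Applies only if every listed header matches its value pattern; a missing header is matched as ""."""
    def matches(request: dict) -> bool:
        hdrs = {k.lower(): v for k, v in request["headers"].items()}
        return all(re.fullmatch(pattern, hdrs.get(name.lower(), "")) is not None
                   for name, pattern in rows)
    return matches


# --- Challenge response generators: build the response ----------------------
def redirect_challenge(url: str, code: int = 302) -> Callable[[dict], Response]:
    """Redirect Challenge: configured response code plus a Location header."""
    return lambda ctx: (code, {"Location": url}, "")


TEMPLATE_VARS = ("resource.name", "application.name", "application.realm", "exchangeId")


def templated_challenge(code: int, media_type: str, template: str) -> Callable[[dict], Response]:
    """Templated Challenge: substitutes the four allowed variables (${var} syntax assumed)."""
    def generate(ctx: dict) -> Response:
        body = template
        for var in TEMPLATE_VARS:
            body = body.replace("${" + var + "}", ctx.get(var, ""))
        return code, {"Content-Type": media_type}, body
    return generate


def pf_authn_api_challenge(authorization_url: str, callback: str, method: str = "POST") -> Callable[[dict], Response]:
    """PingFederate Authentication API Challenge: 401 with the three-string JSON body."""
    body = json.dumps({"authorizationUrl": authorization_url, "method": method,
                       "oidcAuthnResponseEndpoint": callback})
    return lambda ctx: (401, {"Content-Type": "application/json"}, body)


# --- Challenge response filters: post-process the response -----------------
def append_header_fields(extra: Dict[str, str]) -> Callable[[Response], Response]:
    """Append Header Fields filter: adds the configured headers to the challenge response."""
    def apply(resp: Response) -> Response:
        status, headers, body = resp
        return status, {**headers, **extra}, body
    return apply


@dataclass
class Mapping:
    applies: Callable[[dict], bool]
    generator: Callable[[dict], Response]
    filters: List[Callable[[Response], Response]] = field(default_factory=list)

    def render(self, ctx: dict) -> Response:
        resp = self.generator(ctx)
        for f in self.filters:
            resp = f(resp)
        return resp


@dataclass
class ChallengePolicy:
    mappings: List[Mapping]
    default: Mapping

    def challenge(self, request: dict, ctx: dict) -> Response:
        for m in self.mappings:  # first matching mapping wins (ordering assumed)
            if m.applies(request):
                return m.render(ctx)
        return self.default.render(ctx)  # used when no other mapping applies


# Constructed sample policy: API clients get the PingFederate API challenge, XHR clients a
# templated JSON 401, and everything else (browsers) a redirect to a login page.
POLICY = ChallengePolicy(
    mappings=[
        Mapping(content_negotiation(["application/json"]),
                pf_authn_api_challenge("https://sso.example.test/as/authorization.oauth2",
                                       "https://app.example.test/pa/oidc/cb"),
                [append_header_fields({"Cache-Control": "no-store"})]),
        Mapping(header_fields([("X-Requested-With", "XMLHttpRequest")]),
                templated_challenge(401, "application/json",
                                    '{"error":"unauthorized","resource":"${resource.name}","txn":"${exchangeId}"}')),
    ],
    default=Mapping(lambda request: True, redirect_challenge("https://sso.example.test/login", 302)),
)

# Constructed transaction context supplying the template variables.
CTX = {"resource.name": "orders-api", "application.name": "shop",
       "application.realm": "shop.example.test/orders", "exchangeId": "txn-0001"}


def challenge_for(headers: Dict[str, str]) -> Response:
    """Evaluate the sample policy for a request carrying the given headers."""
    return POLICY.challenge({"headers": headers}, CTX)


if __name__ == "__main__":
    for hdrs in ({"Accept": "text/html"}, {"Accept": "application/json"},
                 {"Accept": "*/*", "X-Requested-With": "XMLHttpRequest"}):
        print(hdrs, "->", challenge_for(hdrs))
```

The order of mappings matters in this model: a request that satisfies both the content negotiation and the header fields mapping receives the first one's response, and only requests that satisfy none fall through to the default challenge response.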