This table describes the challenge response generators available for configuration on the New Authentication Challenge Policy page.
Challenge Response Generator
Browser-handled OIDC Authentication Request
Generates an HTML or
HTML OIDC Authentication Request
Generates a response with a 401 response code. The response body
is an HTML document that automatically issues the
MS-OFBA Authentication Request Redirect
Adds two response headers to an HTTP request:
This enables you to open Microsoft (MS) Office documents
protected by PingAccess in an in-app browser that redirects to
This response generator doesn’t work with MS Office applications running on macOS, as the macOS in-app browser is much more restrictive. It can’t set the nonce cookie that PingAccess requires before redirecting a user.
Additionally, Internet Explorer configurations can dictate the behavior of the in-app browser in some environments. If the document you requested fails to download, ensure that Do not save encrypted pages to disk is disabled in .
PingAccess provides an MS-OFBA authentication challenge policy that's included with the system by default. As such, this challenge response generator is best used to address edge cases. For more information, see Authentication.
OIDC Authentication Request Redirect
Generates a response with a 302 response code. The response body directs the browser to send an OIDC authentication request to the OP.
PingFederate Authentication API Challenge
Generates a response with a 401 response code. The body is a
For more information about the required PingFederate configuration, see Authentication API in the PingFederate documentation.
Generates a response with the specified response code that redirects the user to a specified URL.
Optionally, select the Append Redirect Parameters check box to append PingFederate Authentication API parameters and the URL of the protected resource the user tried to access within the query string of the redirect URL that you specified.
This lets you initiate PingFederate's redirectless OIDC flow from your own sign-on page when an unauthenticated user tries to access a protected resource. The appended parameters are:
When Append Redirect Parameters is selected, PingAccess provides the information necessary to complete an OIDC flow within the redirect URL's query string, but it does not automatically redirect the user to the PingFederate authorization endpoint. As such, this setting is best used in conjunction with the redirectless PingFederate Authentication API, which reports the current state of an end-user's PingFederate authentication policy flow so that an external web application can manage authentication requests.
Regardless of whether you use the Authentication API, you must send a request to the authzUrl to start a redirectless sign-on flow with the credentials entered into your sign-on form. This endpoint returns an OIDC token, which you must send to the authnResponseEndpoint using the authnResponseMethod so that PingAccess can establish a session with the protected resource. After the session is established, you must redirect the user to the resourceUrl.
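The appended parameters reach your sign-on page in a query string that any caller can craft, so the page should validate them before sending credentials, a token, or the user anywhere. The following is an added example, not PingAccess or PingFederate code; it assumes the parameters arrive under the names used above, and the trusted origins, allowed method values, and URLs are hypothetical.

```javascript
// Added example: check the appended redirect parameters before using them.
// Assumption: they arrive in the query string under the names used in the text.
const REQUIRED = ["authzUrl", "authnResponseEndpoint", "authnResponseMethod", "resourceUrl"];

// Hypothetical deployment values, constructed for this example.
const TRUSTED_ORIGINS = {
  authzUrl: ["https://pf.example.com"],
  authnResponseEndpoint: ["https://app.example.com"],
  resourceUrl: ["https://app.example.com"],
};
const ALLOWED_METHODS = ["GET", "POST"]; // assumption: the value names an HTTP method

function parseChallengeParams(signOnPageUrl, trusted = TRUSTED_ORIGINS) {
  const query = new URL(signOnPageUrl).searchParams;
  const params = {};
  for (const name of REQUIRED) {
    const values = query.getAll(name);
    // Reject missing or repeated parameters instead of guessing which to use.
    if (values.length !== 1 || values[0] === "") {
      throw new Error(`expected exactly one ${name}`);
    }
    params[name] = values[0];
  }
  for (const [name, origins] of Object.entries(trusted)) {
    let target;
    try {
      target = new URL(params[name]);
    } catch {
      throw new Error(`${name} is not an absolute URL`);
    }
    // Compare the parsed origin, never a string prefix, so a lookalike host
    // such as pf.example.com.other.test does not pass.
    if (target.protocol !== "https:" || !origins.includes(target.origin)) {
      throw new Error(`${name} has an untrusted origin`);
    }
    if (target.username || target.password) {
      throw new Error(`${name} must not carry userinfo`);
    }
  }
  params.authnResponseMethod = params.authnResponseMethod.toUpperCase();
  if (!ALLOWED_METHODS.includes(params.authnResponseMethod)) {
    throw new Error("authnResponseMethod is not allowed");
  }
  return params;
}
```

Call `parseChallengeParams(window.location.href)` when the sign-on page loads and stop the flow if it throws, so that credentials, the token, and the final redirect only ever go to the validated values.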
Generates a response with the specified response code based on a specified template. Possible template variables include: