Add an authentication requirements rule in PingAccess to limit access to resources or applications protected by PingAccess based on the access control rule (ACR) values returned by the PingFederate request AuthN context authentication selector.
Verify that you have:
- A PingFederate configuration that uses the Requested AuthN Context Authentication Selector
- A configured authentication list
An authentication requirements rule allows authentication requirements to be applied when a policy decision is being made by the PingAccess engine, allowing an entire application or individual resources to require a particular authentication type.
This rule also allows for configurations that require more secure authentication methods, such as multi-factor authentication (MFA). For example, a website might allow a user to authenticate and view personal data using only a user name and password, but editing their personal data could require an additional PingID verification step. When used in this manner, an additional step-up authentication event is automatically triggered.
To ensure that step-up authentication is triggered, this rule should always be positioned first in a list of rules, rule sets, or rule set groups, regardless of whether the criteria is
PingAccess uses rules to trigger different authentication paths in PingFederate. If the authentication requirements rule isn't the first item in a list, then it isn't sent to PingFederate in the initial request.
- Click Access and then go to .
- Click + Add Rule.
- In the Name field, enter a unique name, up to 64. Special characters and spaces are allowed.
- From the Type list, select Authentication Requirements.
- Select an Authentication Requirements List.
- Select a Minimum Authentication Requirement. The possible values for the Minimum Authentication Requirement are derived from the selected Authentication Requirements list.
- In the Max Age (M) field, enter a maximum time since the last authentication. If the user's session has not authenticated in this timeframe, the user is prompted to reauthenticate. A value of -1 indicates no maximum age.
- Click Save.
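The following is an added illustrative model of how such a rule evaluates a session, not PingAccess or PingFederate code: an ordered authentication requirements list, a minimum requirement drawn from it, and a max age in minutes (the meaning of "(M)" is assumed here) decide whether access is allowed or a step-up to a stronger ACR value is needed. The ACR values, the claim names `acr` and `auth_time`, and the `Decision` shape are constructed for the example.

```python
# Added example: a simplified model of an authentication requirements rule.
# Not PingAccess code; list ordering, claim names and the Decision type are
# assumptions made for this illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

# Constructed authentication requirements list, ordered weakest to strongest.
# The ACR value PingFederate returns for the path that actually ran is
# compared against its position in this list.
AUTH_REQUIREMENTS = ["urn:pw", "urn:pw+pingid"]

@dataclass
class Rule:
    minimum: str          # Minimum Authentication Requirement (a value from the list)
    max_age_minutes: int  # Max Age (M), assumed to be minutes; -1 means no maximum

@dataclass
class Decision:
    allowed: bool
    step_up_acr: List[str]  # ACR values that would satisfy the rule on step-up
    reason: str

def rank(acr: str) -> int:
    """Position of an ACR value in the ordered list; -1 if it is not listed."""
    return AUTH_REQUIREMENTS.index(acr) if acr in AUTH_REQUIREMENTS else -1

def evaluate(rule: Rule, session: dict, now: datetime) -> Decision:
    """session carries the token's 'acr' and 'auth_time' (timezone-aware UTC)."""
    required = rank(rule.minimum)
    if required < 0:
        raise ValueError("minimum must come from the authentication requirements list")
    # Every value at or above the minimum in the list satisfies the rule.
    acceptable = AUTH_REQUIREMENTS[required:]
    # An unknown or missing ACR ranks -1 and therefore always needs step-up.
    if rank(session.get("acr", "")) < required:
        return Decision(False, acceptable, "acr below minimum requirement")
    if rule.max_age_minutes != -1:
        age = now - session["auth_time"]
        if age > timedelta(minutes=rule.max_age_minutes):
            return Decision(False, acceptable, "last authentication older than max age")
    return Decision(True, [], "authentication requirement satisfied")
```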