1. Click Access and then go to Rules > Rules.
  2. Click + Add Rule.
  3. In the Name field, enter a unique name up to 64 characters long.

    Special characters and spaces are allowed.

  4. From the Type list, select Web Session Attribute.
  5. To grant the client access, select the Attribute Name that you want to match, such as Group.
  6. Enter the Attribute Value for the attribute name, such as Sales.

    If the attribute has multiple values at runtime, the attribute value you specify here must match one of those values.

    PingAccess token attributes are obtained from the PingFederate OpenID Connect (OIDC) policy attribute contract. For more information, see Configuring OpenID Connect Policies.

  7. To add more attributes, click Add Row.
  8. To remove a row, click the Delete icon.
  9. To disallow access when a match is found, click Negate.

    Ensure the attribute name is spelled correctly and exists. If you enter an attribute that does not exist and you select Negate, the rule will always succeed.

  10. If you want to configure rejection handling, click Show Advanced Settings, then select a rejection handling method:
    • Select Default to use the Rejection Handler list to select an existing rejection handler that defines whether to display an error template or redirect to a URL.
    • Select Basic to customize an error message to display as part of the default error page rendered in the end-user's browser if rule evaluation fails. This page is among the templates you can modify with your own branding or other information.
    If you select Basic, provide this information:
    1. In the Error Response Code field, enter the HTTP status response code to send if rule evaluation fails. The default is 403.
    2. In the Error Response Status Message field, enter the HTTP status response message to send if rule evaluation fails. The default is Forbidden.
    3. In the Error Response Template File field, enter the HTML template page for customizing the error message that displays if rule evaluation fails. This template file is located in the <PA_HOME>/conf/template/ directory.
    4. From the Error Response Content Type list, select the type of content for the error response. This lets the client properly display the response.
  11. Click Save.

    To use this rule, select the Request Profile check box, indicating that you want PingAccess to request additional profile attributes from PingFederate when requesting the ID token.