An authentication challenge response is an HTTP response sent to a user agent (such as a web browser) by PingAccess, telling the user agent that the corresponding request did not contain a valid authentication token. Some responses also provide instructions to the user agent to obtain a valid authentication token such as an HTTP redirect response containing an encoded OpenID Connect (OIDC) authentication request.

When onboarding new applications to PingAccess, the recommended configuration is SPA Support = Enabled, Request Preservation = POST and Fragment, and Fail on Unsupported Content Type = false, regardless of the behavior of the application. This configuration is displayed in the first table.

Recommended configurations
PingAccess configuration Request properties Response characteristics
SPA Support1 Request Preservation2 Fail on Unsupported Content Type3 Method Content Type Accept Header Field Response Code Body Content
Enabled POST, POST and Fragment Any GET4 Any

NOT

application/json

401 HTML
Enabled POST, POST and Fragment Any GET4 Any application/json 401 JSON
Enabled POST, POST and Fragment false POST Any

NOT

application/json

401 HTML
Enabled POST, POST and Fragment false POST Any application/json 401 JSON
1Configured on an application. In the Admin API, the field is spaSupportEnabled. In the UI, the field is SPA Support. See Adding an application for more information about this field.
2Configured on a web session. In the Admin API, the field is requestPreservationType. In the UI, the field is Request Preservation. See Creating web sessions for more information about this field.
3This option is only available through the Admin API.
4Any non-POST method receives the same response as a GET.
Additional configurations
PingAccess configuration Request properties Response characteristics
SPA Support1 Request Preservation2 Fail on Unsupported Content Type3 Method Content Type Accept Header Field Response Code Body Content
Disabled None Any Any Any Any 302 None
Disabled POST Any GET4 Any Any 302 None
Disabled POST Any POST application/x-www-form-urlencoded Any 200 HTML
Disabled POST false POST

NOT

application/x-www-form-urlencoded

Any 302 None
Disabled POST true POST

NOT

application/x-www-form-urlencoded

Any 415 HTML
Disabled POST and Fragment Any GET4 Any Any 200 HTML
Disabled POST and Fragment Any POST application/x-www-form-urlencoded Any 200 HTML
Disabled POST and Fragment false POST

NOT

application/x-www-form-urlencoded

Any 302 None
Disabled POST and Fragment true POST

NOT

application/x-www-form-urlencoded

Any 415 HTML
Enabled None Any Any Any

NOT

application/json

401 HTML
Enabled None Any Any Any application/json 401 JSON
Enabled POST, POST and Fragment true POST

NOT

application/x-www-form-urlencoded

NOT

application/json

415 HTML
Enabled POST, POST and Fragment true POST application/x-www-form-urlencoded

NOT

application/json

401 HTML
Enabled POST, POST and Fragment true POST Any application/json 401 JSON