Adding an authentication requirements rule - PingAccess - 7.3


Add an authentication requirements rule in PingAccess to limit access to resources or applications protected by PingAccess based on the access control rule (ACR) values returned by the PingFederate request AuthN context authentication selector.

Verify that you have:

  • A PingFederate configuration that uses the Requested AuthN Context Authentication Selector
  • A configured authentication list

An authentication requirements rule allows authentication requirements to be applied when a policy decision is being made by the PingAccess engine, allowing an entire application or individual resources to require a particular authentication type.

This rule also allows for configurations that require more secure authentication methods, such as multi-factor authentication (MFA). For example, a website might allow a user to authenticate and view personal data using only a user name and password, but editing their personal data could require an additional PingID verification step. When used in this manner, an additional step-up authentication event is automatically triggered.

Important:

To ensure that step-up authentication is triggered, this rule should always be positioned first in a list of rules, rule sets, or rule set groups, regardless of whether the criteria is Any or All.

PingAccess uses rules to trigger different authentication paths in PingFederate. If the authentication requirements rule isn't the first item in a list, then it isn't sent to PingFederate in the initial request.

  1. Click Access and then go to Rules > Rules.
  2. Click + Add Rule.
  3. In the Name field, enter a unique name, up to 64 characters long.

    Special characters and spaces are allowed.

  4. From the Type list, select Authentication Requirements.
  5. Select an Authentication Requirements List.
  6. Select a Minimum Authentication Requirement.
    Note:

    The possible values for the Minimum Authentication Requirement are derived from the selected Authentication Requirements list.

  7. Optional: In the Max Age (M) field, enter a maximum time since the last authentication. If the user's session has not authenticated in this timeframe, the user is prompted to reauthenticate.
    A value of -1 indicates no maximum age.
  8. Click Save.
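
The ordering requirement in the Important note and the Max Age value from step 7 can be reviewed offline before a policy is deployed. The following is an added example, not PingAccess code: the nested-dictionary policy layout, its field names and the sample rule names are constructed for illustration, and it assumes that a rule set or group containing the rule must itself come first in its list.

```python
# Added example. The nested-dict layout is a constructed, hypothetical format,
# not the PingAccess Admin API schema.
AUTH_REQ = "Authentication Requirements"  # rule Type as named in the admin console

def contains_auth_req(item):
    """True for an authentication requirements rule, or a set/group holding one."""
    if "items" in item:
        return any(contains_auth_req(child) for child in item["items"])
    return item.get("type") == AUTH_REQ

def check_order(items, path="policy"):
    """Walk one ordered list and everything nested in it; return findings."""
    findings = []
    for index, item in enumerate(items):
        where = f"{path}[{index}] {item['name']!r}"
        # Assumption: a set or group that holds the rule must itself come first.
        if index != 0 and contains_auth_req(item):
            findings.append(f"{where}: not first, step-up may not be triggered")
        if "items" in item:  # rule set or rule set group, criteria Any or All
            findings += check_order(item["items"], f"{path}/{item['name']}")
        elif item.get("type") == AUTH_REQ and item.get("max_age_minutes", -1) == -1:
            findings.append(f"{where}: Max Age is -1, no maximum age is enforced")
    return findings

# Constructed sample policy: one correctly ordered set, one misordered set.
SAMPLE_POLICY = [
    {"name": "profile-edit", "criteria": "All", "items": [
        {"name": "require-mfa", "type": AUTH_REQ,
         "minimum": "mfa", "max_age_minutes": 15},
        {"name": "office-hours", "type": "Time Range"},
    ]},
    {"name": "admin-area", "criteria": "Any", "items": [
        {"name": "corp-network", "type": "Network Range"},
        {"name": "require-mfa-admin", "type": AUTH_REQ,
         "minimum": "mfa", "max_age_minutes": -1},
    ]},
]

if __name__ == "__main__":
    for finding in check_order(SAMPLE_POLICY):
        print(finding)
```

The sample reports the misordered `admin-area` set, the rule inside it that is not first, and the same rule's unlimited Max Age; the `profile-edit` set produces no findings.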