Use a web session attribute rule to examine a request and determine whether to grant access to a target site based on a match found between the attribute values in the PingAccess token and the attribute values that you specify with this rule.
Use this rule to test if an attribute in a web session contains a specific value, then grant or deny access to a target site based on whether a match is found.
- Click Access and then go to .
- Click + Add Rule.
In the Name field, enter a unique name up to 64
Special characters and spaces are allowed.
- In the Type list, select Web Session Attribute.
To grant the client access, select the Attribute Name
that you want to match, such as
In the Matching Strategy list, select the context that
you want PingAccess to evaluate requests
with when looking for a match.
- Case-Sensitive: To register as a match, the attribute value in the request must be written in the same case as the attribute value that you specify in step 7. By default, PingAccess uses this matching strategy.
- Case-Insensitive: Case doesn't matter when looking for a match. Select this option for more flexibility if you might make changes to the attribute source that don't alter it semantically.
- DN Matching: Normalizes both the attribute value
that you specify in step 7 and any attribute value that PingAccess gathers at runtime from the user
identity attributes as an X.500
distinguished name (DN). PingAccess then looks for a match between the distinguished names. distinguished name (DN) DN A name uniquely identifying an object within the hierarchy of a directory tree.Tip:
- If you select DN Matching, make sure to select an Attribute Name in step 5 that can contain a DN. The administrative console doesn't provide a warning if you select an invalid attribute type, but you can check your log files to confirm that you don't have any DN-related errors.
- PingAccess validates the Attribute Value that you specify in step 7 to make sure that it's a valid X.500 DN that follows RFC-1779 or RFC-2253. Copy-paste the attribute value to ensure accuracy.
- Relative DNs that have non-printable or non-UTF-8 string values, such as email and domain component (DC) relative DNs, are case sensitive. Otherwise, relative DN values are case-insensitive.
- If you have a relative DN with multiple attribute-value pairs
separated by a plus sign (
+) delimiter, order doesn't matter because of normalization. For example, if you define part of a relative DN in the order
CN=Engineering+OU=Groups, then a request containing those same attribute-value pairs in reverse order
OU=Groups+CN=Engineeringstill returns a match.
- The normalization process also replaces semicolon delimiters with commas, removes leading and trailing white spaces, and replaces hexadecimal values with their associated characters.
Enter the Attribute Value for the attribute name, such
Copy-paste the attribute value to ensure accuracy.
If the attribute has multiple values at runtime, the attribute value you specify here must match one of those values.
If you are using PingFederate as the token provider, PingAccess obtains token attributes from the PingFederate
OpenID Connect (OIDC)policy attribute contract. For more information, see Configuring OpenID Connect Policies. OpenID Connect (OIDC) OIDC An authentication protocol built on top of OAuth that authenticates users and enables clients (relying parties) of all types to request and receive information about authenticated sessions and users. OIDC is extensible, allowing clients to use optional features such as encryption of identity data, discovery of OpenID Providers (OAuth authorization servers), and session management.
- Optional: To add more attributes, click Add Row.
- Optional: To remove a row, click the Delete icon.
To disallow access when a match is found, click
Ensure the attribute name is spelled correctly and exists. If you enter an attribute that does not exist and you select Negate, the rule will always succeed.
To configure rejection handling, click Show Advanced
Settings, then select a rejection handling method.
- If you select Default, use the Rejection Handler list to select an existing rejection handler that defines whether to display an error template or redirect to a URL.
- If you select Basic, you can customize an error
message to display as part of the default error page rendered in the end user's
browser if rule evaluation fails. This page is among the templates you can
modify with your own branding or other information. If you select
Basic, provide the following:
- In the Error Response Code field, enter the HTTP
status response code to send if rule evaluation fails.
The default is 403.
- In the Error Response Status Message field, enter
the HTTP status response message to send if rule evaluation fails.
The default is Forbidden.
- In the Error Response Template File field, enter the HTML template page for customizing the error message that displays if rule evaluation fails. This template file is located in the <PA_HOME>/conf/template/ directory.
- From the Error Response Content Type list, select
the type of content for the error response.
This lets the client properly display the response.
- In the Error Response Code field, enter the HTTP status response code to send if rule evaluation fails.
To use this rule, select the Request Profile check box, indicating that you want PingAccess to request additional profile attributes from PingFederate when requesting the ID token.