This table describes the challenge response generators available for configuration on the New Authentication Challenge Policy page.
Challenge Response Generator | Description |
---|---|
Browser-handled OIDC Authentication Request |
Generates an HTML or |
HTML OIDC Authentication Request |
Generates a response with a 401 response code. The response body is an HTML document that automatically issues the OpenID Connect (OIDC) authentication request using JavaScript. The HTML always attempts to preserve the fragment of the current browser URL and preserves a POST body if the |
MS-OFBA Authentication Request Redirect |
Adds two response headers to an HTTP request:
This enables you to open Microsoft (MS) Office documents protected by PingAccess in an in-app browser that redirects to the OpenID Provider (OP) for user authentication. After the user authenticates, PingAccess establishes a web session and redirects the user to the corresponding MS Office application (spreadsheets open in Microsoft Excel, for example).
Important:
This response generator doesn’t work with MS Office applications running on macOS, as the macOS in-app browser is much more restrictive. It can’t set the nonce cookie that PingAccess requires before redirecting a user. Additionally, Internet Explorer configurations can dictate the behavior of the in-app browser in some environments. If the document you requested fails to download, ensure that Do not save encrypted pages to disk is disabled in .
Tip:
PingAccess provides an MS-OFBA authentication challenge policy that's included with the system by default. As such, this challenge response generator is best used to address edge cases. For more information, see Authentication. |
OIDC Authentication Request Redirect |
Generates a response with a 302 response code. The response body directs the browser to send an OIDC authentication request to the OP. |
PingFederate Authentication API Challenge |
Generates a response with a 401 response code. The body is a JSON object that directs the application to connect to the PingFederate redirectless authorization API. The JSON object contains three strings:
For more information about the required PingFederate configuration, see Authentication API in the PingFederate documentation. For more information about configuring the JavaScript widget to enable this challenge response, see the Redirectless support page on GitHub. |
Redirect Challenge |
Generates a response with the specified response code that redirects the user to a specified URL.
Tip:
To opt out of automatic URL encoding, deselect the Encode URL check box. Learn more in Release Notes.
Optionally, select the Append Redirect Parameters check box to append PingFederate Authentication API parameters and the URL of the protected resource the user tried to access within the query string of the redirect URL that you specified. This lets you initiate PingFederate's redirectless OIDC flow from your own sign-on page when an unauthenticated user tries to access a protected resource. The appended parameters are:
Important:
When Append Redirect Parameters is selected, PingAccess provides the information necessary to complete an OIDC flow within the redirect URL's query string, but it does not automatically redirect the user to the PingFederate authorization endpoint. As such, this setting is best used in conjunction with the redirectless PingFederate Authentication API, which reports the current state of an end-user's PingFederate authentication policy flow so that an external web application can manage authentication requests. Regardless of whether you use the Authentication API, you must send a request to the authzUrl to start a redirectless sign-on flow with the credentials entered into your sign-on form. This endpoint returns an OIDC token, which you must send to the authnResponseEndpoint using the authnResponseMethod so that PingAccess can establish a session with the protected resource. After the session is established, you must redirect the user to the resourceUrl. |
Templated Challenge |
Generates a response with the specified response code based on a specified template. Possible template variables include:
|
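With Append Redirect Parameters selected on the Redirect Challenge, your sign-on page receives authzUrl, authnResponseEndpoint, authnResponseMethod and resourceUrl in its query string, which is browser-supplied input. The following added example (not from the PingAccess documentation) shows one way a sign-on page could validate those values before using them; it assumes the query parameter names match the names used in the text, and the origins and accepted methods are constructed placeholders.

```javascript
// Added example: validate the appended redirect parameters on a custom sign-on page.
// Assumption: the query parameters carry the names used in the Redirect Challenge text.
// Constructed allowlists: replace with your own PingFederate and PingAccess origins.
const TRUSTED_AUTHZ_ORIGINS = new Set(["https://pf.example.com:9031"]);
const TRUSTED_PA_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_METHODS = new Set(["GET", "POST"]); // assumed acceptable values

// Returns the origin of an absolute https URL without userinfo, otherwise null.
function originOf(value) {
  try {
    const u = new URL(value);
    if (u.protocol !== "https:" || u.username || u.password) return null;
    return u.origin;
  } catch {
    return null;
  }
}

// Parses the sign-on page URL and returns either the validated parameters
// or the list of reasons the request must not be processed.
function parseRedirectParams(signOnPageUrl) {
  const q = new URL(signOnPageUrl).searchParams;
  const errors = [];
  const params = {};
  const urlChecks = [
    ["authzUrl", TRUSTED_AUTHZ_ORIGINS],              // where credentials are sent
    ["authnResponseEndpoint", TRUSTED_PA_ORIGINS],    // where the OIDC token is sent
    ["resourceUrl", TRUSTED_PA_ORIGINS],              // final redirect target
  ];
  for (const [name, trusted] of urlChecks) {
    const values = q.getAll(name);
    // Require exactly one value so a duplicated parameter cannot shadow the real one.
    if (values.length !== 1) { errors.push(`${name}: expected exactly one value`); continue; }
    const origin = originOf(values[0]);
    if (!origin || !trusted.has(origin)) { errors.push(`${name}: untrusted origin`); continue; }
    params[name] = values[0];
  }
  const method = (q.get("authnResponseMethod") || "").toUpperCase();
  if (ALLOWED_METHODS.has(method)) params.authnResponseMethod = method;
  else errors.push("authnResponseMethod: unsupported method");
  return errors.length ? { ok: false, errors } : { ok: true, params };
}
```

When `ok` is false, stop the sign-on flow instead of posting credentials to authzUrl or redirecting to resourceUrl.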