You can configure SP authentication policies to handle different authentication requirements for multiple IdP connections. Consider the following example.
Suppose you have configured the following use cases in an earlier version of PingFederate:
- Two SP adapter instances:

  | Instance Name | Instance ID | Extended Contract |
  |---|---|---|
  | Sample | sample | subject and email |
  | Sample Delta | sampleDelta | subject and email |

- Three target URL mappings:

  | URL | Target Session |
  |---|---|
  | https://sso.xray.local:9031/SpSample/MainPage?app=Alpha&* | Sample |
  | https://sso.xray.local:9031/SpSample/MainPage?app=Charlie&* | Sample |
  | https://sso.xray.local:9031/SpSample/MainPage?app=Delta&* | Sample Delta |
- Three IdP connections to your partners:

  | Partner (Federation ID) | Identity Mapping | Attribute Contract | Target Session Mapping: SP adapter instance name (instance ID) |
  |---|---|---|---|
  | Alpha (sso.alpha.local) | Account Mapping | SAML_SUBJECT and samlEmail | Sample (sample) |
  | Charlie (sso.charlie.local) | Account Mapping | SAML_SUBJECT and samlEmail | Sample (sample) |
  | Delta (sso.delta.local) | Account Mapping | SAML_SUBJECT and samlEmail | Sample Delta (sampleDelta) |
In this example, all partners support SAML 2.0 and only the SP-initiated SSO profile.
- SP-initiated SSO URLs for users from Alpha, Charlie, and Delta (the TargetResource value is percent-encoded so that its own `?`, `&`, and `=` are not read as parameters of startSSO.ping):

  | Partner | SSO URL |
  |---|---|
  | Alpha | https://sso.xray.local:9031/sp/startSSO.ping?PartnerIdpId=sso.alpha.local&TargetResource=https%3A%2F%2Fsso.xray.local%3A9031%2FSpSample%2FMainPage%3Fapp%3DAlpha%26t%3Da |
  | Charlie | https://sso.xray.local:9031/sp/startSSO.ping?PartnerIdpId=sso.charlie.local&TargetResource=https%3A%2F%2Fsso.xray.local%3A9031%2FSpSample%2FMainPage%3Fapp%3DCharlie%26t%3Dc |
  | Delta | https://sso.xray.local:9031/sp/startSSO.ping?PartnerIdpId=sso.delta.local&TargetResource=https%3A%2F%2Fsso.xray.local%3A9031%2FSpSample%2FMainPage%3Fapp%3DDelta%26t%3Dd |
Now suppose you need to:
- Create new IdP connections to three new partners: Echo, Foxtrot, and Golf.
- Enforce multifactor authentication for users from Alpha, Charlie, Echo, and Golf through Bravo. Note that Bravo requires the user ID from the originating IdP as input and returns only that user ID once the user has satisfied the multifactor authentication requirement; any other attributes (such as samlEmail) must be carried from the originating IdP by other means.
The new required components are:
- Two additional SP adapter instances (step 1):
- Sample Echo to integrate with Echo's target application.
- Sample Golf to integrate with Golf's target application.
- Four new IdP connections (step 2, step 3, and step 4):

  | Partner (Federation ID) | Identity Mapping | Attribute Contract | Target Session Mapping: SP adapter instance name (instance ID) |
  |---|---|---|---|
  | Bravo (sso.bravo.local) | No Mapping | SAML_SUBJECT and no other attributes | N/A |
  | Echo (sso.echo.local) | No Mapping | SAML_SUBJECT and samlEmail | N/A |
  | Foxtrot (sso.foxtrot.local) | Account Mapping | SAML_SUBJECT and samlEmail | Sample (sample) |
  | Golf (sso.golf.local) | No Mapping | SAML_SUBJECT and samlEmail | N/A |

  In this example, all partners support SAML 2.0 and only the SP-initiated SSO profile.
- Three authentication policy contracts (step 5):
- An authentication policy contract (Authenticated) to carry user attributes from Alpha and Charlie to their respective target applications.
- Two other authentication policy contracts (Echo authenticated and Golf authenticated) to carry user attributes from Echo and Golf to their target applications.
- An instance of the HTTP Request Parameter Authentication Selector keyed on the PartnerIdpId request parameter, to determine whether a request is meant for Alpha or Charlie, because Alpha's and Charlie's target applications share the same SP adapter instance (step 6).
- Three SP authentication policies to enforce the multifactor authentication requirement through Bravo (step 7, step 8, and step 12).
- Three adapter mappings between the authentication policy contracts and the applicable SP adapter instances (step 9):
  - Map from Authenticated to Sample.
  - Map from Echo authenticated to Sample Echo.
  - Map from Golf authenticated to Sample Golf.
- Three additional target URL mappings between the applications requested by users from Echo, Foxtrot, and Golf and their respective SP adapter instances (step 10).
- SSO URLs for all partners (step 11).
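Before working through the steps, it helps to see the routing decisions this configuration has to make for a single SP-initiated request. The following is an added example, not code from the page or from PingFederate: it models the SP side as a small Python script that builds a startSSO.ping URL, reads PartnerIdpId (the value the HTTP Request Parameter selector keys on), decodes TargetResource, resolves it against the target URL mappings, and reports whether the partner is one whose users must pass MFA through Bravo. The first three mappings come from the page; the Echo, Foxtrot, and Golf patterns, the adapter instance IDs `sampleEcho` and `sampleGolf`, and the treatment of `*` as the only wildcard are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

SP_BASE = "https://sso.xray.local:9031"

# Target URL mappings (URL pattern -> SP adapter instance ID). The first three are
# from the worked example; the Echo, Foxtrot and Golf entries and the instance IDs
# sampleEcho and sampleGolf are assumptions for this example.
TARGET_URL_MAPPINGS = [
    (SP_BASE + "/SpSample/MainPage?app=Alpha&*", "sample"),
    (SP_BASE + "/SpSample/MainPage?app=Charlie&*", "sample"),
    (SP_BASE + "/SpSample/MainPage?app=Delta&*", "sampleDelta"),
    (SP_BASE + "/SpSample/MainPage?app=Echo&*", "sampleEcho"),
    (SP_BASE + "/SpSample/MainPage?app=Foxtrot&*", "sample"),
    (SP_BASE + "/SpSample/MainPage?app=Golf&*", "sampleGolf"),
]

# Partners whose users may start SP-initiated SSO (Bravo is only the MFA step, so it
# is not a starting point), and the subset that must pass MFA through Bravo.
SSO_PARTNERS = {"sso.alpha.local", "sso.charlie.local", "sso.delta.local",
                "sso.echo.local", "sso.foxtrot.local", "sso.golf.local"}
MFA_VIA_BRAVO = {"sso.alpha.local", "sso.charlie.local", "sso.echo.local", "sso.golf.local"}


def build_sso_url(partner_idp_id, target_resource):
    """Build the SP-initiated SSO URL. urlencode percent-encodes TargetResource, so
    the '?', '&' and '=' inside it cannot be confused with startSSO.ping parameters."""
    query = urlencode({"PartnerIdpId": partner_idp_id, "TargetResource": target_resource})
    return SP_BASE + "/sp/startSSO.ping?" + query


def _pattern_to_regex(pattern):
    # '*' is treated as the only wildcard in a mapping; everything else is literal.
    return re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$")


def resolve_adapter(target_resource):
    """Return the adapter instance ID of the first matching target URL mapping, or None."""
    for pattern, adapter_id in TARGET_URL_MAPPINGS:
        if _pattern_to_regex(pattern).match(target_resource):
            return adapter_id
    return None


def route_sso_request(sso_url):
    """Model the decisions for one startSSO.ping request: which partner the
    PartnerIdpId selector sees, which adapter instance creates the target session,
    and whether the policy must route through Bravo. Unknown partners and
    TargetResource values that match no mapping are rejected rather than guessed."""
    params = parse_qs(urlsplit(sso_url).query)
    partner = params.get("PartnerIdpId", [None])[0]
    target = params.get("TargetResource", [None])[0]
    if partner not in SSO_PARTNERS:
        raise ValueError("unknown PartnerIdpId: %r" % partner)
    adapter = resolve_adapter(target) if target else None
    if adapter is None:
        raise ValueError("no target URL mapping for TargetResource: %r" % target)
    return {"partner": partner, "adapter": adapter, "mfa_via_bravo": partner in MFA_VIA_BRAVO}


if __name__ == "__main__":
    for partner, app, t in [("sso.alpha.local", "Alpha", "a"), ("sso.charlie.local", "Charlie", "c"),
                            ("sso.delta.local", "Delta", "d"), ("sso.golf.local", "Golf", "g")]:
        url = build_sso_url(partner, SP_BASE + "/SpSample/MainPage?app=" + app + "&t=" + t)
        print(url)
        print("  ->", route_sso_request(url))
```

The rejection branch is the part worth keeping in mind when you build the SSO URLs in step 11: a TargetResource with a mistyped app value (for example `app=Alph&t=aa`) matches none of the patterns, so no adapter instance can create the session, and the model raises instead of silently picking a default. Alpha and Charlie both resolve to `sample`, which is exactly why the PartnerIdpId selector is needed to tell their policy branches apart.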
Follow these steps to fulfill the new requirements: