The HTTP Request Parameter Authentication Selector enables PingFederate to choose configured authentication sources or other selectors based on query parameter values. Use this selector in one or more authentication policies to choose from authentication sources that share a similar level of assurance, such as among multiple instances of the HTML Form Adapter or between a Kerberos Adapter instance and an X.509 Adapter instance. For example, use an instance of this selector to choose an authentication experience based on the reward program information indicated by a query parameter in the SSO request.

Important:

We do not recommend using this selector to determine whether, or not, an authentication source with a higher level of assurance should be bypassed because query parameters could potentially be forged.

  1. Click Identity Provider > Selectors to open the Manage Authentication Selector Instances screen.
  2. On the Manage Authentication Selector Instances screen, click Create New Instance to start the Create Authentication Selector Instance configuration wizard.
  3. On the Type screen, configure the basics of this authentication selector instance.
  4. On the Authentication Selector screen, configure the applicable selector instance settings.
    1. Enter the exact (case-sensitive) name of the request parameter in the HTTP Request Parameter Name field.
      Important:

      The policy engine is capable of tracking HTTP request parameters that it receives from the initial request and making them available to selector instances throughout the policy. If you plan on using this selector instance as the second (or subsequent) checkpoint in at least one authentication policy, add the HTTP Request Parameter Name value on the Authentication Policies > Tracked HTTP Parameters screen. For more information, see Defining authentication policies.

    2. Optional: Clear the Case-Sensitive Matching check box to disable case-sensitive matching between the HTTP request parameter values from the requests and the Match Expression values specified on the Selector Result Values screen.
      The Case-Sensitive Matching check box is selected by default.
    3. Optional: Enable policy paths to handle additional scenarios.
      For more information, refer to the following table.
      Field Description
      Enable 'Any' Result Value Each configured selector result value forms a separate authentication policy path.

      Select this check box if you want to enable a single policy path for the scenario where the HTTP request parameter value matches any one of the configured selector result values.

      This check box is not selected by default.

      Enable 'No Match' Result Value Selector evaluation fails and the next applicable authentication policy is executed when the HTTP request parameter value does not match any of the configured selector result values.

      Select this check box if you want to enable a policy path to handle this scenario.

      This check box is not selected by default.

      Enable 'Not in Request' Result Value Selector evaluation fails and the next applicable authentication policy is executed if the HTTP request parameter is not found.

      Select this check box if you want to enable a policy path to handle this scenario.

      This check box is not selected by default.

  5. On the Selector Result Values screen, enter a request parameter value under Result value and click Add.
    Wildcard entries are allowed; for example, *value*.
    Important:

    A more specific match is considered a better match and an exact match is considered the best match.

  6. Optional: Repeat the previous step to add more request parameter values.
    Display order does not matter.
    If you have not enabled the Any policy path in step 4c, each selector result value forms a policy path when you place this selector instance as a checkpoint in an authentication policy.
    If you have enabled the Any policy path, only one policy path is formed.

    Use the Edit, Update, and Cancel workflow to make or undo a change to an existing entry. Click Delete to remove an entry.

  7. To complete the configuration:
    1. Click Done on the Summary screen.
    2. Click Save on the Manage Authentication Selector Instances screen.

Example

Suppose you enter three selector result values (Central, Easter, and Southern) on the Selector Result Values screen, as illustrated in the following screen capture.

A screen capture illustrating three result values: Central, Eastern, and Southern.

If you have not enabled any additional policy paths in step 4c, as you place this selector instance as a checkpoint in an authentication policy, three policy paths are extended from the selector instance, one for each of the configured selector result values.

A screen capture illustrating three policy paths.