The Requested AuthN Context Authentication Selector enables PingFederate to choose configured authentication sources or other selectors, within one or more authentication policies, based on the authentication context (or contexts) requested by an SP in Browser SSO requests or by an RP in OAuth with OpenID Connect use cases.

For Browser SSO, this authentication selector works in conjunction with SP connections via SAML 2.0 only, using the SP-initiated SSO profile; other Browser SSO protocols do not support authentication context. For OAuth, clients supporting the OpenID Connect protocol must include the optional acr_values parameter in their authorization requests to indicate their preferred authentication context (or contexts).

  1. Click Identity Provider > Selectors to open the Manage Authentication Selector Instances screen.
  2. On the Manage Authentication Selector Instances screen, click Create New Instance to start the Create Authentication Selector Instance configuration wizard.
  3. On the Type screen, configure the basics of this authentication selector instance.
  4. On the Authentication Selector screen, configure the applicable selector instance settings.
    1. Select the Add or Update AuthN Context Attribute check box if you want to update the authentication context attribute value with the value specified in the Selector Result Values screen.

      When selected (the default), the check box on this screen provides a means of either:

      • Adding the value of the authentication context determined by the selector into the SAML assertion.
      • When applicable, replacing any value returned from the associated adapter instance with the selector-result value.
    2. Optional: Enable policy paths to handle additional scenarios.
      For more information, refer to the following table.

      Field: Enable 'No Match' Result Value
      Description: Selector evaluation fails and the next applicable authentication policy is executed if the requested authentication context does not match any of the configured selector result values. Select this check box if you want to enable a policy path to handle this scenario. This check box is not selected by default.

      Field: Enable 'Not in Request' Result Value
      Description: Selector evaluation fails and the next applicable authentication policy is executed if no requested authentication context is found. Select this check box if you want to enable a policy path to handle this scenario. This check box is not selected by default.

  5. On the Selector Result Values screen, specify the authentication contexts to be used as the criteria.
    1. Enter the exact (case-sensitive) parameter value under Result Values and click Add.
      The value may include URIs defined in Authentication Context for the OASIS Security Assertion Markup Language (SAML) 2.0 (docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf) or any other value agreed upon with the partner.
    2. Optional: Add more values to differentiate criteria for authentication selection.
      Display order does not matter.

      Each selector result value forms a policy path when you place this selector instance as a checkpoint in an authentication policy (regardless of whether you have enabled the No Match or Not in Request policy path in step 4b).

      Use the Edit, Update, and Cancel workflow to make or undo a change to an existing entry. Click Delete to remove an entry.

  6. To complete the configuration:
    1. Click Done on the Summary screen.
    2. Click Save on the Manage Authentication Selector Instances screen.
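The following Python example is added here to illustrate the selection logic that steps 4 and 5 configure; it is not PingFederate code and does not reproduce the product's internals. It extracts the requested context(s) from a SAML 2.0 AuthnRequest (RequestedAuthnContext) or from the acr_values parameter of an OpenID Connect authorization request, matches them exactly and case-sensitively against the configured selector result values, and models the 'No Match' and 'Not in Request' policy paths as well as the 'Add or Update AuthN Context Attribute' behavior. The function names, the sample AuthnRequest and authorization URL, and the choice to honor the requester's order of preference when several contexts are requested are all assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

# SAML 2.0 namespaces used by AuthnRequest / RequestedAuthnContext
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"  # prefix of the OASIS context class URIs

# Constructed sample SP-initiated AuthnRequest (not a real capture).
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest
    xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.test</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{AC}PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# Constructed sample OIDC authorization request carrying two acr_values (space-separated).
SAMPLE_OIDC_REQUEST = (
    "https://idp.example.test/as/authorization.oauth2?response_type=code"
    "&client_id=demo&scope=openid&redirect_uri=https%3A%2F%2Frp.example.test%2Fcb"
    f"&acr_values={AC}X509%20{AC}Kerberos"
)

# Hypothetical selector configuration: the values entered on the Selector Result Values screen.
RESULT_VALUES = {AC + "PasswordProtectedTransport", AC + "X509"}


def requested_contexts_from_saml(authn_request_xml: str) -> list:
    """Return the AuthnContextClassRef URIs of RequestedAuthnContext, in request order."""
    root = ET.fromstring(authn_request_xml)
    refs = root.findall("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)
    return [(el.text or "").strip() for el in refs]


def requested_contexts_from_oidc(authorization_url: str) -> list:
    """Return the acr_values of an OIDC authorization request, in request order."""
    query = parse_qs(urlparse(authorization_url).query)
    return query.get("acr_values", [""])[0].split()


def select_policy_path(requested, result_values, no_match_enabled=False,
                       not_in_request_enabled=False):
    """Model of the selector's decision.

    Returns (outcome, value):
      ("match", <result value>)  a configured result value was requested
      ("no_match", None)         'No Match' path enabled and nothing matched
      ("not_in_request", None)   'Not in Request' path enabled and nothing requested
      ("fail", None)             selector fails; the next applicable policy runs
    Matching is exact and case-sensitive, as the Selector Result Values screen requires.
    Honoring the requester's order of preference is an assumption of this example.
    """
    if not requested:
        return ("not_in_request", None) if not_in_request_enabled else ("fail", None)
    for ctx in requested:
        if ctx in result_values:
            return ("match", ctx)
    return ("no_match", None) if no_match_enabled else ("fail", None)


def authn_context_for_assertion(selector_value, adapter_value, add_or_update=True):
    """Model of 'Add or Update AuthN Context Attribute': when enabled (the default) the
    selector result value is added to the assertion, replacing any adapter-returned value."""
    if add_or_update and selector_value is not None:
        return selector_value
    return adapter_value


if __name__ == "__main__":
    saml_ctx = requested_contexts_from_saml(SAMPLE_AUTHN_REQUEST)
    oidc_ctx = requested_contexts_from_oidc(SAMPLE_OIDC_REQUEST)
    print("SAML request:", select_policy_path(saml_ctx, RESULT_VALUES))
    print("OIDC request:", select_policy_path(oidc_ctx, RESULT_VALUES))
    print("Unknown context:", select_policy_path([AC + "Kerberos"], RESULT_VALUES,
                                                 no_match_enabled=True))
    print("No context:", select_policy_path([], RESULT_VALUES, not_in_request_enabled=True))
```

Running the script shows why the two optional check boxes matter: with both left at their default (not selected), an unknown or absent context yields "fail" and the policy engine moves on to the next applicable policy, whereas enabling them turns those cases into explicit policy paths you can handle deliberately.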