On the Issuance Criteria screen, define the criteria that must be satisfied in order for PingFederate to process a request further. In essence, this token authorization feature provides the capability to conditionally approve or reject requests based on individual attributes.
You begin this optional configuration by adding a criterion. Choose the source that contains the attribute to be verified. Some sources, such as Mapped Attributes, are common to almost all use cases. Other sources, such as JDBC, have dependency on the type of configuration; irrelevant sources are automatically hidden for your convenience. Once a source a selected, choose the attribute to be verified. Depending on the selected source, the available attributes or properties vary. Finally, specify the comparison method and the desired (compared-to) value.
You can define multiple criteria, in which case all criteria must be satisfied in order for PingFederate to move a request to the next phase. A criterion is satisfied when the runtime value of the selected attribute matches (or does not match) the specified value (depending on the chosen comparison method). The multi-value contains ... (or multi-value does not contain ...) comparison methods are intended for attributes that may contain multiple values. Such criterion is considered satisfied if one of the multiple values matches (or does not match) the specified value. It is worth noting that values are compared verbatim. If you require complex evaluations, including conditional criteria or partial matching, define them using attribute mapping expressions.
Regardless of whether the criteria are defined using the user interface, attribute mapping expressions, or both, all criteria defined must be satisfied (or evaluated as true) for a request to move forward. As soon as one criterion fails, PingFederate rejects the request and returns an error message.