On the Issuance Criteria screen, define the criteria that must be satisfied in order for PingFederate to process a request further. In essence, this token authorization feature provides the capability to conditionally approve or reject requests based on individual attributes.

You begin this optional configuration by adding a criterion. Choose the source that contains the attribute to be verified. Some sources, such as Mapped Attributes, are common to almost all use cases. Other sources, such as JDBC, have dependency on the type of configuration; irrelevant sources are automatically hidden for your convenience. Once a source a selected, choose the attribute to be verified. Depending on the selected source, the available attributes or properties vary. Finally, specify the comparison method and the desired (compared-to) value.

You can define multiple criteria, in which case all criteria must be satisfied in order for PingFederate to move a request to the next phase. A criterion is satisfied when the runtime value of the selected attribute matches (or does not match) the specified value (depending on the chosen comparison method). The multi-value contains ... (or multi-value does not contain ...) comparison methods are intended for attributes that may contain multiple values. Such criterion is considered satisfied if one of the multiple values matches (or does not match) the specified value. It is worth noting that values are compared verbatim. If you require complex evaluations, including conditional criteria or partial matching, define them using attribute mapping expressions.

Note:

Regardless of whether the criteria are defined using the user interface, attribute mapping expressions, or both, all criteria defined must be satisfied (or evaluated as true) for a request to move forward. As soon as one criterion fails, PingFederate rejects the request and returns an error message.

  1. Select the source of the attribute under Source.

    Once selected, the Attribute Name list is populated with the associated attributes or properties. See the following table for more information.

    Source Description
    Adapter Select to evaluate attributes from the IdP adapter instance.
    Context Select to evaluate properties returned from the context of the transaction at runtime.
    Note:

    The HTTP Request context value is retrieved as a Java object rather than text. For this reason, attribute mapping expressions are more appropriate to evaluate and return values.

    JDBC, LDAP, or other types of datastore (if configured) Select to evaluate attributes returned from a data source.
    Mapped Attributes Select to evaluate the mapped attributes.
  2. Select the attribute to be evaluated under Attribute Name.
  3. Select the comparison method under Condition.

    Available methods:

    • equal to
    • equal to (case insensitive)
    • equal to DN
    • not equal to
    • not equal to (case insensitive)
    • not equal to DN
    • multi-value contains
    • multi-value contains (case insensitive)
    • multi-value contains DN
    • multi-value does not contain
    • multi-value does not contain (case insensitive)
    • multi-value does not contain DN
    Note:

    The first six conditions are intended for single-value attributes. Use one of the multi-value ... conditions when you want PingFederate to validate whether one of the attribute values matches (or does not match) the specified value. Using a single-value condition when an attribute has multiple values causes the criteria to fail consistently.

  4. Enter the desired (compared-to) value under Value.
    Note:

    Values are compared verbatim. If you require complex evaluations, including conditional criteria or partial matching, define them using attribute mapping expressions.

  5. Enter a custom error message under Error Result.
    If localized descriptions are required, enter a unique alias in the Error Result field (for example, someIssuanceCriterionFailed); then insert the same alias with the desired localized text in the applicable language resource files, located in the <pf_install>/pingfederate/server/default/conf/language-packs directory.

    If it not defined, PingFederate returns ACCESS_DENIED when the criterion fails at runtime.

  6. Click Add.
  7. Optional: Repeat to add multiple criteria using the user interface.
  8. If you require complex evaluations, including conditional criteria or partial matching, define them using attribute mapping expressions. (Attribute mapping expressions must be enabled.)
    1. Click Show Advanced Criteria.
    2. Enter the required expressions in the Expression field.
    3. Optional: Enter an error code or an error message in the Error Result field.
      Note:

      If the expressions resolve to a string value (rather than true or false), the returned value overrides the Error Result field value.

    4. Click Add.
    5. Optional: Click Test, enter values in the applicable fields, and verify the result meets your expectation.
    6. Optional: Repeat to add multiple criteria using attribute mapping expressions.