On the Issuance Criteria screen, define the criteria that must be satisfied in order for PingFederate to process a request further. In essence, this token authorization feature provides the capability to conditionally approve or reject requests based on individual attributes.
You begin this optional configuration by adding a criterion. Choose the source that contains the attribute to be verified. Some sources, such as Mapped Attributes, are common to almost all use cases. Other sources, such as JDBC, depend on the type of configuration; irrelevant sources are automatically hidden for your convenience. Once a source is selected, choose the attribute to be verified. Depending on the selected source, the available attributes or properties vary. Finally, specify the comparison method and the desired (compared-to) value.
You can define multiple criteria, in which case all criteria must be satisfied in order for PingFederate to move a request to the next phase. A criterion is satisfied when the runtime value of the selected attribute matches (or does not match) the specified value (depending on the chosen comparison method). The multi-value contains ... (or multi-value does not contain ...) comparison methods are intended for attributes that may contain multiple values. Such criterion is considered satisfied if one of the multiple values matches (or does not match) the specified value. It is worth noting that values are compared verbatim. If you require complex evaluations, including conditional criteria or partial matching, define them using attribute mapping expressions.
When you multiplex one connection for multiple environments (see Multiple virtual server IDs), consider using attribute mapping expressions to verify the virtual server ID in conjunction with other conditions, such as group membership information, to protect against unauthorized access (see Issuance criteria and multiple virtual server IDs).
Regardless of whether the criteria are defined using the user interface, attribute mapping expressions, or both, all criteria defined must be satisfied (or evaluated as true) for a request to move forward. As soon as one criterion fails, PingFederate rejects the request and returns an error message.
- Select the source of the attribute under Source.
Once selected, the Attribute Name list is populated with the associated attributes or properties. The available sources are:
- AccountLink: Select to evaluate the Local User ID value of the user. Visible and applicable only if Account Linking is the selected identity mapping method (see Choosing an identity mapping method).
- Assertion or Provider Claims: Select to evaluate attributes from the IdP connection.
- Context: Select to evaluate properties returned from the context of the transaction at runtime. Note: The HTTP Request context value is retrieved as a Java object rather than text. For this reason, attribute mapping expressions are more appropriate to evaluate and return values.
- JDBC, LDAP, or other types of datastore (if configured): Select to evaluate attributes returned from a data source.
- Mapped Attributes: Select to evaluate the mapped attributes.
- Select the attribute to be evaluated under Attribute Name.
- Select the comparison method. The available conditions are:
- equal to
- equal to (case insensitive)
- equal to DN
- not equal to
- not equal to (case insensitive)
- not equal to DN
- multi-value contains
- multi-value contains (case insensitive)
- multi-value contains DN
- multi-value does not contain
- multi-value does not contain (case insensitive)
- multi-value does not contain DN
The first six conditions are intended for single-value attributes. Use one of the multi-value ... conditions when you want PingFederate to validate whether one of the attribute values matches (or does not match) the specified value. Using a single-value condition when an attribute has multiple values causes the criterion to fail consistently.
- Enter the desired (compared-to) value under Value.
Values are compared verbatim. If you require complex evaluations, including conditional criteria or partial matching, define them using attribute mapping expressions.
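The evaluation rules described above (all criteria must pass, verbatim versus case-insensitive versus DN comparison, multi-value conditions, and the consistent failure of a single-value condition against a multi-valued attribute) can be modelled in a few dozen lines. The following is an added example, not PingFederate's own code. It assumes runtime attributes arrive as a dict mapping attribute name to either a str (single-valued) or a list of str (multi-valued), and it simplifies DN comparison: RDNs are split on commas, whitespace is trimmed, and types and values are lower-cased (escaped commas and multi-valued RDNs are not handled). The sample attributes and criteria are constructed for illustration.

```python
"""Model of the issuance-criteria evaluation described above (added example,
not PingFederate code). Attributes: dict of name -> str or list of str."""
from dataclasses import dataclass
from typing import Optional, Tuple

DEFAULT_ERROR = "ACCESS_DENIED"  # returned when Error Result is left empty

SINGLE_VALUE_CONDITIONS = {
    "equal to", "equal to (case insensitive)", "equal to DN",
    "not equal to", "not equal to (case insensitive)", "not equal to DN",
}
MULTI_VALUE_CONDITIONS = {
    "multi-value contains", "multi-value contains (case insensitive)",
    "multi-value contains DN", "multi-value does not contain",
    "multi-value does not contain (case insensitive)",
    "multi-value does not contain DN",
}


@dataclass(frozen=True)
class Criterion:
    attribute: str          # attribute name, e.g. "memberOf"
    condition: str          # one of the condition names listed above
    value: str              # compared-to value, compared verbatim
    error_result: str = ""  # custom Error Result; empty -> ACCESS_DENIED


def _normalize_dn(dn: str) -> str:
    """Simplified DN normalisation (assumption): split on commas, trim
    whitespace, lower-case attribute types and values."""
    rdns = []
    for rdn in dn.split(","):
        attr_type, sep, attr_value = rdn.partition("=")
        rdns.append(attr_type.strip().lower() + sep + attr_value.strip().lower())
    return ",".join(rdns)


def _values_equal(condition: str, runtime: str, expected: str) -> bool:
    """Compare two single values verbatim, case-insensitively, or as DNs."""
    if condition.endswith("DN"):
        return _normalize_dn(runtime) == _normalize_dn(expected)
    if condition.endswith("(case insensitive)"):
        return runtime.lower() == expected.lower()
    return runtime == expected


def criterion_satisfied(c: Criterion, attributes: dict) -> bool:
    runtime = attributes.get(c.attribute)
    if runtime is None:
        return False  # a missing attribute never satisfies a criterion
    if c.condition in SINGLE_VALUE_CONDITIONS:
        if isinstance(runtime, list):
            return False  # single-value condition on a multi-valued attribute fails
        matched = _values_equal(c.condition, runtime, c.value)
        return not matched if c.condition.startswith("not ") else matched
    if c.condition in MULTI_VALUE_CONDITIONS:
        values = runtime if isinstance(runtime, list) else [runtime]
        any_match = any(_values_equal(c.condition, v, c.value) for v in values)
        # Assumption: "does not contain" is satisfied only when no value matches.
        return not any_match if "does not contain" in c.condition else any_match
    raise ValueError(f"unknown condition: {c.condition}")


def evaluate(criteria, attributes) -> Tuple[bool, Optional[str]]:
    """All criteria must be satisfied; the first failure rejects the request
    and yields that criterion's Error Result (or ACCESS_DENIED)."""
    for c in criteria:
        if not criterion_satisfied(c, attributes):
            return False, c.error_result or DEFAULT_ERROR
    return True, None


# Constructed sample runtime attributes (not real data).
SAMPLE_ATTRIBUTES = {
    "VirtualServerId": "sp-a",
    "username": "alice",
    "memberOf": [
        "CN=Staff,OU=Groups,DC=example,DC=com",
        "CN=Admins,OU=Groups,DC=example,DC=com",
    ],
}

# Constructed criteria: correct virtual server ID and admin group membership.
ADMIN_CRITERIA = [
    Criterion("VirtualServerId", "equal to", "sp-a", "wrongVirtualServer"),
    Criterion("memberOf", "multi-value contains DN",
              "cn=admins, ou=groups, dc=example, dc=com", "notAnAdmin"),
]

if __name__ == "__main__":
    print(evaluate(ADMIN_CRITERIA, SAMPLE_ATTRIBUTES))
```

The DN condition is what lets the loosely formatted compared-to value above match the directory's canonical group DN; the plain `multi-value contains` condition on the same pair fails, because values are compared verbatim.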
- Enter a custom error message under Error Result.
Error results are handled in one of two ways.
- When an InErrorResource URL is provided, the value of the Error Result field is used by the query parameter ErrorDetail in the redirect URL.
- When an InErrorResource URL is not provided, the value of the Error Result field is used by the variable $errorDetail in the sp.sso.error.page.template.html template file.
Using an error code in the Error Result field allows the error template or an application to process the code in a variety of ways; for example, display an error message or e-mail an administrator. If localized descriptions are required, enter a unique alias in the Error Result field (for example, someIssuanceCriterionFailed); then insert the same alias with the desired localized text in the applicable language resource files, located in the <pf_install>/pingfederate/server/default/conf/language-packs directory.
If the Error Result field is not defined, PingFederate returns ACCESS_DENIED when the criterion fails at runtime.
- Click Add.
- Optional: Repeat to add multiple criteria using the user interface.
If you require complex evaluations, including conditional criteria or partial matching, define them using attribute mapping expressions. (Attribute mapping expressions must be enabled.)
- Click Show Advanced Criteria.
- Enter the required expressions in the Expression field.
- Enter an error code or an error message in the Error Result field.
If the expressions resolve to a string value (rather than false), the returned value overrides the Error Result field value.
- Click Add.
- Optional: Click Test, enter values in the applicable fields, and verify the result meets your expectation.
- Optional: Repeat to add multiple criteria using attribute mapping expressions.
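The two error-result paths described earlier (ErrorDetail on the InErrorResource redirect, or $errorDetail in the error template) and the override by a string-valued expression can be modelled together. This is an added example, not PingFederate's own code; it assumes the InErrorResource URL is passed in as a string (or None when not provided), that a plain string stands in for the sp.sso.error.page.template.html template, and that the expression result is passed in as either False or a string. HTML-escaping the substituted value is this example's own choice, so that an expression-returned message cannot inject markup into the error page. The sample URL and template are constructed.

```python
"""Dispatch of a failed criterion's Error Result (added example, not
PingFederate code). Models the redirect and template cases described above."""
import html
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

DEFAULT_ERROR = "ACCESS_DENIED"


def resolve_error_detail(error_result_field: str, expression_result=None) -> str:
    """expression_result models what an advanced-criteria expression returned:
    False (or None) for a plain failure, or a string that overrides the
    Error Result field. An empty field falls back to ACCESS_DENIED."""
    if isinstance(expression_result, str) and expression_result:
        return expression_result
    return error_result_field or DEFAULT_ERROR


def error_redirect(in_error_resource: Optional[str], error_detail: str) -> Optional[str]:
    """Case 1: InErrorResource provided -> append ErrorDetail, URL-encoded,
    preserving any query string the resource URL already carries.
    Returns None when no InErrorResource is configured."""
    if not in_error_resource:
        return None
    parts = urlsplit(in_error_resource)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("ErrorDetail", error_detail))
    return urlunsplit(parts._replace(query=urlencode(query)))


def render_error_page(template: str, error_detail: str) -> str:
    """Case 2: no InErrorResource -> substitute $errorDetail in the template.
    Escaping is an assumption of this example, not documented behaviour."""
    return template.replace("$errorDetail", html.escape(error_detail, quote=True))


def handle_failure(error_result_field: str, expression_result,
                   in_error_resource: Optional[str], template: str) -> str:
    """Return the redirect URL when InErrorResource exists, else the page."""
    detail = resolve_error_detail(error_result_field, expression_result)
    redirect = error_redirect(in_error_resource, detail)
    return redirect if redirect is not None else render_error_page(template, detail)


# Constructed sample configuration (not real values).
SAMPLE_TEMPLATE = "<p>Sign-on failed: $errorDetail</p>"
SAMPLE_IN_ERROR_RESOURCE = "https://app.example.com/error?app=portal"

if __name__ == "__main__":
    print(handle_failure("someIssuanceCriterionFailed", False,
                         SAMPLE_IN_ERROR_RESOURCE, SAMPLE_TEMPLATE))
    print(handle_failure("", "user is not in the required group",
                         None, SAMPLE_TEMPLATE))
```

Because the alias lands in a query string, spaces and reserved characters in a free-text Error Result are encoded on the redirect path; a short alias such as someIssuanceCriterionFailed avoids that and keeps the localized text in the language resource files.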