On the Issuance Criteria screen, define the criteria that must be satisfied in order for PingFederate to process a request further. In essence, this token authorization feature provides the capability to conditionally approve or reject requests based on individual attributes.
You begin this optional configuration by adding a criterion. Choose the source that contains the attribute to be verified. Some sources, such as Mapped Attributes, are common to almost all use cases. Other sources, such as JDBC, have dependency on the type of configuration; irrelevant sources are automatically hidden for your convenience. Once a source a selected, choose the attribute to be verified. Depending on the selected source, the available attributes or properties vary. Finally, specify the comparison method and the desired (compared-to) value.
You can define multiple criteria, in which case all criteria must be satisfied in order for PingFederate to move a request to the next phase. A criterion is satisfied when the runtime value of the selected attribute matches (or does not match) the specified value (depending on the chosen comparison method). The multi-value contains ... (or multi-value does not contain ...) comparison methods are intended for attributes that may contain multiple values. Such criterion is considered satisfied if one of the multiple values matches (or does not match) the specified value. It is worth noting that values are compared verbatim. If you require complex evaluations, including conditional criteria or partial matching, define them using attribute mapping expressions.
When you multiplex one connection for multiple environments (see Multiple virtual server IDs), consider using attribute mapping expressions to verify the virtual server ID in conjunction with other conditions, such as group membership information, to protect against unauthorized access (see Issuance criteria and multiple virtual server IDs).
Regardless of whether the criteria are defined using the user interface, attribute mapping expressions, or both, all criteria defined must be satisfied (or evaluated as true) for a request to move forward. As soon as one criterion fails, PingFederate rejects the request and returns an error message.
Select the source of the attribute
Once selected, the Attribute Name list is populated with the associated attributes or properties. See the following table for more information.
Source Description Context Select to evaluate properties returned from the context of the transaction at runtime.Note:
The HTTP Request and STS SSL Client Certificate Chain context values are retrieved as a Java object rather than text. For this reason, attribute mapping expressions are more appropriate to evaluate and return values.
JDBC, LDAP, or other types of datastore (if configured) Select to evaluate attributes returned from a data source. Mapped Attributes Select to evaluate the mapped attributes. Token Select to evaluate attributes from the token processor instance.
Select the attribute to be evaluated under Attribute Name.
If you want to evaluate the STS Basic Authentication Username, STS SSL Client Certificate Chain, or STS SSL Client Certificate's Subject DN context value, ensure that the associated authentication is enabled and configured on the screen.
Select the comparison method under
- equal to
- equal to (case insensitive)
- equal to DN
- not equal to
- not equal to (case insensitive)
- not equal to DN
- multi-value contains
- multi-value contains (case insensitive)
- multi-value contains DN
- multi-value does not contain
- multi-value does not contain (case insensitive)
- multi-value does not contain DN
The first six conditions are intended for single-value attributes. Use one of the multi-value ... conditions when you want PingFederate to validate whether one of the attribute values matches (or does not match) the specified value. Using a single-value condition when an attribute has multiple values causes the criteria to fail consistently.Note:
If you want to evaluate the STS SSL Client Certificate's Subject DN context value, you must select one of the ... DN conditions. These methods normalize the DN before comparison to accommodate for different string representations that are still considered equivalent (for example, case sensitivity, or whitespace).
Enter the desired (compared-to) value under Value.
Values are compared verbatim. If you require complex evaluations, including conditional criteria or partial matching, define them using attribute mapping expressions.
Enter a custom error message
under Error Result.
The Error Result field is used by the faultstring element for SOAP 1.1 and the Reason/Text element for SOAP 1.2. For more information on SOAP, see the World Wide Web Consortium's Simple Object Access Protocol (www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383507).
Using an error code in the Error Result field allows an application to process the code in a variety of ways; for example, display an error message or e-mail an administrator.If localized descriptions are required, enter a unique alias in the Error Result field (for example,
someIssuanceCriterionFailed); then insert the same alias with the desired localized text in the applicable language resource files, located in the <pf_install>/pingfederate/server/default/conf/language-packs directory.
If it not defined, PingFederate returns
ACCESS_DENIEDwhen the criterion fails at runtime.
- Click Add.
- Optional: Repeat to add multiple criteria using the user interface.
require complex evaluations, including conditional criteria or partial matching,
define them using attribute mapping expressions. (Attribute mapping expressions must be enabled.)
- Click Show Advanced Criteria.
- Enter the required expressions in the Expression field.
Enter an error code or an error message in the Error
If the expressions resolve to a string value (rather than
false), the returned value overrides the Error Result field value.
- Click Add.
- Optional: Click Test, enter values in the applicable fields, and verify the result meets your expectation.
- Optional: Repeat to add multiple criteria using attribute mapping expressions.