An authentication source in an authentication policy has two results, Fail or Success, for which one of the following actions can be set:
- Append another authentication source for further processing
- Append a selector for further processing
- Select Done to terminate the authentication policy (making it a closed-ended path)
- Select an authentication policy contract or a local identity profile (also
terminating the authentication policy, making it a closed-ended path)Tip: A policy path is closed-ended if it contains one or more authentication sources (with or without any selector instances). A closed-ended path can optionally end with an authentication policy contract or a local identity profile.Note:
A policy path is also closed-ended if it ends with an instance of a custom authentication selector that returns an IdP adapter instance ID or the connection ID of an IdP connection. Because the custom selector returns an authentication source, such closed-ended path cannot end with an authentication policy contract or a local identity profile. (Instead, it must end with an action of Done or Restart.)
PingFederate supports more granular control through the use of rules in authentication policies. By applying multiple rules to an authentication source, an administrator can define additional (successful) results based on attribute values from the authentication source and set different action for each result.
For example, your OpenToken IdP Adapter instance returns an attribute
(EmployeeType) that identifies the employee profile; a
value of temp
indicates such user is a contractor. Your
organization mandates that all contractors must authenticate successfully against
the OpenToken IdP adapter, followed by another IdP adapter (for example, an instance
of the
PingID®
Adapter for multifactor authentication). To fulfill this authentication requirement,
you can define a successful result by adding a rule to evaluate the
EmployeeType value, and then select the PingID Adapter
instance as the action for this match.
When multiple rules exist for a given authentication source, the first match wins. If no rule returns a match, administrators have the option to treat the authentication as successful or failure.