The Session Authentication Selector enables PingFederate to choose a policy path at runtime based on whether the user already has a PingFederate authentication session for a particular source.

  1. Click Identity Provider > Selectors to open the Manage Authentication Selector Instances screen.
  2. On the Manage Authentication Selector Instances screen, click Create New Instance to start the Create Authentication Selector Instance configuration wizard.
  3. On the Type screen, configure the basics of this authentication selector instance.
  4. On the Authentication Selector screen, click Add a new row to 'Authentication Sources', select an IdP adapter instance or an IdP connection from the list, and enter a value under Result Value for the selected authentication source. Then click Update.
    The Result Value field controls the label shown for the policy path created by the selected authentication source.
    Note: Authentication sessions must be enabled for the selected authentication source (or globally for all authentication sources) on the Sessions screen. Click Manage Sessions to review and configure authentication sessions.

  5. Optional: Repeat the previous step to add more authentication sources.
    Display order might matter.

    When you place this selector instance as a checkpoint in an authentication policy, each selector result value forms a policy path. The display order of the resulting policy paths matches the display order here, which may impact the policy outcome. When the policy engine reaches this selector instance, the selector evaluates the authentication sources from top to bottom; it exits and returns true as soon as it finds a match.

    As needed, use the up and down arrows to re-arrange the display order here, which also re-prioritizes the resulting policy paths.

    In addition, when no session exists for any of the defined sources, the result value for the first authentication source is returned, unless the Enable 'No Session' Result Value check box is selected. In that case, an additional policy path is added as the last path when this selector instance is placed as a checkpoint in an authentication policy.

    Use the Edit, Update, and Cancel workflow to make or undo a change to an existing entry. Use the Delete and Undelete workflow to remove an existing entry or cancel the removal request.

  6. Optional: Select the Enable 'No Session' Result Value check box to create a separate policy path for the scenario where no session exists for any of the defined sources.
    This check box is not selected by default.
  7. To complete the configuration:
    1. Click Done on the Summary screen.
    2. Click Save on the Manage Authentication Selector Instances screen.

When you place this selector instance as a checkpoint in an authentication policy, each selector result value forms a policy path for which you can define the desired authentication experience and requirements.
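
The top-to-bottom matching and the 'No Session' fallback described in step 5 can be modeled in a few lines to see which path each combination of existing sessions lands on. This is an added illustration, not PingFederate code; the source names, result values, and the `No Session` path label are constructed for the example.

```python
from dataclasses import dataclass
from itertools import combinations

NO_SESSION = "No Session"  # assumed label for the extra path; the page does not name it


@dataclass(frozen=True)
class Source:
    name: str          # IdP adapter instance or IdP connection (constructed name)
    result_value: str  # label of the policy path this source creates


# Constructed sample configuration, listed in display order.
SAMPLE = [Source("CorpKerberos", "Kerberos"),
          Source("HtmlForm", "Form"),
          Source("PartnerIdP", "Partner")]


def policy_paths(sources, no_session_enabled):
    """Policy paths formed by the selector, in display order."""
    paths = [s.result_value for s in sources]
    if no_session_enabled:
        paths.append(NO_SESSION)  # added as the last path
    return paths


def select_path(sources, active_sessions, no_session_enabled):
    """Result value chosen for a user holding sessions for `active_sessions`."""
    if not sources:
        raise ValueError("at least one authentication source is required")
    for source in sources:  # top to bottom; the first match wins
        if source.name in active_sessions:
            return source.result_value
    if no_session_enabled:
        return NO_SESSION
    return sources[0].result_value  # no session anywhere: first source's path


def decision_table(sources, no_session_enabled):
    """Map every possible combination of existing sessions to its path."""
    names = [s.name for s in sources]
    return {frozenset(combo): select_path(sources, set(combo), no_session_enabled)
            for size in range(len(names) + 1)
            for combo in combinations(names, size)}


if __name__ == "__main__":
    for enabled in (False, True):
        print(f"Enable 'No Session' Result Value = {enabled}")
        for sessions, path in decision_table(SAMPLE, enabled).items():
            print(f"  {sorted(sessions) or ['(none)']} -> {path}")
```

With the check box cleared, the empty session set maps to the first source's path, so that path is also the one followed by users who have no session at all.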

Example

The following screen capture illustrates a configuration where three authentication sources are defined and the Enable 'No Session' Result Value check box is selected.

A screen capture illustrating a configuration where two authentication sources are defined and the Enable 'No Session' Result Value check box is selected.

When this selector instance (named Intranet sessions) is placed in a policy, four policy paths are formed.

A screen capture illustrating three policy paths.