An authentication policy contract can harness attribute values obtained from all authentication sources along the path leading up to it. Administrators can select the same authentication policy contract or local identity profile for different closed-ended paths (in one or more authentication policies) and fulfill them differently to suit the requirements. To enforce the same set of authentication policies in multiple use cases, map the authentication policy contract to the applicable Browser SSO connections and OAuth grant-mapping configuration.

To apply an authentication policy contract to a policy, select an authentication policy contract or a local identity profile as the last action of one or more closed-ended paths and configure fulfillment for each contract.

  1. On the Authentication Policies screen, select the applicable authentication policy.
  2. On the Policy screen, locate all closed-ended paths in the policy.

    A policy path is closed-ended if it contains one or more authentication sources (with or without any selector instances). A closed-ended path can optionally end with an authentication policy contract or a local identity profile.

    Note:

    A policy path is also closed-ended if it ends with an instance of a custom authentication selector that returns an IdP adapter instance ID or the connection ID of an IdP connection. Because the custom selector returns an authentication source, such a closed-ended path cannot end with an authentication policy contract or a local identity profile. (Instead, it must end with an action of Done or Restart.)

    Consider the following sample policy:

    [Figure: A sample policy with four closed-ended paths and one open-ended path]

    This policy has two selector instances (Test and Retail), two IdP adapter instances, and five policy paths:

    • Test > No > HTML Form > Fail
    • Test > No > HTML Form > Success > Retail > No
    • Test > No > HTML Form > Success > Retail > Yes > PingID > Fail
    • Test > No > HTML Form > Success > Retail > Yes > PingID > Success
    • Test > Yes

    The first four paths are closed-ended while the last path is open-ended.

  3. Select Done as the policy action for the following paths:
    • Test > No > HTML Form > Fail
    • Test > No > HTML Form > Success > Retail > Yes > PingID > Fail

    At runtime, PingFederate terminates the request and returns an error message to the user.

  4. Select the applicable authentication policy contract or local identity profile as the policy action for the rest of the closed-ended paths, namely:
    • Test > No > HTML Form > Success > Retail > No
    • Test > No > HTML Form > Success > Retail > Yes > PingID > Success

    Suppose your use case does not involve consumer authentication, registration, and profile management. In that case, it makes sense to select an authentication policy contract for the PingID > Success result, because the users have successfully met all your authentication requirements.

    At runtime, PingFederate fulfills the authentication policy contract and carries on with the request.

    Depending on your use case, you may also select an authentication policy contract for the PingID > Fail result, possibly with an attribute indicating that the users have failed a certain part of your authentication requirements, and make other authorization decisions later using the Token Authorization framework in the applicable connections.

  5. For each selected authentication policy contract (if any), click Contract Mapping and then follow the Manage Authentication Policies > Authentication Policy Contract Mapping wizard to complete the configuration (see Configuring contract mapping).
  6. For each selected local identity profile (if any), click Local Identity Mapping and then follow the Manage Authentication Policies > Inbound Mapping & Contract Fulfillment wizard to complete the configuration (see Configuring local identity mapping).
  7. Select Continue as the policy action for the open-ended path Test > Yes.

    At runtime, PingFederate skips to the next policy.

    Your policy should be similar to the following sample:

    [Figure: A sample policy with four closed-ended paths and one open-ended path]

  8. Click Done to close the Policy screen.
  9. On the Authentication Policies screen, click Save.
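
The following added example (not PingFederate code, and not its export or API format) models the sample policy above as a tree, enumerates its five paths, classifies each as closed-ended or open-ended, and flags actions worth a second look before saving. The node layout, action labels, and the rule that a contract on an open-ended path is a finding are assumptions made for illustration; the custom-selector case from the note is not modeled.

```python
# Constructed model of the page's sample policy. This is not PingFederate's
# export or admin API format; node kinds, field names and action labels are
# hypothetical stand-ins for what the Policy screen shows.
SELECTOR, SOURCE = "selector", "source"
FULFILLING = {"Contract", "LocalIdentityProfile"}

def node(kind, name, **branches):
    # A branch value is either another node or the policy action (a string).
    return {"kind": kind, "name": name, "branches": branches}

def sample_policy(pingid_fail="Done", test_yes="Continue"):
    return node(SELECTOR, "Test",
        No=node(SOURCE, "HTML Form",
            Fail="Done",
            Success=node(SELECTOR, "Retail",
                No="Contract",
                Yes=node(SOURCE, "PingID",
                         Fail=pingid_fail, Success="Contract"))),
        Yes=test_yes)

def paths(n, trail=(), sources=0):
    """Yield (path, closed_ended, last_result, action) for every policy path."""
    sources += n["kind"] == SOURCE
    for result, child in n["branches"].items():
        step = trail + (n["name"], result)
        if isinstance(child, dict):
            yield from paths(child, step, sources)
        else:
            # Closed-ended: at least one authentication source on the path.
            yield " > ".join(step), sources > 0, result, child

def audit(policy):
    """Return (path, finding) pairs that a reviewer should look at."""
    findings = []
    for path, closed, result, action in paths(policy):
        if action is None:
            findings.append((path, "no policy action selected"))
        elif action in FULFILLING and not closed:
            findings.append((path, "contract or profile on an open-ended path"))
        elif action in FULFILLING and result == "Fail":
            findings.append((path, "contract fulfilled after Fail: verify the "
                                   "failure attribute is mapped and enforced"))
    return findings

if __name__ == "__main__":
    for path, closed, _, action in paths(sample_policy()):
        print(f"{'closed' if closed else 'open  '}  {action:<9} {path}")
    print(audit(sample_policy(pingid_fail="Contract")))
```

With the actions from steps 3, 4, and 7 the audit returns no findings; switching PingID > Fail to a contract, as the optional variant in step 4 allows, produces one finding that points the reviewer at the failure attribute and the downstream authorization check.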