An authentication policy contract can harness attribute values obtained from all authentication sources along the path leading up to it. Administrators can select the same authentication policy contract or local identity profile for different closed-ended paths (in one or more authentication policies) and fulfill them differently to suit the requirements. To enforce the same set of authentication policies in multiple use cases, map the authentication policy contract to the applicable Browser SSO connections and OAuth grant-mapping configuration.
To apply an authentication policy contract to a policy, select an authentication policy contract or a local identity profile as the last action of one or more closed-ended paths and configure fulfillment for each contract.
- On the screen, select the applicable authentication policy.
- On the Policy screen, locate all closed-ended paths.
A policy path is closed-ended if it contains one or more authentication sources (with or without any selector instances). A closed-ended path can optionally end with an authentication policy contract or a local identity profile.
Note: A policy path is also closed-ended if it ends with an instance of a custom authentication selector that returns an IdP adapter instance ID or the connection ID of an IdP connection. Because the custom selector itself returns an authentication source, such a closed-ended path cannot end with an authentication policy contract or a local identity profile; it must end with an action of Done or Restart instead.
Consider the following sample policy:
This policy has two selector instances (Test and Retail), two IdP adapter instances, and five policy paths:
The first four paths are closed-ended while the last path is open-ended.
Select Done as the policy action for the following
At runtime, PingFederate terminates the request and returns an error message to the user.
Select the applicable authentication policy contract or local identity profile as the policy action for the rest of the closed-ended paths.
Suppose your use case does not involve consumer authentication, registration, and profile management. It makes sense to select an authentication policy contract for the result, because the users have successfully met all your authentication requirements.
At runtime, PingFederate fulfills the authentication policy contract and carries on with the request.
Depending on your use case, you may also select an authentication policy contract for the result, possibly with an attribute indicating that the users have failed a certain part of your authentication requirements, and make further authorization decisions later using the Token Authorization framework in the applicable connections.
- For each selected authentication policy contract (if any), click Contract Mapping and then follow the wizard to complete the configuration (see Configuring contract mapping).
- For each selected local identity profile (if any), click Local Identity Mapping and then follow the wizard to complete the configuration (see Configuring local identity mapping).
Select Continue as the policy action for the open-ended path.
At runtime, PingFederate skips to the next policy.
Your policy should be similar to the following sample:
- Click Done to close the Policy screen.
- On the screen, click Save.
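As an added illustration (not PingFederate code or configuration), the following Python models the closed-ended/open-ended rule from the Note above and the terminal-action choices made in the steps, and runs it over a constructed policy tree with the shape the sample describes (two selector instances, Test and Retail, two IdP adapter instances, five paths). The node vocabulary, the adapter names such as `KerberosAdapter`, and the exact tree layout are assumptions; the page's own diagrams are not reproduced. The audit flags only the two constraints the text states: a contract or local identity profile on a path with no authentication source, and a contract or local identity profile after a custom selector that returns an authentication source.

```python
"""Classify authentication-policy paths as closed-ended or open-ended.

Added example, not PingFederate code.  The node model, the constant names
and the sample trees are assumptions; the rule applied is the one the text
states: a path is closed-ended if it contains at least one authentication
source (IdP adapter instance or IdP connection) or ends with a custom
selector that returns one, otherwise it is open-ended.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed node vocabulary for this illustration.
SOURCE = "source"                                   # IdP adapter instance or IdP connection
SELECTOR = "selector"                               # selector instance returning a result label
CUSTOM_SOURCE_SELECTOR = "custom_source_selector"   # custom selector returning an auth-source ID
ACTION = "action"                                   # terminal: Done, Continue, Restart, Contract, LocalIdentityProfile

FULFILMENT_ACTIONS = {"Contract", "LocalIdentityProfile"}


@dataclass
class Node:
    kind: str
    name: str
    children: Dict[str, "Node"] = field(default_factory=dict)  # result label -> next node


Path = List[Tuple[str, Node]]  # (result label that led to the node, node); root label is ""


def enumerate_paths(root: Node) -> List[Path]:
    """Depth-first walk returning every root-to-action path, in diagram order."""
    paths: List[Path] = []

    def walk(node: Node, label: str, so_far: Path) -> None:
        here = so_far + [(label, node)]
        if node.kind == ACTION:
            paths.append(here)
            return
        for result, child in node.children.items():
            walk(child, result, here)

    walk(root, "", [])
    return paths


def classify(path: Path) -> str:
    """Apply the text's definition: any auth source, or a trailing custom source selector."""
    steps = [n for _, n in path if n.kind != ACTION]
    if any(n.kind == SOURCE for n in steps):
        return "closed-ended"
    if steps and steps[-1].kind == CUSTOM_SOURCE_SELECTOR:
        return "closed-ended"
    return "open-ended"


def violation(path: Path) -> Optional[str]:
    """Return the constraint from the text that the terminal action breaks, or None."""
    steps = [n for _, n in path if n.kind != ACTION]
    action = path[-1][1].name
    if action in FULFILMENT_ACTIONS and classify(path) == "open-ended":
        return "contract/LIP on an open-ended path: no authentication source to fulfil it; use Continue"
    if action in FULFILMENT_ACTIONS and steps and steps[-1].kind == CUSTOM_SOURCE_SELECTOR:
        return "contract/LIP after a custom selector that returns an auth source; use Done or Restart"
    return None


def describe(path: Path) -> str:
    return " ".join(f"[{lbl}] {n.name}" if lbl else n.name for lbl, n in path)


def audit(root: Node) -> List[Tuple[str, str, Optional[str]]]:
    """One (path, classification, violation-or-None) row per policy path."""
    return [(describe(p), classify(p), violation(p)) for p in enumerate_paths(root)]


def sample_policy() -> Node:
    """Constructed tree with the shape the text describes: selectors Test and Retail,
    two IdP adapter instances, five paths (first four closed-ended, last open-ended).
    The arrangement and adapter names are assumptions."""
    contract = Node(ACTION, "Contract")
    done = Node(ACTION, "Done")
    adapter_b = Node(SOURCE, "HTMLFormAdapter", {"Success": contract, "Fail": done})
    retail = Node(SELECTOR, "Retail", {"Yes": adapter_b, "No": contract})
    adapter_a = Node(SOURCE, "KerberosAdapter", {"Success": retail, "Fail": done})
    return Node(SELECTOR, "Test", {"Yes": adapter_a, "No": Node(ACTION, "Continue")})


def custom_selector_policy() -> Node:
    """Constructed tree whose single path ends with a custom selector returning an
    adapter ID and is then (wrongly, per the Note) fulfilled by a contract."""
    return Node(CUSTOM_SOURCE_SELECTOR, "PickAdapter", {"adapter-id": Node(ACTION, "Contract")})


if __name__ == "__main__":
    for root in (sample_policy(), custom_selector_policy()):
        for path, kind, problem in audit(root):
            print(f"{kind:12} {path}" + (f"  <-- {problem}" if problem else ""))
        print()
```

Running the script lists each path with its classification; the sample policy produces four closed-ended rows and one open-ended row with no violations, while the custom-selector tree is reported closed-ended with the Done/Restart constraint flagged.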