The HTTP Header Authentication Selector enables PingFederate to choose configured authentication sources or other selectors based on a match found in a specified HTTP header.
Use this selector in one or more authentication policies to choose from authentication sources that share a similar level of assurance, such as among multiple HTML Form Adapters or between a Kerberos Adapter and an X.509 Adapter. For example, use this selector to choose an authentication source based on the user's browser identified by the User-Agent HTTP header.
We do not recommend using this selector to determine whether an authentication source with a higher level of assurance should be bypassed, because HTTP request headers can be forged.
- Open the Manage Authentication Selector Instances screen.
- On the Manage Authentication Selector Instances screen, click Create New Instance to start the Create Authentication Selector Instance configuration wizard.
- On the Type screen, configure the basics of this authentication selector instance.
On the Authentication Selector screen, click Add a new row to 'Results', enter an expression for use when inspecting the HTTP header value of the target HTTP header under Match Expression, and click
Wildcard entries are allowed; for example,
Repeat the previous step to add more expressions.
Display order does not matter.
Use the Edit, Update, and Cancel workflow to make or undo a change to an existing entry. Use the Delete and Undelete workflow to remove an existing entry or cancel the removal request.
Enter the type of HTTP header you want the selector to inspect in the Header Name field.
This field is not case-sensitive.
Clear the Case-Sensitive Matching check box to disable case-sensitive matching between the HTTP header values from the requests and the Match Expression values specified on this
The Case-Sensitive Matching check box is selected by default.
To complete the configuration:
- Click Done on the Summary screen.
- Click Save on the Manage Authentication Selector Instances screen.
When you place this selector instance as a checkpoint in an authentication policy, it forms two policy paths: Yes and No. If the value of the specified HTTP header matches one of the configured values, the selector returns true. The policy engine regains control of the request and proceeds with the policy path configured for the result value of Yes. If the value of the specified HTTP header matches none of the configured values, the selector returns false. The policy engine regains control of the request and proceeds with the policy path configured for the result value of No.
To detect the most common browsers based on the User-Agent HTTP request header, configure an HTTP Header Authentication Selector instance as follows.
- Enter these entries under Match Expression.
Browser Expression
Chrome
*MSIE*
Tip: For more information, see User-agent string changes from Microsoft (msdn.microsoft.com/library/hh869301.aspx).
- Enter User-Agent in the Header Name field.
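The following Python model of the matching behaviour described above is an added illustration, not PingFederate's own code. It shows the Yes/No result for the `*MSIE*` expression, the effect of the Case-Sensitive Matching check box, and why the result cannot gate a higher-assurance source: the client controls the header value. Assumptions: only `*` acts as a wildcard, an absent header yields No, and the function names and sample requests are hypothetical.

```python
import re


def wildcard_to_regex(expression, case_sensitive=True):
    # Assumption: "*" is the only wildcard; every other character is literal.
    pattern = ".*".join(re.escape(part) for part in expression.split("*"))
    flags = re.DOTALL | (0 if case_sensitive else re.IGNORECASE)
    return re.compile(pattern, flags)


def select_path(headers, header_name, expressions, case_sensitive=True):
    """Return "Yes" if the named header matches any expression, else "No"."""
    # The Header Name field is not case-sensitive, so normalise names first.
    normalised = {name.lower(): value for name, value in headers.items()}
    value = normalised.get(header_name.lower())
    if value is None:
        return "No"  # assumption: a missing header matches nothing
    # Display order does not matter: any single match selects the Yes path.
    for expression in expressions:
        if wildcard_to_regex(expression, case_sensitive).fullmatch(value):
            return "Yes"
    return "No"


# Constructed sample requests (not captured traffic).
IE_REQUEST = {"user-agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"}
OTHER_REQUEST = {"User-Agent": "ExampleClient/1.0"}
LOWERCASE_REQUEST = {"User-Agent": "examplebrowser (msie compatible)"}
# Same client as OTHER_REQUEST; only the self-reported header value differs.
RELABELLED_REQUEST = {"User-Agent": "ExampleClient/1.0 MSIE"}

EXPRESSIONS = ["*MSIE*"]


def demo():
    return {
        "ie": select_path(IE_REQUEST, "User-Agent", EXPRESSIONS),
        "other": select_path(OTHER_REQUEST, "User-Agent", EXPRESSIONS),
        "lower_strict": select_path(LOWERCASE_REQUEST, "User-Agent", EXPRESSIONS),
        "lower_relaxed": select_path(
            LOWERCASE_REQUEST, "User-Agent", EXPRESSIONS, case_sensitive=False
        ),
        "relabelled": select_path(RELABELLED_REQUEST, "User-Agent", EXPRESSIONS),
    }


if __name__ == "__main__":
    for name, path in demo().items():
        print(f"{name}: {path}")
```

Because `relabelled` takes the Yes path purely on a value the client chose, both policy paths behind the selector should lead to authentication sources of comparable assurance.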