The OAuth Scope Authentication Selector enables PingFederate to choose configured authentication sources or other selectors based on a match found between the scopes of an OAuth authorization request and scopes configured in the PingFederate OAuth authorization server (AS).

This selector allows you to control the strength of authentication based on client access requirements. For example, if a client requires write access to a resource, you can deploy an instance of the OAuth Scope Authentication Selector in one or more authentication policies to choose an adapter that offers a stronger form of authentication such as the X.509 client certificate rather than username and password.

Note:

Configure one or more scopes in OAuth Server > Authorization Server Settings screen if you have not already done so.

  1. Click Identity Provider > Selectors to open the Manage Authentication Selector Instances screen.
  2. On the Manage Authentication Selector Instances screen, click Create New Instance to start the Create Authentication Selector Instance configuration wizard.
  3. On the Type screen, configure the basics of this authentication selector instance.
  4. On the Authentication Selector screen, select the required scopes, scope groups, or both.

    Both common and exclusive scopes are available for selection.

    Important:

    This selector matches only scopes from OAuth authorization requests to the authorization endpoint (/as/authorization.oauth2). SAML SSO requests do not match this authentication selector's criteria and result in a returned result value of No. Therefore, if you are using this selector and selectors specific to SAML connections, place this selector first in the mapping list so that it takes precedence for OAuth without disrupting selector logic on SAML connections.

  5. To complete the configuration:
    1. Click Done on the Summary screen.
    2. Click Save on the Manage Authentication Selector Instances screen.

When you place this selector instance as a checkpoint in an authentication policy, it forms two policy paths: Yes and No. If the requested scopes satisfy all the selected scopes, the selector returns true. The policy engine regains control of the request and proceeds with the policy path configured for the result value of Yes. If the requested scopes do not satisfy all the selected scopes, the selector returns false. The policy engine regains control of the request and proceeds with the policy path configured for the result value of No.