To apply an authentication policy contract to a policy, select an authentication policy contract or a local identity profile as the last action of one or more closed-ended paths and configure fulfillment for each contract.
An authentication policy contract can harness attribute values obtained from all authentication sources along the path leading up to it. Administrators can select the same authentication policy contract or local identity profile for different closed-ended paths, in one or more authentication policies, and fulfill them differently to suit the requirements. To enforce the same set of authentication policies in multiple use cases, map the authentication policy contract to the applicable Browser SSO connections and OAuth grant-mapping configuration.
- Go to the Policies window and select the applicable authentication policy.
- On the Policy window, locate all closed-ended paths in the policy.
A policy path is closed-ended if it contains one or more authentication sources, with or without any selector instances. A closed-ended path can optionally end with an authentication policy contract or a local identity profile.
Note:
A policy path is also closed-ended if it ends with an instance of a custom authentication selector that returns an IdP adapter instance ID or the connection ID of an IdP connection. Because the custom selector returns an authentication source, such a closed-ended path cannot end with an authentication policy contract or a local identity profile. Instead, it must end with an action of Done or Restart.
Consider the following sample policy.
This policy has two selector instances, Test and Retail, two identity provider (IdP) adapter instances, and five policy paths:
The first four paths are closed-ended while the last path is open-ended.
- Select Done as the policy action for the following paths:
At runtime, PingFederate terminates the request and returns an error message to the user.
- Select the applicable authentication policy contract or local identity profile as the policy action for the rest of the closed-ended paths:
Suppose your use case does not involve consumer authentication, registration, or profile management. It makes sense to select an authentication policy contract for the success result, because the users have successfully met all your authentication requirements.
At runtime, PingFederate fulfills the authentication policy contract and carries on with the request.
Depending on your use case, you might also select an authentication policy contract for the failure result, possibly with an attribute indicating that the users have failed a certain part of your authentication requirements, and then make further authorization decisions later using the Token Authorization framework in the applicable connections.
- For each selected authentication policy contract, if any, click Contract Mapping and complete the workflow to finish the configuration. For more information, see Configuring contract mapping.
- For each selected local identity profile, if any, click Local Identity Mapping and complete the workflow to finish the configuration. For more information, see Configuring local identity mapping.
- Select Continue as the policy action for the open-ended path.
At runtime, PingFederate skips to the next policy. Your policy should be similar to the following sample.
- To close the Policy window, click Done.
- On the Policies window, click Save.
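As an added example (not part of the PingFederate documentation, and not PingFederate's own policy export format), the following Python script walks a simplified, constructed policy tree and applies the path rules described above: a path is closed-ended if it contains an authentication source or ends with a custom selector that returns one; a path that ends with such a custom selector must end with Done or Restart rather than a contract or local identity profile; a path with no authentication source has nothing to fulfill a contract with, and gets Continue so the request moves to the next policy. The node kinds, the `results` keying, and the names IdPAdapter1, IdPAdapter2 and ACP-Default are assumptions made for this example; the sample tree only reproduces the shape described above (selectors Test and Retail, two IdP adapter instances, five paths, four of them closed-ended).

```python
"""Lint a simplified authentication policy tree against the closed-ended / open-ended path rules.

The tree is a constructed nested-dict model, not PingFederate's export schema.
Node kinds used here (an assumption for the example):
  selector, custom_selector (with "returns_source": True/False), adapter, idp_connection,
  contract, local_identity, done, restart, continue
Branches live under "results", keyed by the result label taken (e.g. "Yes", "Success").
"""

SOURCE_KINDS = {"adapter", "idp_connection"}
CONTRACT_KINDS = {"contract", "local_identity"}
TERMINAL_KINDS = CONTRACT_KINDS | {"done", "restart", "continue"}


def enumerate_paths(node, prefix=()):
    """Yield every root-to-leaf path as a tuple of (node, result_label_taken) steps."""
    results = node.get("results")
    if not results:
        yield prefix + ((node, None),)
        return
    for label, child in results.items():
        yield from enumerate_paths(child, prefix + ((node, label),))


def describe(path):
    """Render a path as 'Name=Result > ... > Action' for reporting."""
    return " > ".join(n["name"] if label is None else f"{n['name']}={label}" for n, label in path)


def _ends_with_source_returning_selector(body):
    return bool(body) and body[-1]["kind"] == "custom_selector" and bool(body[-1].get("returns_source"))


def is_closed_ended(path):
    """Closed-ended: at least one authentication source, or a trailing custom selector that returns one."""
    body = [node for node, _ in path[:-1]]
    if any(n["kind"] in SOURCE_KINDS for n in body):
        return True
    return _ends_with_source_returning_selector(body)


def check_path(path):
    """Return (description, 'closed' | 'open' | 'unknown', finding or None) for one path."""
    body = [node for node, _ in path[:-1]]
    last = path[-1][0]
    if last["kind"] not in TERMINAL_KINDS:
        return describe(path), "unknown", f"path does not end in a policy action (ends in {last['kind']})"
    closed = is_closed_ended(path)
    finding = None
    if _ends_with_source_returning_selector(body) and last["kind"] not in {"done", "restart"}:
        finding = "custom selector returns an authentication source; the path must end with Done or Restart"
    elif not closed and last["kind"] in CONTRACT_KINDS:
        finding = "no authentication source on this path; nothing can fulfill the contract or profile"
    elif not closed and last["kind"] != "continue":
        finding = "open-ended path should end with Continue so the request moves to the next policy"
    return describe(path), "closed" if closed else "open", finding


def lint_policy(root):
    """Classify every path in the tree and report rule violations."""
    return [check_path(p) for p in enumerate_paths(root)]


def findings(root):
    """Only the paths that violate a rule."""
    return [r for r in lint_policy(root) if r[2] is not None]


# --- constructed sample data (names are assumptions, not from the documentation) ---
CONTRACT = {"kind": "contract", "name": "ACP-Default"}


def _adapter(name, on_success):
    """An IdP adapter instance whose Fail result is closed off with Done."""
    return {"kind": "adapter", "name": name,
            "results": {"Success": on_success, "Fail": {"kind": "done", "name": "Done"}}}


SAMPLE_POLICY = {
    "kind": "selector", "name": "Test",
    "results": {
        "Yes": _adapter("IdPAdapter1", CONTRACT),
        "No": {"kind": "selector", "name": "Retail",
               "results": {"Yes": _adapter("IdPAdapter2", CONTRACT),
                           "No": {"kind": "continue", "name": "Continue"}}},
    },
}

# A second constructed tree that breaks the custom-selector rule by ending in a contract.
BAD_POLICY = {
    "kind": "custom_selector", "name": "PickByRealm", "returns_source": True,
    "results": {"Selected": CONTRACT},
}

if __name__ == "__main__":
    for tree in (SAMPLE_POLICY, BAD_POLICY):
        for desc, kind, finding in lint_policy(tree):
            print(f"[{kind:6}] {desc}" + (f"  <-- {finding}" if finding else ""))
```

Running the script lists the five paths of the sample tree (four closed-ended, one open-ended, no findings) and flags the second tree, where a custom selector that returns an authentication source is followed by a contract instead of Done or Restart.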