You must define certain criteria for contract or local identity mapping in PingFederate to process a request.
On the Issuance Criteria tab, define the criteria to satisfy in order for PingFederate to further process a request. Use this token authorization feature to conditionally approve or reject requests based on individual attributes.
Begin this optional configuration by choosing the source that contains the attribute to verify. Some sources are common to almost all use cases, such as Mapped Attributes. Other sources depend on the type of configuration, such as JDBC. Irrelevant sources are automatically hidden. Once you select a source, choose the attribute to verify. Depending on the selected source, the available attributes or properties vary. Specify the comparison condition and the desired value to compare to.
You can define multiple criteria, which must all be satisfied in order for PingFederate to move a request to the next phase. A criterion is satisfied when the runtime value of the selected attribute matches or does not match the specified value, depending on the chosen comparison method. The multi-value contains ... or multi-value does not contain ... comparison methods are intended for attributes that can contain multiple values. Such a criterion is considered satisfied if one of the multiple values match or does not match the specified value. Values are compared verbatim. If you require complex evaluations, including conditional criteria or partial matching, define them using attribute mapping expressions.
All criteria defined must be satisfied, or evaluated as true, for a request to move forward, regardless of how the criteria were defined. As soon as one criterion fails, PingFederate rejects the request and returns an error message.
From the Source list,
select the attribute's source.
Depending on the selection, the Attribute Name list populates with associated attributes. See the following table for more information.
Source Description Adapter Select to evaluate attributes from any preceding IdP adapter instance. IdP Connection Select to evaluate attributes from any preceding IdP connection. Local Identity Select to evaluate any local identity fields.
Not applicable for the Contract Mapping configuration.
JDBC, LDAP, or other types of datastore (if configured) Select to evaluate attributes returned from a data source. Mapped Attributes Select to evaluate the mapped attributes. Tracked HTTP Parameters Select to evaluate tracked request parameters.
Visible and applicable only if at least one HTTP request parameter has been configured on the Tracked HTTP Parameters tab of the Policies window. For more information, see Policies.
- From the Attribute Name list, select the attribute to be evaluated.
From the Condition
list, select the comparison method.
- equal to
- equal to (case insensitive)
- equal to DN
- not equal to
- not equal to (case insensitive)
- not equal to DN
- multi-value contains
- multi-value contains (case insensitive)
- multi-value contains DN
- multi-value does not contain
- multi-value does not contain (case insensitive)
- multi-value does not contain DN
The first six conditions are intended for single-value attributes. Use one of the multi-value ... conditions for PingFederate to validate whether one of the attribute values matches the specified value. When an attribute has multiple values, using a single-value condition causes the criteria to fail.
In the Value field, enter the comparison value.
Values are compared verbatim. If you require complex evaluations, including conditional criteria or partial matching, define them using attribute mapping expressions. For more information, see Attribute mapping expressions.
In the Error Result
field, enter a custom error message.
To use localized descriptions, enter a unique alias in the Error Result field, such as someIssuanceCriterionFailed. Insert the same alias with the desired localized text in the applicable language resource files, located in the <pf_install>/pingfederate/server/default/conf/language-packs directory.
If not defined, PingFederate returns ACCESS_DENIED when the criterion fails at runtime.
- Click Add.
- Optional: Repeat to add more criteria.
require complex evaluations, including conditional criteria or partial matching,
define them using attribute mapping expressions. For more information, see Attribute mapping expressions.
- Click Show Advanced Criteria.
- In the Expression field, enter the required expressions.
In the Error Result field, enter an error code or
If the expressions resolve to a string value instead of
false, the returned value overrides the Error Result field value.
- Click Add.
- Optional: Click Test, enter values in the applicable fields, and verify the results.
- Optional: Repeat to add multiple criteria using attribute mapping expressions.