Configuring the HTTP Header Authentication Selector - PingFederate - 10.2


The HTTP Header Authentication Selector enables PingFederate to choose configured authentication sources or other selectors based on a match found in a specified HTTP header.

Use this selector in one or more authentication policies to choose from authentication sources that share a similar level of assurance, such as among multiple HTML Form Adapters or between a Kerberos Adapter and an X.509 Adapter. For example, use this selector to choose an authentication source based on the user's browser identified by the User-Agent HTTP header.

Important:

Do not use this selector to decide whether an authentication source with a higher level of assurance can be bypassed. HTTP request headers could potentially be forged.

  1. Go to Authentication > Policies > Selectors to open the Selectors window.
  2. On the Selectors window, click Create New Instance to start the Create Authentication Selector Instance workflow.
  3. On the Type tab, configure the basics of this authentication selector instance.
  4. On the Authentication Selector tab, click Add a new row to 'Results'.
  5. Under Match Expression, enter an expression to match against the value of the target HTTP header, and click Update.

    Note: Wildcard entries are allowed, such as *value*.

  6. Optional: Repeat the previous step to add more expressions. Display order does not matter.

    Note: Click Edit, Update, or Cancel to make or undo a change to an existing entry. Click Delete or Undelete to remove an existing entry or cancel the removal request.

  7. In the Header Name field, enter the name of the HTTP header you want the selector to inspect. This field is not case-sensitive.
  8. Optional: To disable case-sensitive matching between the HTTP header values from the requests and the Match Expression values specified on this window, clear the Case-Sensitive Matching check box.

    The Case-Sensitive Matching check box is selected by default.

  9. Complete the configuration.
    1. On the Summary tab, click Done.
    2. On the Selectors window, click Save.

When you place this selector instance as a checkpoint in an authentication policy, it forms two policy paths: Yes and No. If the value of the specified HTTP header matches one of the configured values, the selector returns true. The policy engine regains control of the request and proceeds with the policy path configured for the result value of Yes. If the value of the specified HTTP header matches none of the configured values, the selector returns false. The policy engine regains control of the request and proceeds with the policy path configured for the result value of No.

Example

To detect the most common browsers based on the User-Agent HTTP request header, configure an HTTP Header Authentication Selector instance as follows.

  1. Enter these entries under Match Expression.

    | Browser           | Expression |
    | ----------------- | ---------- |
    | Chrome            | *Chrome*   |
    | Firefox           | *Firefox*  |
    | Internet Explorer | *MSIE*     |
    | Safari            | *Safari*   |

    Tip: For more information, see User-agent string changes from Microsoft.

  2. In the Header Name field, enter User-Agent.
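
The following sketch is an added example, not PingFederate code. It models the Yes/No result described above for the four User-Agent expressions, to show which requests land on which policy path. It assumes that `*` is the only wildcard, that an expression must match the whole header value, and that a request without the header yields No. The function names and the sample requests are constructed for illustration.

```python
import re

def wildcard_to_regex(expression, case_sensitive=True):
    # Assumption: '*' is the only wildcard and the whole header value must match.
    body = ".*".join(re.escape(part) for part in expression.split("*"))
    return re.compile(body, re.DOTALL | (0 if case_sensitive else re.IGNORECASE))

def selector_result(headers, header_name, expressions, case_sensitive=True):
    """Return 'Yes' if the named header matches any expression, else 'No'."""
    # Header names are compared case-insensitively, like the Header Name field.
    wanted = header_name.lower()
    value = next((v for k, v in headers.items() if k.lower() == wanted), None)
    if value is None:
        return "No"  # Assumption: an absent header matches no expression.
    patterns = [wildcard_to_regex(e, case_sensitive) for e in expressions]
    return "Yes" if any(p.fullmatch(value) for p in patterns) else "No"

# Match expressions from the example on this page.
EXPRESSIONS = ["*Chrome*", "*Firefox*", "*MSIE*", "*Safari*"]

# Constructed sample requests (header dictionaries), not captured traffic.
SAMPLES = {
    "chrome": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
               "AppleWebKit/537.36 (KHTML, like Gecko) "
               "Chrome/87.0.4280.88 Safari/537.36"},
    "ie10": {"User-Agent": "Mozilla/5.0 (compatible; MSIE 10.0; "
             "Windows NT 6.1; Trident/6.0)"},
    # Internet Explorer 11 no longer sends the MSIE token.
    "ie11": {"user-agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; "
             "Trident/7.0; rv:11.0) like Gecko"},
    "api_client": {"User-Agent": "example-client/1.0"},
    # The header value is whatever the client chooses to send.
    "api_client_with_token": {"User-Agent": "example-client/1.0 Firefox"},
    "lowercase_token": {"User-Agent": "example-client/1.0 firefox"},
    "no_header": {"Accept": "text/html"},
}

def evaluate_all(case_sensitive=True):
    """Map each sample name to the policy path the selector would choose."""
    return {name: selector_result(h, "User-Agent", EXPRESSIONS, case_sensitive)
            for name, h in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:24} -> {result}")
```

The `ie11` and `api_client_with_token` rows are the ones to review when designing the policy: a real browser can fall through to No, and any client can reach Yes by choosing its header value, which is why both paths should end in authentication sources of similar assurance.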