Enabling third-party identity providers without registration - PingFederate - 10.2

PingFederate Server


If you have already configured identity provider (IdP) connections or IdP adapters to connect with third-party identity providers, you can enhance the HTML Form Adapter sign-on page with the option to authenticate with these providers.

Assume you have already configured the following:

  • An HTML Form Adapter instance to validate local user credentials.
  • An authentication policy contract.
  • An IdP authentication policy that chains the HTML Form Adapter instance and an authentication policy contract so that the policy contract can harness attribute values returned by the HTML Form Adapter instance for multiple browser-based single sign-on (SSO) use cases via service provider (SP) connections, OAuth authorization code flow, and OAuth implicit flow. The following window capture illustrates your existing policy.
    A screen capture of the Manage Authentication Policies configuration.
This setup involves the following components:
  • IdP connections or IdP adapter instances configured to connect with your third-party identity providers
  • An authentication policy contract
  • A local identity profile
  • An HTML Form Adapter instance
  • An IdP authentication policy

You need to enhance the sign-on experience by giving users the option to authenticate using their existing accounts at ACME, a major social network. It happens that you have already established an IdP connection to this social network.

Configuration steps:

  1. Verify the IdP connection returns the attributes required to complete the browser-based SSO use cases.
    Tip:

    As needed, you can also deploy and configure Cloud Identity Connectors to support identities from Facebook, Google, LinkedIn, or Twitter.

  2. Make a note of which authentication policy contract is currently being used in your policy.
  3. Create a local identity profile using the Authentication > Policies > Local Identity Profiles configuration wizard. Click Create New Profile.
    1. On the Profile Info tab, enter a name in the Local Identity Profile Name field and, from the Authentication Policy Contract list, select the authentication policy contract you noted in step 2. Click Next.
    2. On the Authentication Sources tab, enter ACME under Authentication Source, and then click Add. Click Done to exit the configuration window.
      Note:

      To support additional third-party identity providers, enter a value for each. At runtime, the sign-on page displays them in the order defined on this window.

  4. Configure the HTML Form Adapter instance for customer identities.
    1. Go to Integration > IdP Adapters.
    2. On the IdP Adapters window, from the Instance Name list, click the HTMLFormAdapter instance.
    3. On the IdP Adapter tab, from the Local Identity Profile list, select a local identity profile.
    4. Complete the rest of the configuration and save all changes.
  5. Modify your existing IdP authentication policy.
    1. Go to Authentication > Policies > Policies.
    2. On the Policies tab, under the Policy section, click the existing IdP policy.
    3. Click Rules under the Success path of the HTML Form Adapter instance.
    4. In the Rules dialog, create a policy path for users who choose to authenticate with ACME. For this sample use case, configure the fields as in the following table.
      Defining authentication policy rules fields and entries

      Attribute Name    Condition    Value    Result
      policy.action     equal to     ACME     ACME users

      Important:

      The Value here must match the value defined on the Authentication Sources window. See step 3b.

      The Result field controls the label shown for the policy path of this rule. The value does not need to match the value defined on the Authentication Sources window.

      Important:

      If you have defined multiple third-party identity providers on the Authentication Sources tab, you must repeat these steps to add a policy.action rule to create a policy path for each.

      In addition, ensure the Default to Success check box is selected. When selected, the Success path remains, which is important for this sample use case where users can also authenticate using their local accounts.

    5. When finished, click Done. This will bring you back to the Authentication Policies window.
    6. For the ACME users path, select the IdP connection to ACME under Action.
      Tip:

      Generally speaking, any IdP adapter instance or IdP connection that connects to the third-party identity provider can be used here.

      1. For its Fail path, select Done.
        Note:

        If you have defined multiple third-party identity providers and added rules to create a policy path for each, you can select Restart. The Restart policy action provides users the opportunity to do over. When triggered, the policy engine routes the requests back to the first checkpoint of the invoked authentication policy.

        By selecting Restart for the Fail path, you give users the opportunity to choose another third-party identity provider when they fail to authenticate through ACME.

      2. For its Success path, select the local identity profile created in step 3 and then complete the Local Identity Mapping configuration.
        Note:

        Because this use case does not involve registration, the source of fulfillment is limited to the preceding IdP connection or IdP adapter instance, dynamic text, and attribute mapping expression, if enabled.

      The following screen capture illustrates your new policy.
      A screen capture of the Authentication Policies window
    7. Click Save to keep your changes.
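The following is an added example, not PingFederate code: a small model of the policy path the steps above build. It shows why the rule Value must match an Authentication Source exactly (step 3b and step 5d) and why Default to Success must stay selected so that local sign-on keeps working; the rule values, the hypothetical IdP connection name and the sample outcomes are constructed for illustration.

```python
# Added example: a model of the HTML Form Adapter checkpoint described above.
# A matching policy.action value routes the request to the third-party IdP
# connection; no match falls through to Success (Default to Success); a failed
# third-party attempt follows the configured Fail path (Done or Restart).
from dataclasses import dataclass

# Authentication Sources entered on the Local Identity Profile (step 3b).
# Rule values must match these exactly, so the check below is case-sensitive.
AUTH_SOURCES = ["ACME"]

@dataclass
class Rule:
    attribute: str    # e.g. "policy.action"
    value: str        # must match an Authentication Source value
    result: str       # label of the policy path, e.g. "ACME users"
    idp: str          # IdP connection or adapter selected under Action
    fail_action: str  # "Done" or "Restart"

@dataclass
class Policy:
    rules: list
    default_to_success: bool = True

def validate_rules(policy):
    """Return rule values that do not match any Authentication Source (misconfigurations)."""
    return [r.value for r in policy.rules if r.value not in AUTH_SOURCES]

def route(policy, form_attrs, idp_results):
    """Trace one pass through the checkpoint.

    form_attrs: attributes returned by the form, e.g. {"policy.action": "ACME"}
    idp_results: hypothetical outcome per IdP connection, e.g. {"ACME IdP": False}
    """
    trail = ["HTMLFormAdapter"]
    chosen = next((r for r in policy.rules
                   if form_attrs.get(r.attribute) == r.value), None)
    if chosen is None:
        # Local-account sign-on: only reaches Success when Default to Success is set.
        trail.append("Success" if policy.default_to_success else "Fail")
        return trail
    trail += [chosen.result, chosen.idp]
    if idp_results.get(chosen.idp, False):
        trail.append("LocalIdentityMapping")  # step 6b: map to the local identity profile
    else:
        trail.append(chosen.fail_action)
        if chosen.fail_action == "Restart":
            trail.append("HTMLFormAdapter")  # back to the first checkpoint to choose again
    return trail
```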

You have now successfully added the option to authenticate via ACME without enabling registration. When users sign on through this HTML Form Adapter instance, the following sign-on page is presented.

A screen capture of a sample sign-on page with an option to sign on with ACME

If you have added Facebook, Google, LinkedIn, and Twitter as the authentication sources, the following sign-on page is presented.

A screen capture of a sample sign-on page with an option to sign on with ACME and more

Users can sign on using their local accounts or third-party identity provider accounts.