Configuring the Extended Property Authentication Selector - PingFederate - 10.3

PingFederate Server


The Extended Property Authentication Selector enables PingFederate to choose configured authentication sources, or other selectors, based on a match between a selector result value and an extended property value populated in the invoking browser-based SSO connection or OAuth client.

  1. Go to Authentication > Policies > Selectors to open the Selectors window.
  2. On the Selectors window, click Create New Instance to start the Create Authentication Selector Instance workflow.
  3. On the Type tab, configure the basics of this authentication selector instance.
  4. On the Authentication Selector tab, select a property from the Extended Property list.
    Note:

    The extended property is the property that this selector instance should look for from the invoking connection or client, and compare the populated property value, or values if it is a multivalued extended property, against the selector result values defined in this selector instance.

  5. On the Selector Result Values tab, specify one or more expected result values.
    1. Enter the exact, case-sensitive, value under Result Values and click Add.
    2. Optional: Add more values to differentiate criteria for authentication selection.

      Display order matters.

      Expected result values are always sorted alphabetically, in ascending order, regardless of the order in which you add them.

      When you place this selector instance as a checkpoint in an authentication policy, each selector result value forms a policy path. The display order of the resulting policy paths matches the display order here, which may impact the policy outcome. When the policy engine reaches this selector instance, the selector starts from top to bottom. As soon as it finds a match, it exits and returns true. The matching mechanism varies, depending on the type of the extended property selected in step 4.

      Matching mechanism for single-value extended properties
      The selector compares the property value populated in the invoking connection or client against the configured selector result value. When multiple selector result values exist, the selector starts from the top. If the current selector result value is a case-sensitive exact match, it returns true and exits. Otherwise, it moves on to the next selector result value and tries again.
      For example, assume this selector instance, named ExtProps, is configured with expected result values of Alpha, Bravo, and Charlie. The invoking connection is populated with an extended property value of Bravo, and this selector instance is placed as a checkpoint in an authentication policy as follows.
      ExtProps
      +--Alpha
      |  <policy path>
      |
      +--Bravo
      |  <policy path>
      |
      +--Charlie
         <policy path>
      Given this setup, the selector returns true and exits when it reaches the second selector result value. The policy engine regains control of the request and proceeds with the policy path configured for the selector result value of Bravo.
      Matching mechanism for multivalued extended properties
      The selector compares the property values populated in the invoking connection or client against the configured selector result value. If any one of the property values from the invoking connection or client is a case-sensitive exact match, the selector returns true and exits. When multiple selector result values exist, the selector starts from the top. If the current selector result value is a case-sensitive exact match to any one of the property values from the invoking connection or client, it returns true and exits. Otherwise, it moves on to the next selector result value and tries again.
      For example, assume the previous selector instance remains. The invoking connection is populated with extended property values of Alpha and Charlie, and this selector instance remains as a checkpoint in an authentication policy.
      In this scenario, the selector returns true and exits when it reaches the first selector result value. The policy engine regains control of the request and proceeds with the policy path configured for the selector result value of Alpha. Charlie, the third selector result value, is also a case-sensitive exact match to Charlie, one of the property values from the invoking connection, but because the selector has already exited and returned control to the policy engine at Alpha, the policy engine never executes the policy path configured for Charlie. Because paths are evaluated in alphabetical order and evaluation stops at the first match, check which path a connection or client with several property values will actually take before relying on a later path.

      Use the Edit, Update, and Cancel workflow to make or undo a change to an existing entry. Click Delete to remove an entry.

  6. Complete the configuration.
    1. On the Summary tab, click Done.
    2. On the Selectors window, click Save.
  The following example illustrates the matching behavior for a multivalued extended property.

  1. Go to System > Server > Extended Properties.
  2. On the Extended Properties window, define a multivalued extended property, and name it configStatus.
  3. Create an SP connection with the following characteristics:
    • On the Extended Properties window, add two values for the configStatus extended property: DEV and TEST.
    • On the Attribute Source Mapping window, map an authentication policy contract to the service provider (SP) connection. The policy contract name is APC.
  4. Create an instance of the Extended Property Authentication Selector with the following characteristics:
    • On the Type tab, name the selector instance ExtProps.
    • On the Authentication Selector tab, select configStatus from the list.
    • On the Selector Result Values tab, enter DEV and TEST.
  5. Create and activate the following identity provider (IdP) authentication policy.
    ExtProps
    +--DEV
    |  OpenToken
    |  +--Fail: Done
    |  +--Success: APC
    |
    +--TEST
       HTML
       +--Fail: Done
       +--Success: APC

    Configure each APC to fulfill values obtained from its preceding adapter instance.

When processing SSO requests intended for this SP connection, the policy engine matches one of the populated property values, DEV, from the SP connection to the first selector result value, also DEV, so it always invokes the OpenToken IdP Adapter instance on the DEV policy path. The TEST policy path is never executed for this SP connection, even though TEST is also a match.

On the other hand, if you remove the extended property value DEV from the SP connection, leaving only TEST, the policy engine routes SSO requests intended for this SP connection to the HTML Form Adapter instance on the TEST policy path. The DEV policy path is never executed for this SP connection.
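The matching rules described above (values sorted alphabetically, top-to-bottom evaluation, case-sensitive exact match, first match wins, any-value match for multivalued properties) can be modelled to check, before activating a policy, which path a given connection or client will take and which paths it can never reach. The following Python is an added illustration written for this page; it is not PingFederate code. The class and method names are hypothetical, and it assumes Python's code-point ordering for the alphabetical sort, which matches the examples on this page but may differ from PingFederate's ordering for mixed-case values.

```python
"""Model of the Extended Property Authentication Selector matching logic.

Added illustration for the documentation above; not PingFederate code.
Assumptions: result values are ordered with Python's default string sort
(code-point order), and an absent property simply produces no match.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable, Optional, Union

PropertyValue = Union[str, Iterable[str]]  # single-value or multivalued property


@dataclass
class ExtendedPropertySelector:
    """One selector instance: an extended property name plus expected result values."""

    name: str
    extended_property: str
    result_values: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # PingFederate always displays result values sorted alphabetically in
        # ascending order and builds the policy paths in that order, so the
        # order the values were entered in is irrelevant.
        self.result_values = sorted(set(self.result_values))

    @staticmethod
    def _values(raw: PropertyValue) -> set[str]:
        # A single-value property is compared directly; a multivalued property
        # matches when ANY of its populated values equals the result value.
        return {raw} if isinstance(raw, str) else set(raw)

    def select(self, connection_props: dict[str, PropertyValue]) -> Optional[str]:
        """Return the result value (policy path) chosen for the invoking
        connection or client, or None when no result value matches."""
        raw = connection_props.get(self.extended_property)
        if raw is None:
            return None
        populated = self._values(raw)
        for candidate in self.result_values:  # evaluated top to bottom
            if candidate in populated:        # case-sensitive exact match
                return candidate              # first match wins; selector exits
        return None

    def unreachable_paths(self, connection_props: dict[str, PropertyValue]) -> list[str]:
        """Paths that also match this connection but are never executed,
        because an earlier result value already matched and the selector exited."""
        chosen = self.select(connection_props)
        if chosen is None:
            return []
        populated = self._values(connection_props[self.extended_property])
        return [v for v in self.result_values if v != chosen and v in populated]


if __name__ == "__main__":
    # Constructed input mirroring the configStatus example on this page.
    ext_props = ExtendedPropertySelector("ExtProps", "configStatus", ["TEST", "DEV"])
    sp_connection = {"configStatus": ["DEV", "TEST"]}
    print("chosen path:", ext_props.select(sp_connection))
    print("never executed:", ext_props.unreachable_paths(sp_connection))
```

Running the block reproduces the page's result: the connection carrying both DEV and TEST always takes the DEV path, and `unreachable_paths` reports TEST as a path that matches but is never executed. Feeding each real connection's property values through `unreachable_paths` before activating a policy is a cheap way to catch a path that is silently shadowed by an alphabetically earlier one.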