Make sure that you have configured at least two policy contracts to function as input and output contracts.
  1. In the Name field, type a name for the policy fragment.
  2. Optional: Change the identifier for the fragment. This ID is used to reference input and output attributes in the advanced Expressions fulfillment option. The ID cannot be changed after the fragment has been created.
  3. Optional: Type a description for the fragment.
  4. From the Inputs list, select the input authentication policy contract that calling members will need to fulfill. The attributes contained in the contract will be available for use throughout the policy.
  5. From the Outputs list, select the output authentication policy contract that this fragment will fulfill. Calling members will be able to use the values of the attributes contained in the output policy contract.
  6. From the Policy list, select an IdP adapter, an IdP connection, a selector, or a fragment. (Detailed policy configuration instructions are provided in step 5 in Defining authentication policies.)

    As of PingFederate 10.2, you can select Fragments as the policy action and then select a policy fragment that you have created. When you select a fragment, click Fragment Mapping and use the in-product help links to access the topics that describe how to configure the mapping.

    1. Click Options, and select the source and the attribute to be used as the incoming user ID.
    2. Click Rules, and define authentication policy rules using attributes from the previous authentication source.
    3. Configure Fail and Success paths. For a fragment to succeed, you must map it into a local identity profile (LIP) or an authentication policy contract (APC) based on the output contract. You can also use a fragment in a calling policy and set both of the fragment's exit nodes, Fail and Success, to Done.
  7. When you have completed the fragment's configuration, click Save.