You can configure a service provider (SP) authentication policy to enforce authentication requirements for an identity provider (IdP) connection.
- An SP adapter instance deployed, configured, and integrated with the target application.
- An IdP connection to the partner. For more information, see step 1.
- An IdP connection to the third-party IdP that facilitates the multifactor authentication process. For more information, see step 2.
- An authentication policy contract to carry user attributes from the partner to the target application. For more information, see step 3.
- An SP authentication policy. For more information, see step 4 and step 7.
- An adapter mapping between the authentication policy contract and the applicable SP adapter instance. For more information, see step 5.
- An SP-initiated single sign-on (SSO) URL. For more information, see step 6.
In this example, you want to create an IdP connection to Alpha, which passes two attributes in its assertions, SAML_SUBJECT and samlEmail, on your PingFederate SP server. You also want to enforce multi-factor authentication (MFA) for users from Alpha through Bravo, a third-party IdP that returns only the SAML_SUBJECT attribute and requires a user ID to be passed in from the original source. Both Alpha and Bravo support SAML 2.0 and only the SP-initiated single sign-on (SSO) profile.
Create an SP adapter instance using the Sample and sample , respectively. On , the base URL for your PingFederate SP server is https://sso.xray.local:9031. There are no other IdP connections besides those required to connect with Alpha and Bravo.