Configuring the OAuth Scope Authentication Selector - PingFederate - 10.3

PingFederate Server

The OAuth Scope Authentication Selector enables PingFederate to choose configured authentication sources or other selectors based on a match found between the scopes of an OAuth authorization request and scopes configured in the PingFederate OAuth authorization server (AS).

Before you begin, go to System > OAuth Settings > Authorization Server Settings and configure one or more scopes. The selector can only match scopes that are defined there.

This selector lets you tie the strength of authentication to what the client is asking for. For example, if a client requests a scope that grants write access to a resource, you can deploy an instance of the OAuth Scope Authentication Selector in one or more authentication policies to route that request to an adapter that offers a stronger form of authentication, such as an X.509 client certificate adapter, instead of username and password.

  1. Go to Authentication > Policies > Selectors to open the Selectors window.
  2. On the Selectors window, click Create New Instance to start the Create Authentication Selector Instance workflow.
  3. On the Type tab, configure the basics of this authentication selector instance (instance name, instance ID, and selector type).
  4. On the Authentication Selector tab, select the required scopes, scope groups, or both.
    Note:

    Both common and exclusive scopes are available for selection.

    Important:

    This selector matches only scopes from OAuth authorization requests sent to the authorization endpoint, /as/authorization.oauth2. SAML single sign-on (SSO) requests never satisfy this selector's criteria and always produce a result of No. If you use this selector together with selectors that are specific to SAML connections, list this selector first in the mapping list so that it takes precedence for OAuth requests without disrupting the selector logic for SAML connections.

  5. Complete the configuration.
    1. On the Summary tab, click Done.
    2. On the Selectors window, click Save.

When you mark this selector instance as a checkpoint in an authentication policy, it forms two policy paths: Yes and No. If the scopes in the authorization request satisfy all of the selected scopes, that is, every selected scope is present in the request (the request may also carry additional scopes), the selector returns true and the policy engine continues along the path configured for the result value of Yes. If one or more of the selected scopes is missing from the request, the selector returns false and the policy engine continues along the path configured for the result value of No. The selector only routes the request; it does not by itself grant or deny the requested scopes.
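The following is an added example, not code from the PingFederate product or its documentation. It models the checkpoint logic described above in Python so you can check your own expectations before building a policy: a request is inspected only if its path is the authorization endpoint, and it takes the Yes path only when every selected scope appears in the request's `scope` parameter. The URLs, the client identifier, the adapter names and the SAML endpoint path are constructed for the example; scope groups are not modelled, and the handling of a repeated `scope` query parameter is an assumption, since the page does not state how PingFederate treats one.

```python
from urllib.parse import parse_qs, urlsplit

# The only endpoint the selector inspects (stated on the page). The comparison
# here is on the URL path alone; host and query string are ignored (assumption).
AUTHORIZATION_ENDPOINT = "/as/authorization.oauth2"


def requested_scopes(request_url: str) -> set[str]:
    """Return the set of scopes carried by an OAuth authorization request.

    RFC 6749 section 3.3 defines `scope` as a space-delimited list. If the
    parameter is repeated, the values are merged (assumption for this model).
    """
    query = parse_qs(urlsplit(request_url).query)
    scopes: set[str] = set()
    for value in query.get("scope", []):
        scopes.update(value.split())
    return scopes


def evaluate_selector(request_url: str, selected_scopes: set[str]) -> str:
    """Model of the selector's checkpoint result: "Yes" or "No".

    "Yes" requires both conditions from the page: the request targets the
    authorization endpoint, and the requested scopes include every selected
    scope. Extra requested scopes do not matter. Any other endpoint, such as a
    SAML SSO request, is "No" regardless of its parameters.
    """
    if urlsplit(request_url).path != AUTHORIZATION_ENDPOINT:
        return "No"
    return "Yes" if selected_scopes <= requested_scopes(request_url) else "No"


def choose_adapter(request_url: str, selected_scopes: set[str],
                   strong_adapter: str, default_adapter: str) -> str:
    """Hypothetical policy: the Yes path leads to the stronger adapter."""
    if evaluate_selector(request_url, selected_scopes) == "Yes":
        return strong_adapter
    return default_adapter


# Constructed sample requests (not captured traffic).
WRITE_REQUEST = ("https://sso.example.com/as/authorization.oauth2"
                 "?client_id=app&response_type=code&scope=openid%20profile%20write")
READ_REQUEST = ("https://sso.example.com/as/authorization.oauth2"
                "?client_id=app&response_type=code&scope=openid+profile")
# Illustrative SAML SSO request path; the exact endpoint is an assumption.
SAML_REQUEST = "https://sso.example.com/idp/SSO.saml2?SAMLRequest=..."

if __name__ == "__main__":
    for name, url in [("write", WRITE_REQUEST), ("read", READ_REQUEST),
                      ("saml", SAML_REQUEST)]:
        print(name, evaluate_selector(url, {"write"}),
              choose_adapter(url, {"write"}, "X509Adapter", "FormAdapter"))
```

The third case is the one the Important note warns about: a SAML request has no `scope` parameter at all, but it is the endpoint check, not the empty scope set, that puts it on the No path, which is why the selector must sit ahead of SAML-specific selectors in the mapping list.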