You can configure authentication policies to use incoming user identifiers at request time.
Some authentication sources make use of a user identifier at request time. For example:
- The PingID Adapter requires a user ID to be passed in from an earlier-authentication step to perform multi-factor authentication.
- The HTML Form Adapter and custom IdP adapters developed using the
IdpAuthenticationAdapterV2
interface from the PingFederate SDK can pre-populate username information based on an incoming user ID. - A SAML 2.0 identity provider (IdP) connection can use an incoming ID to specify the Subject value in its authentication requests.
- An OpenID Connect IdP connection can leverage an incoming user ID to specify a login_hint parameter value in its OAuth authorization requests.
To address these use cases, specify the source and the attribute of the incoming user ID in an authentication policy.
You can select any IdP adapter instance or IdP connection that has been placed in the same policy path ahead of the current authentication source to be the source of the incoming user ID. After you select a source, choose an attribute from the selected IdP adapter contract or IdP connection. At runtime, the attribute value becomes the incoming user ID.
Alternatively, you can use the originating SAML 2.0, WS-Federation, or OpenID Connect authentication request as the source. In this scenario, the incoming user ID is derived from the Subject element in a SAML 2.0 authentication request, the username parameter in a WS-Federation authentication request, or the login_hint parameter in an OpenID Connect authentication request.