PingFederate can evaluate various criteria to determine whether users are authorized to access service provider (SP) resources.
On the Issuance Criteria tab, define the criteria that must be satisfied in order for PingFederate to process a request further. This token authorization feature provides the capability to conditionally approve or reject requests based on individual attributes.
Begin this optional configuration by adding a criterion. Choose the source that contains the attribute to be verified. Some sources, such as Mapped Attributes, are common to almost all use cases. Other sources, such as JDBC, depend on the type of configuration. Irrelevant sources are automatically hidden. After you select a source, choose the attribute to be verified. Depending on the selected source, the available attributes or properties vary. Finally, specify the comparison method and the desired, compared-to, value.
If you define multiple criteria, all criteria must be satisfied for PingFederate to move a request to the next phase. A criterion is satisfied when the runtime value of the selected attribute matches or does not match the specified value depending on the chosen comparison method. The multi-value contains and multi-value does not contain comparison methods are intended for attributes that might contain multiple values. Such criterion is considered satisfied if one of the multiple values matches or does not match the specified value. Values are compared verbatim. If you require complex evaluations, including conditional criteria or partial matching, define them using attribute mapping expressions.
When you multiplex one connection for multiple environments, consider using attribute mapping expressions to verify the virtual server ID in conjunction with other conditions, such as group membership information, to protect against unauthorized access. For more information, see Multiple virtual server IDs and Issuance criteria and multiple virtual server IDs.
All criteria defined must be satisfied or evaluated as true for a request to move forward. As soon as one criterion fails, PingFederate rejects the request and returns an error message.