You can create and manage authentication applications that use the authentication API.
Authentication applications display user interfaces to collect credentials when authentication is completed through the PingFederate authentication API. The default authentication application is used for authentication sources that support the authentication API functionality and are invoked directly, rather than as part of an authentication policy.
- To manage authentication applications, go to .
To toggle the availability of authentication API support, select or clear the Enable Authentication API check box.
The Enable API Explorer, Restrict Access to Redirectless Mode, and Include Request Context in API Responses check boxes are applicable and shown if the Enable Authentication API check box is selected.
Enable API Explorer
PingFederate includes an API Explorer that allows you to view the states, actions, and models available for the various API-capable adapters and selectors included in your PingFederate environment.
The endpoint for the Authentication API Explorer is /pf-ws/authn/explorer. For more information, see Exploring the authentication API.
This check box is enabled by default.
Restrict Access to Redirectless Mode
It is strongly recommended to enable the Restrict Access to Redirectless Mode setting. If it is not enabled, authentication applications can use a user's existing session to obtain tokens for any public client defined in the deployment, that is, any client with no authentication method defined.
Enabling Restrict Access to Redirectless Mode ensures that authentication applications can only obtain tokens for the client specified in the application's settings. When you enable this setting, make sure to update authentication applications that use redirectless mode and specify the client that they are allowed to use.
For more information on how to allow highly-trusted authentication applications to employ the PingFederate Authentication API, see Configuring authentication applications.
Restrict Access to Redirectless Mode is enabled by default.
Include Request Context in API Responses
To pass single sign-on (SSO) request context parameters and tracked parameters to authentication applications, select the Include Request Context in API Responses check box.
Enabling this feature allows authentication API clients to use the context of SSO requests to make decisions and change branding. When enabled, the authentication API response includes the requestContext parameter of type Map. The following parameters are included when they are relevant to the SSO transaction:
- The ID of the identity provider (IdP) adapter or the authentication selector
- The ID of the service provider (SP) connection used in the SSO transaction
- The name of the SP connection or OAuth client used in the SSO transaction
- The ID of the OAuth client used in the SSO transaction
- The ID of the SP adapter used in the SSO transaction
- The OIDC
- An array of the tracked HTTP parameters passed when processing authentication policies
- The defined extended properties, which are passed to all applicable Velocity templates and as a request context parameter in the authentication API
Except for tracked HTTP parameters, these parameters do not include sensitive information. Whether tracked HTTP parameters include sensitive information depends on which parameters you choose to track in policies. For information about configuring tracked HTTP parameters, see Defining authentication policies.
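The following is an added example (not Ping Identity code) of how an authentication application might consume the requestContext map described above: it uses the SP connection ID to pick branding and records the identifiers, but keeps the values of tracked HTTP parameters out of its logs because those may be sensitive. The JSON key names inside requestContext and the name/value shape of the tracked-parameter array are assumptions; only the requestContext name itself comes from this page.

```python
"""Defensive handling of the requestContext map returned by the PingFederate
authentication API when "Include Request Context in API Responses" is on.
Added example, not product code. Key names inside requestContext are
ASSUMPTIONS; the documentation lists the items but not their JSON keys."""
import json

# Assumed keys for the non-sensitive identifiers the documentation lists.
IDENTIFIER_KEYS = ("idpAdapterId", "spConnectionId", "spConnectionName",
                   "oauthClientId", "spAdapterId")
# Assumed key for the array of tracked HTTP parameters (may be sensitive).
TRACKED_KEY = "trackedHttpParameters"

# Constructed sample response; not captured from a real deployment.
SAMPLE_RESPONSE = json.dumps({
    "id": "EXAMPLE_FLOW_ID",
    "status": "USERNAME_PASSWORD_REQUIRED",
    "requestContext": {
        "spConnectionName": "Payroll Portal",
        "spConnectionId": "payroll-sp",
        "oauthClientId": "payroll-web",
        "trackedHttpParameters": [{"name": "employee_id", "value": "E-12345"}],
    },
})

# Branding chosen per SP connection ID, with a fallback theme.
BRANDING_BY_SP = {"payroll-sp": "payroll-theme", "default": "default-theme"}


def split_request_context(raw_response):
    """Return (identifiers, tracked_params) from an authentication API response."""
    ctx = json.loads(raw_response).get("requestContext") or {}
    identifiers = {k: ctx[k] for k in IDENTIFIER_KEYS if k in ctx}
    tracked = ctx.get(TRACKED_KEY, [])
    return identifiers, tracked


def choose_branding(identifiers):
    """Pick a theme from the SP connection ID, falling back to the default."""
    return BRANDING_BY_SP.get(identifiers.get("spConnectionId"),
                              BRANDING_BY_SP["default"])


def loggable_context(identifiers, tracked):
    """Identifiers are safe to log verbatim; for tracked parameters log only the
    names, since their values depend on which parameters policies track."""
    return {**identifiers, "trackedParameterNames": [p["name"] for p in tracked]}
```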
In the Default Authentication Application section, perform any of the following actions.
Default Authentication Application
Select an application from the list to designate as the default authentication application.
Click to open a pop-up window listing the configurations in which the authentication application is used.
Note: This is only available for the default authentication application.
Add Authentication Application
Click to add a new authentication application. See Configuring authentication applications.
Click to remove an authentication application.
- Click Save.