Managing authentication applications - PingFederate - 11.2

PingFederate Server


You can create and manage authentication applications that use the authentication API.

Authentication applications display user interfaces to collect credentials when authentication is completed through the PingFederate authentication API. The default authentication application is used for authentication sources that support the authentication API functionality and are invoked directly, rather than as part of an authentication policy.

  1. To manage authentication applications, go to Authentication > Integration > Authentication API Applications.
    Screenshot of the Authentication API Applications window
  2. To toggle the availability of authentication API support, select or clear the Enable Authentication API check box.
    Note:

    The Enable API Explorer, Restrict Access to Redirectless Mode, and Include Request Context in API Responses check boxes are applicable and shown if the Enable Authentication API check box is selected.

    Option / Description

    Enable API Explorer

    PingFederate includes an API Explorer that allows you to view the states, actions, and models available for the various API-capable adapters and selectors included in your PingFederate environment.

    The endpoint for the Authentication API Explorer is /pf-ws/authn/explorer. For more information, see Exploring the authentication API.

    This check box is enabled by default.

    Restrict Access to Redirectless Mode

    It is strongly recommended to enable the Restrict Access to Redirectless Mode setting. If it is not enabled, authentication applications can use a user's existing session to obtain tokens for any public client defined in the deployment, that is, any client with no authentication method defined.

    Enabling Restrict Access to Redirectless Mode ensures that authentication applications can only obtain tokens for the client specified in the application's settings. When you enable this setting, make sure to update authentication applications that use redirectless mode and specify the client that they are allowed to use.

    For more information on how to allow highly-trusted authentication applications to employ the PingFederate Authentication API, see Configuring authentication applications.

    Restrict Access to Redirectless Mode is enabled by default.

    Include Request Context in API Responses

    To pass single sign-on (SSO) request context parameters and tracked parameters to authentication applications, select the Include Request Context in API Responses check box.

    Enabling this feature allows authentication API clients to use the context of SSO requests to make decisions and change branding. When enabled, the authentication API response includes the requestContext parameter of type Map. The following parameters are included when they are relevant to the SSO transaction:

    pluginId: The ID of the identity provider (IdP) adapter or the authentication selector
    entityId: The ID of the service provider (SP) connection used in the SSO transaction
    applicationName: The name of the SP connection or OAuth client used in the SSO transaction
    client_id: The ID of the OAuth client used in the SSO transaction
    spAdapterId: The ID of the SP adapter used in the SSO transaction
    oidcUiLocales: The OIDC ui_locales
    trackedHttpParams: An array of the tracked HTTP parameters passed when processing authentication policies
    extendedProperties: Passes defined extended properties to all applicable Velocity templates and as a request context parameter in the authentication API
    Note:

    Except for tracked HTTP parameters, these parameters do not include sensitive information. Whether tracked HTTP parameters include sensitive information depends on which parameters you choose to track in policies. For information about configuring tracked HTTP parameters, see Defining authentication policies.
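The following is an added example, not code from the PingFederate documentation or product, showing how a browser-based authentication application could consume the requestContext map described above: choosing a locale from oidcUiLocales, choosing branding from client_id or applicationName, and passing only allowlisted tracked HTTP parameters on to the UI because those are the one part of the context that may carry sensitive values. The sample response is constructed; apart from requestContext and the keys listed in the documentation, its fields and the {name, value} shape of trackedHttpParams entries are assumptions.

```javascript
// Added example (not from the PingFederate documentation or product).
// Constructed sample response: only `requestContext` and the keys named in
// the documentation are taken from the page; everything else is assumed.
const sampleResponse = {
  id: "EXAMPLE-FLOW-ID",                 // assumed field
  status: "USERNAME_PASSWORD_REQUIRED",  // assumed field
  requestContext: {
    pluginId: "HTMLFormAdapter1",
    entityId: "https://sp.example.com",
    applicationName: "Example Customer Portal",
    client_id: "portal-web",
    oidcUiLocales: "fr-CA fr en",
    // Entry shape {name, value} is an assumption.
    trackedHttpParams: [
      { name: "campaign", value: "spring" },
      { name: "otp_hint", value: "12" }
    ],
    extendedProperties: { theme: "customer" }
  }
};

// Pick the first of the application's supported locales that matches the
// OIDC ui_locales list (space-separated BCP 47 tags, most preferred first).
// Falls back to the first supported locale when the context is absent,
// which is the case when the setting is disabled.
function chooseLocale(requestContext, supportedLocales) {
  const fallback = supportedLocales[0];
  const preferred = (requestContext && requestContext.oidcUiLocales) || "";
  for (const tag of preferred.split(/\s+/).filter(Boolean)) {
    const lower = tag.toLowerCase();
    const exact = supportedLocales.find((l) => l.toLowerCase() === lower);
    if (exact) return exact;
    // Fall back to the language subtag, e.g. fr-CA -> fr.
    const language = lower.split("-")[0];
    const byLanguage = supportedLocales.find((l) => l.toLowerCase() === language);
    if (byLanguage) return byLanguage;
  }
  return fallback;
}

// Choose a branding profile from the OAuth client or SP connection that
// started the SSO transaction. Neither key is present for flows invoked
// directly rather than through a client or connection, so a default is needed.
function chooseBranding(requestContext, brandingByClient, brandingByApplication, defaultBranding) {
  if (!requestContext) return defaultBranding;
  const { client_id: clientId, applicationName } = requestContext;
  if (clientId && brandingByClient[clientId]) return brandingByClient[clientId];
  if (applicationName && brandingByApplication[applicationName]) {
    return brandingByApplication[applicationName];
  }
  return defaultBranding;
}

// Tracked HTTP parameters may contain sensitive values depending on what the
// policies track, so expose only explicitly allowlisted names to the UI or to
// client-side logging.
function allowlistTrackedParams(requestContext, allowedNames) {
  const params = (requestContext && requestContext.trackedHttpParams) || [];
  const allowed = new Set(allowedNames);
  const result = {};
  for (const p of params) {
    if (p && allowed.has(p.name)) result[p.name] = p.value;
  }
  return result;
}

// Usage with the constructed sample.
const ctx = sampleResponse.requestContext;
console.log(chooseLocale(ctx, ["en", "fr", "es"]));
console.log(chooseBranding(ctx, { "portal-web": "portal" }, {}, "default"));
console.log(allowlistTrackedParams(ctx, ["campaign"]));
```

Keep the allowlist of tracked parameter names in step with the parameters tracked in your authentication policies, so that a newly tracked sensitive parameter is not exposed by default.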

  3. In the Default Authentication Application section, perform any of the following actions.
    Option / Action

    Default Authentication Application

    Select an application from the list to designate as the default authentication application.

    Check Usage

    Click to open a pop-up window listing the configurations in which the authentication application is used.

    Note:

    This is only available for the default authentication application.

    Add Authentication Application

    Click to add a new authentication application. See Configuring authentication applications.

    Delete

    Click to remove an authentication application.

  4. Click Save.