The OAuth Client Set Authentication Selector enables PingFederate to choose configured authentication sources or other selectors based on a match found between the client information in an OAuth request and the OAuth clients configured in the PingFederate OAuth authorization server (AS).

Note: The OAuth Client Set Authentication Selector is only applicable to OAuth clients using the authorization code or implicit flow.

  1. Go to Authentication > Policies > Selectors to open the Selectors window.
  2. On the Selectors window, click Create New Instance to start the Create Authentication Selector Instance workflow.
  3. On the Type tab, configure the basics of this authentication selector instance.
  4. On the Authentication Selector tab, click Add a new row to 'Clients'.
    Note: If you do not see Add a new row to 'Clients', go back to the Type tab and ensure you have selected OAuth Client Set Authentication Selector from the Type list.

  5. From the Client ID list, select an OAuth client and click Update.
  6. Optional: Repeat the previous step to add more clients.

    Display order does not matter.

    Click Edit, Update, or Cancel to make or undo a change to an existing entry. Click Delete or Undelete to remove an existing entry or cancel the removal request.

  7. Complete the configuration.
    1. On the Summary tab, click Done.
    2. On the Selectors window, click Save.

When you place this selector instance as a checkpoint in an authentication policy, it forms two policy paths: Yes and No. If the invoking client matches one of the clients from the set, the selector returns true. The policy engine regains control of the request and proceeds with the policy path configured for the result value of Yes. If the invoking client matches none of the clients from the set, the selector returns false. The policy engine regains control of the request and proceeds with the policy path configured for the result value of No.