Configuring the Requested AuthN Context Authentication Selector - PingFederate - 11.3

PingFederate Server

bundle
pingfederate-113
ft:publication_title
PingFederate Server
Product_Version_ce
PingFederate 11.3 (Latest)
category
Administrator
Administratorguide
Audience
Capability
ContentType
DeploymentMethod
Guide
Product
Productdocumentation
SingleSignonSSO
Software
SystemAdministrator
pf-113
pingfederate
ContentType_ce
Product documentation
Guide > Administrator Guide
Guide

The Requested AuthN Context Authentication Selector enables PingFederate to choose configured authentication sources or other selectors.

This selector chooses authentication sources or selectors based on the authentication contexts requested by a service provider (SP)service provider (SP)SP In SAML, an entity that receives and accepts an authentication assertion issued by an identity provider (IdP), typically for the purpose of allowing access to a protected resource.) for browser single sign-on (SSO)single sign-on (SSO)sso The process of authenticating an identity (signing on) at one website (usually with a user ID and password) and then accessing resources secured by other domains without re-authenticating. requests, or a relying party (RP)relying party (RP)RP An OAuth 2.0 client that requires end-user's authenticity and claims (attributes) from an OpenID provider. for OAuth with OpenID Connect (OIDC)OpenID Connect (OIDC)OIDC An authentication protocol built on top of OAuth that authenticates users and enables clients (relying parties) of all types to request and receive information about authenticated sessions and users. OIDC is extensible, allowing clients to use optional features such as encryption of identity data, discovery of OpenID Providers (OAuth authorization servers), and session management. use cases in authentication policies.

For browser SSO, this authentication selector works in conjunction with SP connections with SAMLSAML (Security Assertion Markup Language) A standard, XML-based, message-exchange framework enabling the secure transmittal of authentication tokens and other user attributes across domains. 2.0 only, using the SP-initiated SSO profile. Other browser SSO protocols do not support authentication context. For OAuth, clients supporting the OIDC protocol must include the optional acr_values parameter in their authorization requests to indicate their preferred authentication context, or contexts.

  1. Go to Authentication > Policies > Selectors to open the Selectors window.
  2. On the Selectors window, click Create New Instance to start the Create Authentication Selector Instance workflow.
  3. On the Type tab, configure the basics of this authentication selector instance.
  4. On the Authentication Selector tab, configure the applicable selector instance settings:
    1. Select the Add or Update AuthN Context Attribute check box if you want to update the authentication context attribute value with the value specified in the Selector Result Values tab.

      When selected, which is the default, the check box on this window provides a means to:

      • Add the value of the authentication context determined by the selector into the SAML assertion.
      • When applicable, replace any value returned from the associated adapter instance with the selector result value.
    2. Optional: Select the Override AuthN Context for Flow check box to allow the authentication selector result value to override the authentication context value for the entire policy flow.
      Note:

      This check box is only available when the Add or Update AuthN Context Attribute check box is selected.

      When selected, which is the default for fresh installations, the selector result will determine the authentication context value for the entire flow and override any subsequently invoked authentication sources and their authentication context values. This authentication selector result value takes precedence and determines the authorization context in the outgoing assertion or ID token.

    3. Optional: Enable policy paths to handle additional scenarios.

      For more information, refer to the following table.

      Field Description

      Enable 'No Match' Result Value

      Selector evaluation fails and the next applicable authentication policy is executed if the requested authentication context does not match any of the configured selector result values.

      Select this check box if you want to enable a policy path to handle this scenario. This check box is not selected by default.

      Enable 'Not in Request' Result Value

      Selector evaluation fails and the next applicable authentication policy is executed if no requested authentication context is found.

      Select this check box if you want to enable a policy path to handle this scenario. This check box is not selected by default.

  5. In the Selector Result Values window, specify the authentication contexts to use as the criteria:
    1. Enter the exact, case-sensitive parameter value under Result Values, and then click Add.
      Note:

      The value can include URIs defined in Authentication Context for the OASIS Security Assertion Markup Language (SAML) 2.0 or any other value agreed upon with the partner.

    2. Optional: Add more values to differentiate criteria for authentication selection.

      Display order does not matter.

      Each selector result value forms a policy path when you place this selector instance as a checkpoint in an authentication policy (regardless of whether you have enabled the No Match or Not in Request policy path in step 4b).

      Use the Edit, Update, and Cancel workflow to make or undo a change to an existing entry. Click Delete to remove an entry.

  6. Complete the configuration.
    1. On the Summary tab, click Done.
    2. On the Selectors window, click Save.