You can configure service provider (SP) authentication policies to handle different authentication requirements for multiple identity provider (IdP) connections.
Assume you configure the following use cases in an earlier version of PingFederate:
- Two SP adapter instances:

  | Instance Name | Instance ID | Extended Contract |
  |---|---|---|
  | Sample | sample | subject and email |
  | Sample Delta | sampleDelta | subject and email |

- Three target URL mapping entries:

  | URL | Target Session |
  |---|---|
  | https://sso.xray.local:9031/SpSample/MainPage?app=Alpha&* | Sample |
  | https://sso.xray.local:9031/SpSample/MainPage?app=Charlie&* | Sample |
  | https://sso.xray.local:9031/SpSample/MainPage?app=Delta&* | Sample Delta |
- Three IdP connections to your partners:

  | Partner (Federation ID) | Identity Mapping | Attribute Contract | Target Session Mapping: SP adapter instance name (SP adapter instance ID) |
  |---|---|---|---|
  | Alpha (sso.alpha.local) | Account Mapping | SAML_SUBJECT and samlEmail | Sample (sample) |
  | Charlie (sso.charlie.local) | Account Mapping | SAML_SUBJECT and samlEmail | Sample (sample) |
  | Delta (sso.delta.local) | Account Mapping | SAML_SUBJECT and samlEmail | Sample Delta (sampleDelta) |
In this example, all partners support SAML 2.0 and only the SP-initiated single sign-on (SSO) profile.
- SP-initiated SSO URLs for users from Alpha, Charlie, and Delta:

  | Partner | SSO URL |
  |---|---|
  | Alpha | https://sso.xray.local:9031/sp/startSSO.ping?PartnerIdpId=sso.alpha.local&TargetResource=https%3A%2F%2Fsso.xray.local%3A9031%2FSpSample%2FMainPage%3Fapp%3DAlpha%26t%3Daa |
  | Charlie | https://sso.xray.local:9031/sp/startSSO.ping?PartnerIdpId=sso.charlie.local&TargetResource=https%3A%2F%2Fsso.xray.local%3A9031%2FSpSample%2FMainPage%3Fapp%3DCharlie%26t%3Dc |
  | Delta | https://sso.xray.local:9031/sp/startSSO.ping?PartnerIdpId=sso.delta.local&TargetResource=https%3A%2F%2Fsso.xray.local%3A9031%2FSpSample%2FMainPage%3Fapp%3DDelta%26t%3Dd |
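The following is an added example (not PingFederate code, and not from this documentation) that models two things the configuration above relies on: how an SP-initiated SSO URL is assembled so that the `?`, `&` and `=` inside `TargetResource` survive inside the outer query string, and how the SP endpoint would later match the decoded `TargetResource` against the Target URL Mapping entries to choose an SP adapter instance. The host, federation IDs, mapping patterns and adapter IDs come from the tables above; the wildcard semantics (`*` matches any run of characters, everything else is literal) are a simplifying assumption, not a statement of PingFederate's actual matching rules.

```python
"""
Added example: SP-initiated SSO URL construction and Target URL Mapping
resolution, modelled on the page's sample configuration.

Assumptions (not from the page): '*' in a mapping pattern matches any run of
characters and everything else is literal; the first matching entry wins.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

SP_HOST = "https://sso.xray.local:9031"

# Target URL Mapping entries from the page: pattern -> SP adapter instance ID.
TARGET_URL_MAPPINGS = [
    (f"{SP_HOST}/SpSample/MainPage?app=Alpha&*", "sample"),
    (f"{SP_HOST}/SpSample/MainPage?app=Charlie&*", "sample"),
    (f"{SP_HOST}/SpSample/MainPage?app=Delta&*", "sampleDelta"),
]

# Partner name -> federation ID, from the page's IdP connection table.
PARTNERS = {
    "Alpha": "sso.alpha.local",
    "Charlie": "sso.charlie.local",
    "Delta": "sso.delta.local",
}


def build_sso_url(partner_idp_id: str, target_resource: str) -> str:
    """Assemble the /sp/startSSO.ping URL.

    urlencode percent-encodes the whole TargetResource value, so its own
    '?', '=' and '&' cannot be mistaken for separators of the outer query.
    """
    query = urlencode({"PartnerIdpId": partner_idp_id, "TargetResource": target_resource})
    return f"{SP_HOST}/sp/startSSO.ping?{query}"


def parse_sso_request(url: str) -> dict:
    """What the SP endpoint sees after decoding: the PartnerIdpId parameter
    (the value an HTTP Request Parameter Authentication Selector would read)
    and the original TargetResource."""
    qs = parse_qs(urlsplit(url).query)
    return {
        "PartnerIdpId": qs["PartnerIdpId"][0],
        "TargetResource": qs["TargetResource"][0],
    }


def _pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a mapping pattern into an anchored regex: literal text is
    escaped, each '*' becomes '.*'."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$")


def resolve_target_session(target_resource: str):
    """Return the SP adapter instance ID of the first mapping whose pattern
    matches the decoded TargetResource, or None when nothing matches."""
    for pattern, adapter_id in TARGET_URL_MAPPINGS:
        if _pattern_to_regex(pattern).match(target_resource):
            return adapter_id
    return None


if __name__ == "__main__":
    for name, idp_id in PARTNERS.items():
        target = f"{SP_HOST}/SpSample/MainPage?app={name}&t={name[0].lower()}"
        url = build_sso_url(idp_id, target)
        req = parse_sso_request(url)
        print(name, req["PartnerIdpId"], "->", resolve_target_session(req["TargetResource"]))
```

Running the block round-trips the three SSO URLs from the table and prints the adapter instance each resolves to (`sample`, `sample`, `sampleDelta`). A request whose `app` value has no mapping entry (for instance `app=Echo`, which the page adds only in step 10) resolves to `None`; because the patterns end in `&*` rather than `*`, `app=Alphabet&t=a` does not accidentally fall through to the Alpha mapping either.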
Now assume the following new requirements:
- Create new IdP connections to three new partners: Echo, Foxtrot, and Golf.
- Enforce multi-factor authentication (MFA) for users from Alpha, Charlie, Echo, and Golf through Bravo. Bravo requires a user ID to be passed in from the original source and returns only the user ID when the user fulfills the MFA requirement.
The new required components are:
- Two additional SP adapter instances. For more information, see step 1:
  - Sample Echo to integrate with Echo's target application.
  - Sample Golf to integrate with Golf's target application.
- Four new IdP connections. For more information, see step 2, step 3, and step 4:

  | Partner (Federation ID) | Identity Mapping | Attribute Contract | Target Session Mapping: SP adapter instance name (SP adapter instance ID) |
  |---|---|---|---|
  | Bravo (sso.bravo.local) | No Mapping | SAML_SUBJECT and no other attributes | N/A |
  | Echo (sso.echo.local) | No Mapping | SAML_SUBJECT and samlEmail | N/A |
  | Foxtrot (sso.foxtrot.local) | Account Mapping | SAML_SUBJECT and samlEmail | Sample (sample) |
  | Golf (sso.golf.local) | No Mapping | SAML_SUBJECT and samlEmail | N/A |

  In this example, all partners support SAML 2.0 and only the SP-initiated SSO profile.
- Three authentication policy contracts. For more information, see step 5:
  - An authentication policy contract, Authenticated, to carry user attributes from Alpha and Charlie to their respective target applications.
  - Two other authentication policy contracts, Echo authenticated and Golf authenticated, to carry user attributes from Echo and Golf to their target applications.
- An instance of the HTTP Request Parameter Authentication Selector, PartnerIdpId, to determine if a request is meant for Alpha or Charlie, because Alpha's and Charlie's target applications share an SP adapter instance. For more information, see step 6.
- Three SP authentication policies to enforce the multi-factor authentication requirement. For more information, see step 7, step 8, and step 12.
- Three adapter mappings between the authentication policy contracts and the applicable SP adapter instances. For more information, see step 9:
  - Map from Authenticated to Sample.
  - Map from Echo authenticated to Sample Echo.
  - Map from Golf authenticated to Sample Golf.
- Three additional target URL mappings between the applications requested by users from Echo, Foxtrot, and Golf and their respective SP adapter instances. For more information, see step 10.
- SSO URLs for all partners. For more information, see step 11.
Follow these steps to fulfill the new requirements: