Individual attributes within policy contracts can further determine whether PingFederate approves or rejects requests. You can define those criteria to satisfy or you can choose to skip this configuration.
On the Issuance Criteria tab, define the criteria to satisfy for PingFederate to further process a request. Use this token authorization feature to conditionally approve or reject requests based on individual attributes.
Begin this optional configuration by choosing the source that contains the attribute to verify. Some sources are common to almost all use cases, such as Mapped Attributes. Other sources depend on the type of configuration, such as JDBC. Irrelevant sources are automatically hidden. After you select a source, choose the attribute to verify. Depending on the selected source, the available attributes or properties vary. Specify the comparison condition and the desired value to compare to.
You can define multiple criteria, which must all be satisfied for PingFederate to move a request to the next phase. A criterion is satisfied when the runtime value of the selected attribute matches or does not match the specified value, depending on the chosen comparison method. The multi-value contains ... or multi-value does not contain ... comparison methods are intended for attributes that can contain multiple values. Such a criterion is considered satisfied if one of the multiple values match or does not match the specified value. Values are compared verbatim. If you require complex evaluations, including conditional criteria or partial matching, define them using attribute mapping expressions.
All criteria defined must be satisfied or evaluated as true for a request to move forward, regardless of how the criteria were defined. As soon as one criterion fails, PingFederate rejects the request and returns an error message.