PingFederate supports more granular control through the use of rules in authentication policies.
An authentication source in an authentication policy has two results, Fail or Success, for which you can set one of the following actions:
- Append another authentication source for further processing.
- Append a selector for further processing.
- Select Done to terminate the authentication policy, making it a closed-ended path.
- Select an authentication policy contract or a local identity profile, also
terminating the authentication policy, making it a closed-ended path.Tip: A policy path is closed-ended if it contains one or more authentication sources, with or without any selector instances. A closed-ended path can optionally end with an authentication policy contract or a local identity profile.Note:
A policy path is also closed-ended if it ends with an instance of a custom authentication selector that returns an IdP adapter instance ID or the connection ID of an IdP connection. Because the custom selector returns an authentication source, such a closed-ended path cannot end with an authentication policy contract or a local identity profile. Instead, it must end with an action of Done or Restart.
By applying multiple rules to an authentication source, an administrator can define additional, successful, results based on attribute values from the authentication source and set different action for each result.
For example, your OpenToken IdP Adapter instance returns an attribute,
EmployeeType, that identifies the employee profile; a value of
temp
indicates the user is a contractor. Your organization mandates
that all contractors must authenticate successfully against the OpenToken identity
provider (IdP) adapter, followed by another IdP adapter, such as an instance of the
PingID Adapter for multifactor
authentication. To fulfill this authentication requirement, you can define a successful
result by adding a rule to evaluate the EmployeeType value, and
then select the PingID Adapter instance as the action for this match.
When multiple rules exist for a given authentication source, the first match wins. If no rule returns a match, administrators have the option to treat the authentication as successful or failure.