Authentication policy contracts provide PingFederate administrators the following benefits:

  • The capability to build an attribute contract with attribute values from multiple authentication sources or datastore queries through an authentication policy.
  • The flexibility to map only the policy contract to a connection. Administrators do not have to map the authentication sources that lead up to the contract in the policy into the connection. For example, administrators can experiment with various IdP adapter instances without having to add them to and remove them from the connection.
  • The potential to reuse authentication policies that use the same policy contract in multiple service provider (SP) connections, identity provider (IdP) connections, and OAuth use cases, using the OAuth Authorization Code or Implicit grant types.

Authentication policy contracts are also the medium that carries user attributes from IdPs to SPs when PingFederate is deployed as a federation hub. For more information, see Federation hub use cases.