By modifying your PingFederate authentication policy to include the isManaged and isCompliant results from Intune, you can control access to resources based on the device's security posture.

These steps are designed to help you add to an existing authentication policy. For general information about configuring authentication policies, see Policies in the PingFederate documentation.
1. Sign on to the PingFederate administrative console.
2. On the Identity Provider screen, under Authentication Policies, click Policies.
3. Open an existing authentication policy, or create a new one. See Defining authentication policies in the PingFederate documentation.
4. In the Policy area, in the Select list, select an Intune IdP Adapter instance.
5. Map the deviceId (shown as CN) or userPrincipalName from your X.509 Adapter instance into the Intune IdP Adapter instance.
   a. Under the Intune IdP Adapter instance, click Options.
   b. On the Options dialog, from the Source list, select your X.509 Adapter instance.
   c. From the Attribute list, select CN or userPrincipalName. Click Done.
6. Define policy paths based on the two security posture attributes, isCompliant and isManaged.
   a. Under the Intune IdP Adapter instance, click Rules.
   b. On the Rules dialog, in the Attribute Name list, select isCompliant.
   c. In the Condition list, select equal to.
   d. In the Value field, enter true or false.
   e. In the Result field, enter a name. This appears as a new policy path that branches from the authentication source.
   f. Repeat steps b-e for isManaged.
   g. Click Done.
7. Configure each of the authentication paths, including Fail, Success, and the paths that you defined in the Rules dialog.
8. Click Done.
9. In the Policies window, click Save.
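The following is an added worked example, not code from the Intune or PingFederate documentation. It models the pieces the procedure above wires together: the identity the X.509 adapter hands to the Intune IdP adapter (certificate CN or userPrincipalName), the isCompliant/isManaged attributes the adapter returns, and the ordered Rules list that turns those attributes into a named policy path. The posture table and device identifiers are constructed sample data; first-match rule ordering and the fail-closed handling of identities Intune has never seen are assumptions of this model, so confirm the branching behaviour against your PingFederate version. It also shows why rule order matters: a rule list that only asks "isCompliant equal to true" sends a managed-but-non-compliant device down a second branch, whereas listing the negative conditions first leaves Success reachable only when both attributes are true.

```python
"""Model of Intune posture-based policy branching in a PingFederate
authentication policy.  Constructed illustration, not PingFederate's
policy engine; first-match ordering and fail-closed unknown-device
handling are assumptions of this model.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for what the Intune IdP adapter returns after the
# X.509 adapter's CN (deviceId) or userPrincipalName is mapped into it.
# Values are strings because that is the form entered in the Value field.
INTUNE_POSTURE: Dict[str, Dict[str, str]] = {
    # deviceId taken from the client certificate CN (constructed values)
    "3f2a9c1e-0000-4b5e-9d7a-000000000001": {"isCompliant": "true", "isManaged": "true"},
    "3f2a9c1e-0000-4b5e-9d7a-000000000002": {"isCompliant": "false", "isManaged": "true"},
    # userPrincipalName from the certificate, device enrolled but retired
    "bob@contoso.example": {"isCompliant": "false", "isManaged": "false"},
}


@dataclass(frozen=True)
class Rule:
    """One row of the Rules dialog: Attribute Name, Condition, Value, Result."""
    attribute: str   # "isCompliant" or "isManaged"
    condition: str   # only "equal to" is modelled, as in the dialog
    value: str       # "true" or "false"
    result: str      # the path name typed into the Result field


# Rules as a reader might first enter them: one positive check per attribute.
LOOSE_RULES: List[Rule] = [
    Rule("isCompliant", "equal to", "true", "Compliant"),
    Rule("isManaged", "equal to", "true", "Managed"),
]

# Negative conditions first, so the default (Success) path is reached only
# when the device is both managed and compliant.
STRICT_RULES: List[Rule] = [
    Rule("isManaged", "equal to", "false", "Unmanaged"),
    Rule("isCompliant", "equal to", "false", "NonCompliant"),
]


def intune_lookup(identity: str) -> Optional[Dict[str, str]]:
    """Stand-in for the Intune IdP adapter lookup.

    Returns the posture attributes, or None when Intune has no record of
    the device or user (never enrolled, or certificate issued elsewhere).
    """
    return INTUNE_POSTURE.get(identity)


def evaluate(rules: List[Rule], identity: str, default: str = "Success") -> str:
    """Return the policy path a session branches to.

    An identity unknown to Intune goes to Fail regardless of the rules:
    absence of posture data must never be mistaken for good posture.
    Otherwise the first rule whose attribute equals its value wins, and
    the default path is taken when no rule matches (model assumption).
    """
    posture = intune_lookup(identity)
    if posture is None:
        return "Fail"
    for rule in rules:
        if rule.condition != "equal to":
            raise ValueError("unsupported condition: " + rule.condition)
        if posture.get(rule.attribute) == rule.value:
            return rule.result
    return default


if __name__ == "__main__":
    for ident in list(INTUNE_POSTURE) + ["unknown-device"]:
        print(ident,
              "loose ->", evaluate(LOOSE_RULES, ident, default="Fail"),
              "| strict ->", evaluate(STRICT_RULES, ident))
```

With LOOSE_RULES the non-compliant managed device lands on the "Managed" path, so whatever you configure on that path in step 7 decides whether a non-compliant device gets in. With STRICT_RULES each failure mode has its own path and Success is only reachable when both attributes are true, which is usually what a posture-gated resource wants.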