Configuring a PingFederate policy for primary authentication - PingID

PingID Administration Guide


Configuring PingID for primary authentication requires you to create a policy contract and a policy in PingFederate.

Note:

If you are running PingFederate 9.0 or earlier, you will need to create a composite adapter rather than a PingFederate policy. For more information, see Configuring a composite adapter.

Before configuring PingID for primary authentication:
  • Install the PingID Integration Kit
  • Generate and download the PingID properties file
  • Configure a PingID adapter instance
    Note:

    PingID can only be used for primary authentication when a persistent cookie for the PingID Adapter exists in the user’s browser.

  • Create an IdP adapter for primary authentication (for example, an HTML Form Adapter). For more information, see Configure an IdP adapter instance. This adapter is used if the persistent cookie for the PingID Adapter does not appear in the user’s browser. It enables PingID to acquire the proper user information and mobile device fingerprint. The user credentials are then stored in a persistent cookie in the user's browser, and all subsequent SSO operations pass these credentials to the PingID adapter.
  • If you want to configure the application name or application icon, you can do so in PingFederate. For more information, see Identifying the target application.
After you have created the relevant identity provider (IdP) and PingID adapters, you must create a PingFederate policy contract and a PingFederate policy for primary authentication, as described below.
Note:

The following endpoint can be used to clear the primary authentication: https://HOSTNAME:PORT/ext/pingid-reset-primary-auth.

When a user is redirected to this endpoint, the PingID primary authentication cookie is cleared from the user’s browser and the user is redirected to the sign-on page of the primary authentication IdP adapter. The next sign-on attempt from that browser will require first-factor authentication. This is useful in cases such as switching the authentication context between multiple users who share the same device.

  1. In PingFederate, create an authentication policy contract.
    For more information, see Manage policy contracts.
    1. Go to Authentication > Policies > Policy Contracts.
    2. Click Create New Contract.
    3. In the Contract Name field, enter a name for the policy contract, and then click Next.
    4. On the Contract Attributes tab, for each attribute you want to add, type the name of the attribute, and then click Add.
      For a list of PingID attributes, see PingID authentication attributes.
    5. To advance to the Summary tab and review the contract, click Next. Click Done.
  2. Create a PingFederate authentication policy.
    For more information, see Policies.
    1. Go to Authentication > Policies > Policies.
    2. Select the IdP Authentication Policies box, and then click Add Policy.
    3. In the Name field, enter a meaningful name for the authentication policy.
    4. From the Policy dropdown, select IdP Adapters, and then select the PingID Adapter instance you created.
      The PingID Adapter is added to the PingFederate policy tree.
    5. From the Fail list, select your IdP adapter instance.
      A new branch is created under the Fail list.
    6. In this new branch, perform the following:
      • From the Fail list, select Done.
      • From the Success list, select IdP Adapters, then select the Adapter you created earlier.
      A new branch is created under the Success list.
    7. In this new branch, perform the following:
      • From the Fail list, select Done.
      • From the Success list, select Policy Contracts, then select the policy contract you created earlier.
    8. In the PingID Adapter branch, from the Success list, select Policy Contracts and then select the policy contract you created earlier.
    9. In the PingID Adapter branch, under the Success list, click Contract Mapping.
    10. Complete the relevant contract mapping.
      For more information on contract mapping, see Configuring contract mapping. For a list of attributes that can be used upon successful authentication with PingID, see PingID authentication attributes.
    11. To enable the policy, select the check box, and then click Save.
      You return to the Policy window.
    12. Click Done.
    13. Under the PingID Adapter branch, click Options.
    14. In the Incoming User window, enter the following information.
      • From the Source list, select the IdP adapter.
      • From the Attribute list, select username.
    When finished, the policy tree should look similar to the following example.
    [Screen capture of example PingID authentication policy]
  3. Add any further configurations, for example:
    1. Configure Browser SSO.
      For more information, see Configure IdP Browser SSO.
    2. Configure OAuth settings.
      For more information, see OAuth configuration.
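The policy tree built in step 2 (PingID Adapter first; on Fail, the first-factor IdP adapter, then the PingID Adapter again with the form adapter's username as Incoming User; on Success, the policy contract) and the reset endpoint from the note above, as an added simulation that is not PingFederate or PingID code. The adapter names, the cookie contents, the constructed user store and the contract attribute `subject` are assumptions for illustration.

```python
# Constructed simulation of the primary-authentication policy tree; not PingFederate
# or PingID code. Cookie contents, FORM_USERS and the 'subject' attribute are assumed.
from dataclasses import dataclass
from typing import Optional

# Constructed credential store behind the HTML Form adapter (first factor)
FORM_USERS = {"alice": "correct horse battery staple"}

@dataclass
class Browser:
    pingid_cookie: Optional[str] = None    # PingID persistent cookie (None = absent)
    form_input: Optional[tuple] = None     # (username, password) typed into the form

def html_form_adapter(browser: Browser) -> Optional[str]:
    """IdP adapter for first-factor authentication: returns the username on success."""
    if browser.form_input is None:
        return None
    user, password = browser.form_input
    return user if FORM_USERS.get(user) == password else None

def pingid_adapter(browser: Browser, incoming_user: Optional[str] = None) -> Optional[dict]:
    """PingID adapter: succeeds from the persistent cookie, or from the Incoming User
    supplied by the fallback branch (step 14), which it then stores in the cookie."""
    if browser.pingid_cookie:
        return {"username": browser.pingid_cookie}
    if incoming_user:
        browser.pingid_cookie = incoming_user
        return {"username": incoming_user}
    return None

def map_contract(attrs: dict) -> dict:
    """Contract mapping: assumed contract with a single 'subject' attribute."""
    return {"subject": attrs["username"]}

def reset_primary_auth(browser: Browser) -> None:
    """Model of /ext/pingid-reset-primary-auth: drop the cookie so the next sign-on
    from this browser goes through the first-factor adapter again."""
    browser.pingid_cookie = None

def run_policy(browser: Browser):
    """Walk the policy tree; returns (outcome, contract_attrs, adapters_invoked)."""
    path = ["PingID Adapter"]
    attrs = pingid_adapter(browser)
    if attrs:                                   # Success -> policy contract
        return "contract", map_contract(attrs), path
    path.append("HTML Form Adapter")            # Fail -> IdP adapter branch
    user = html_form_adapter(browser)
    if user is None:                            # Fail -> Done (no contract fulfilled)
        return "done", None, path
    path.append("PingID Adapter")               # Success -> PingID Adapter, Incoming User
    attrs = pingid_adapter(browser, incoming_user=user)
    return ("done", None, path) if attrs is None else ("contract", map_contract(attrs), path)
```

Running `run_policy` twice on the same `Browser` shows the first sign-on passing through the form adapter and the second being satisfied by the cookie alone, while `reset_primary_auth` forces the first-factor path again.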