Configuring a PingFederate policy for secondary authentication

Configuring a PingFederate policy for secondary authentication - PingID

PingID Administration Guide

bundle

pingid

ft:publication_title

PingID Administration Guide

Product_Version_ce

PingID

category

ContentType

Product

Productdocumentation

pingid

ContentType_ce

Product documentation

PingID can serve as the secondary authentication source for PingFederate.

Before configuring PingID for secondary authentication:

Install the PingID Integration Kit.
Download the PingID properties file.
Configure a PingID adapter instance.
If an identity provider (IdP) adapter for primary authentication has not already been created, create one. For more information, see Configure an IdP adapter instance.
If you want to configure the application name or application icon, do so in PingFederate. See Identifying the target application.
Note:
If you want to implement a FIDO passwordless authentication flow, see Configuring a PingFederate policy for passwordless authentication with FIDO biometrics.

After you have created the relevant IdP and PingID adapters, create a PingFederate policy contract, and then create a PingFederate policy for secondary authentication.

Note:

If you are running PingFederate 9.0 or earlier, you'll need to create a composite adapter rather than a PingFederate policy. See Configuring a composite adapter.

In PingFederate, create an Authentication Policy Contract.
For more information, see Manage policy contracts.
1. Go to Authentication > Policies > Policy Contracts.
2. Click Create New Contract.
3. In the Contract Name field, enter a name for the policy contract, and then click Next.
4. On the Contract Attributes tab, for each attribute you want to add, type the name of the attribute and then click Add.
  For a list of PingID attributes, see PingID authentication attributes.
1. To advance to the Summary tab and to review the contract, click Next. Click Save.
Create a PingFederate authentication policy.
For more information, see Policies.
1. Go to Authentication > Policies > Policies.
2. Select the IdP Authentication Policies box, and then click Add Policy.
3. In the Name field, enter a meaningful name for the authentication policy.
4. From the Policy dropdown, select IdP Adapters, and then select your IdP Adapter from the list (for example, the HTML Form Adapter).
  The IdP Adapter is added to the PingFederate policy tree.
5. In this new branch, perform the following.
  - From the Fail list, select Done.
  - From the Success list, select IdP Adapters, and then select your PingID Adapter instance.
  A new PingID Adapter branch is created under the Success list.
6. Under the PingID Adapter branch field, click Options, and in the Incoming User ID window, perform the following.
  - From the Source list, select the IdP adapter.
  - From the Attribute list, select username.
  - Select the User ID Authenticated check box.
  - To close the window, click Done.
7. In the new PingID Adapter branch, perform the following.
  - From the Fail list, select Done.
  - From the Success list, select Policy Contract, and then select the policy contract you created earlier.
8. Under the PingID Adapter Success field, click Contract Mapping.
9. Complete the relevant contract mapping.
  For more information on contract mapping, see Configuring contract mapping. For a list of attributes that can be used upon successful authentication with PingID, see PingID authentication attributes.
10. To enable the policy, select the check box, and then click Save.
  You return to the Policy window.
11. Click Done.
Add any further configurations, for example:
- Configure Browser SSO. For more information, see Configure IdP Browser SSO.
- Configure OAuth settings. For more information, see OAuth configuration.