Creating a custom authentication policy in PingFederate

Build and deploy a simple example of a custom authentication policy in PingFederate when there are multiple user types that need different authentication flows.

Make sure you have the following:

  • PingFederate 10 or later with administrator access to the administrative console
  • PingID for multi-factor authentication (MFA)
  • HTML Form identity provider (IdP) adapter
  • Simple password credential validator (PCV)
  • A second SimpleForm (HTML Form adapter) instead of PingID
  • IdP connection
  • Selector

Authentication policies are an optional configuration in PingFederate and help administrators implement complex authentication requirements.

A simple example of a custom authentication policy is having PingID act as a second-factor authentication event that triggers after a username and password form.

Note:

Consider a custom policy when there are multiple user types that need different authentication flows, or if you want to chain together two types of authenticators, such as username and password with MFA.

  1. In the PingFederate administrative console, go to Authentication > Policies > Policies.
  2. In the Authentication Policies window, click Add Policy.
  3. In the Name field, enter a policy name.
  4. In the Description field, enter a description.
  5. From the Policy list, select a previously created configuration:
    • IdP Adapter
    • IdP Connection
    • Selector
  6. In the Fail field, click Done.

    This means that if the user fails to authenticate with the SimpleForm adapter, their single sign-on (SSO) session ends.

  7. From the Success list, select the PingID Adapter. Additional Fail/Success lists will appear.
    Screen capture illustrating the Policy configuration for a PingFederate authentication policy. The Policy type shows SimpleForm. After this field are the Fail field set to Done and the Success field set to PingID - Adapter. There are two hyperlinks below the Success field: Options and Rules.
    1. Click Options.
  8. In the Incoming User ID window, from the Source list, select Adapter (SimpleForm) and from the Attribute list, select username.
    Screen capture illustrating the Incoming User ID window in PingFederate. There are two lists: Source and Attribute. The Source list shows Adapter (SimpleForm) and the Attribute list shows username. Next to the list selection fields is the Clear hyperlink option. At the bottom of the window are the option for Cancel and the Done button.
    1. Click Done.
  9. After the Success list, set the Fail and Success lists to Done.

    Screen capture illustrating the configured Policy fields for a custom authentication policy in PingFederate. The Policy type shows SimpleForm. After this field are the Fail field set to Done and the Success field set to PingID - Adapter. There are two hyperlinks below the Success field: Options and Rules. After the Success field are another pair of Fail and Success fields, both set to Done.
    1. Click Done.
    The custom policy appears in the Policies window in the Policy list.
  10. To save and enable the new policy, click Save.
    Screen capture of the Policies window on the Policies tab in PingFederate with a configured and enabled policy in the Policy list. A green toggle to the right of the policy information indicates the policy is enabled. At the bottom of the image is a hyperlink option to Cancel and the Next and Save buttons.
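
The tree built in steps 5 to 9 can be checked mechanically before the policy is enabled. The following Python is an added example, not Ping Identity code: the dict layout and the names `source`, `paths` and `audit` are hypothetical and do not reflect PingFederate's own export format. It reports any path that ends in a successful Done without passing PingID, and a PingID node whose incoming user ID is not mapped from the SimpleForm username as in step 8.

```python
# Added example: a simplified model of the policy tree from the procedure.
# The dict layout and all names are hypothetical, not PingFederate's format.
DONE = {"action": "DONE"}


def source(adapter, fail, success, user_id_from=None):
    """One adapter node with its Fail and Success branches."""
    return {"action": "ADAPTER", "adapter": adapter,
            "user_id_from": user_id_from, "Fail": fail, "Success": success}


def paths(node, passed=(), ok=True):
    """Yield (adapter nodes passed, reached via Success?) for each Done leaf."""
    if node["action"] == "DONE":
        yield passed, ok
        return
    yield from paths(node["Fail"], passed, False)
    yield from paths(node["Success"], passed + (node,), True)


def audit(policy, first="SimpleForm", mfa="PingID"):
    """Return findings; an empty list means the tree matches the procedure."""
    findings = set()
    for passed, ok in paths(policy):
        names = [n["adapter"] for n in passed]
        if ok and mfa not in names:
            findings.add(f"success without {mfa} via {' > '.join(names) or 'no adapter'}")
        for n in passed:
            if n["adapter"] == mfa and n["user_id_from"] != (first, "username"):
                findings.add(f"{mfa} user ID is not taken from {first}.username")
    return sorted(findings)


# Constructed sample trees: the policy from the steps above, then two mistakes.
GOOD = source("SimpleForm", DONE,
              source("PingID", DONE, DONE, user_id_from=("SimpleForm", "username")))
NO_MFA = source("SimpleForm", DONE, DONE)                         # Success left at Done
NO_MAPPING = source("SimpleForm", DONE, source("PingID", DONE, DONE))  # Options skipped

if __name__ == "__main__":
    for name, tree in [("GOOD", GOOD), ("NO_MFA", NO_MFA), ("NO_MAPPING", NO_MAPPING)]:
        print(name, audit(tree) or "OK")
```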