This procedure assumes that you have configured PingFederate and PingAccess to talk to each other through OIDC. You need to add Azure AD as an authentication source for PingAccess in PingFederate.

For general instructions, see Create an OpenID Connect IdP connection.

  1. From the Authentication Selector screen in PingFederate, select the Add or Update AuthN Context Attribute box next to the PingAccess entry, update your selector result values to include Azure AD as an authentication requirement, and click Save. See Configure the Requested AuthN Context Authentication Selector.
  2. Ensure there is a path in your authentication policy tree to include your new authentication requirement for Azure, verify that you are fulfilling your policy contracts, and click Save. See Defining authentication policies and Define authentication policies based on group membership information.
  3. Under Authorization Server Settings, extend the persistent grant to map the Azure AD group into the OIDC token to PingAccess. See Define grant contract fulfillment for IdP adapter mapping.
  4. Extend the access token attribute contract to include groups, fulfill the persistent grants from the authentication policy contract, and fulfill the access token mapping with the persistent grant. See Configure policy and ID token settings.
  5. In your OIDC policy, map from the access token or perform any additional lookups against local data stores. See Configure IdP adapter attribute sources and user lookup.
  6. Go to PingAccess and write a web session attribute rule for the group membership to which the rule applies. See Configure session management.

    Azure AD does not provide friendly names for its groups and instead returns them as object IDs.

    Apply this rule as needed for your specific use case, application, or API.
    PingAccess verifies group membership in Azure AD and uses this group membership to enforce medium-grained access control.
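The following is an added example, not Ping Identity code: a small Python model of the group-mapping chain described in the steps above. It assumes a constructed set of Azure AD group object IDs and token claims, and shows why a web session attribute rule must match on the object ID rather than a friendly name, plus the kind of local lookup step 5 refers to.

```python
"""Model of the Azure AD group -> OIDC token -> PingAccess rule chain.
Added example; the GUIDs and claims below are constructed, not real."""
import uuid

# Constructed sample: Azure AD returns group membership as object IDs,
# never as display names, so a local mapping is needed for friendly names.
GROUP_IDS = {
    "finance-admins": "9f1a2b3c-4d5e-4f60-8a7b-1c2d3e4f5a6b",
    "all-employees":  "0a1b2c3d-4e5f-4a6b-9c7d-8e9f0a1b2c3d",
}

# Constructed claims as they would reach PingAccess once the access token
# attribute contract has been extended with a "groups" attribute (step 4).
SAMPLE_CLAIMS = {
    "sub": "alice@example.com",
    "groups": [GROUP_IDS["finance-admins"], GROUP_IDS["all-employees"]],
}

def is_object_id(value: str) -> bool:
    """True if value is a well-formed GUID, the shape of an Azure AD object ID."""
    try:
        uuid.UUID(value)
        return True
    except ValueError:
        return False

def groups_rule_matches(claims: dict, required_group: str) -> bool:
    """Evaluate a rule of the form 'groups contains <required_group>' (step 6).
    A rule written with a friendly name can never match an Azure AD token,
    so it is rejected loudly rather than silently denying every user."""
    if not is_object_id(required_group):
        raise ValueError(f"rule value {required_group!r} is not an object ID; "
                         "Azure AD groups must be matched by object ID")
    return required_group in claims.get("groups", [])

def friendly_names(claims: dict, lookup: dict) -> list:
    """Step 5: resolve object IDs against a local data store (here a
    constructed dict); unknown IDs are passed through unchanged."""
    by_id = {oid: name for name, oid in lookup.items()}
    return [by_id.get(oid, oid) for oid in claims.get("groups", [])]

if __name__ == "__main__":
    print(groups_rule_matches(SAMPLE_CLAIMS, GROUP_IDS["finance-admins"]))
    print(friendly_names(SAMPLE_CLAIMS, GROUP_IDS))
```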