The authentication policy checks if the user has an existing authentication session. If they do, the user is sent to the corresponding adapter, allowing them to bypass the Identifier First Adapter. If they do not, they are prompted by the Identifier First Adapter to submit their email address to determine if they should be routed to the corporate or non-corporate adapter. For more information, see Policies.

  1. In the PingFederate administrative console, go to Policies > Policies and click Add Policy.
  2. Enter a name for your policy, and in the Policy list, select your newly created Session Authentication Selector.

    The policy branches are created based on the result values set for each authentication source in the selector.

  3. Select the appropriate adapter in the list of each branch:
    1. Under the Fail list, click Done.
    2. In the Success list, select your policy contract mapping setting.
    Screen capture of the policy creation page with the Session Authentication Selector selected in the Policy list, the corporate session adapter selected in the corporate policy branch, the Done button under the Fail list highlighted, and the policy contract selected in the Success list
  4. In the No Session list, select your newly created Identifier First adapter.
  5. Under the No Session list, click Rules.
    Screen capture of the policy creation page with the Identifier First Adapter selected in the No Session list, and the Rules button highlighted
    1. In the Attribute Name list, select domain.
    2. In the Condition list, select equal to.
    3. In the Value field, enter the corporate identifier.
    4. In the Result field, enter a policy branch name for corporate users.
    5. Click Add.
    6. Repeat steps 5b-f, replacing the condition with not equal to, and replacing the result with the policy branch name for non-corporate users.
    7. Clear the Default to success check box.
    8. Click Done.
    Screen capture of the No Session branch "Rules" menu with the relevant values set for attribute name, condition, value, and result for both corporate and non-corporate authentication attempts. The Default to success check box is cleared.
    Note: The rules dictate which policy branch the user is routed to if they have no current authentication session.

  6. Within the No Session branch, under the Fail list, click Done.
    1. In each policy branch list, select the appropriate adapter.
    2. Under each Fail list, click Done, and in each Success list, select your policy contract mapping setting.
    Screen capture of the No Session policy branch on the policy creation page with the corporate and non-corporate user paths configured as outlined above
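
The following added example, which is not PingFederate code or part of the original procedure, models the finished policy tree in Python so that a planned rule set can be checked against sample identifiers before it is entered in the console. The corporate identifier `corp.example`, the branch names, and the function names are constructed placeholders. It assumes the `domain` attribute is the text after the last `@` exactly as typed, that `equal to` is an exact string comparison, and that a missing attribute matches no rule.

```python
"""Illustrative model of the policy tree built in the steps above."""

CORPORATE_DOMAIN = "corp.example"  # constructed placeholder for the corporate identifier

# Rules on the No Session branch, in the order they are added in the Rules menu.
RULES = [
    {"attribute": "domain", "condition": "equal to",
     "value": CORPORATE_DOMAIN, "result": "Corporate"},
    {"attribute": "domain", "condition": "not equal to",
     "value": CORPORATE_DOMAIN, "result": "Non-Corporate"},
]
DEFAULT_TO_SUCCESS = False  # the "Default to success" check box is cleared


def evaluate_rules(attributes, rules=RULES, default_to_success=DEFAULT_TO_SUCCESS):
    """Return the first matching rule's result, else Success or Fail per the check box."""
    for rule in rules:
        actual = attributes.get(rule["attribute"])
        if actual is None:
            continue  # assumption: a missing attribute matches no rule
        if rule["condition"] == "equal to" and actual == rule["value"]:
            return rule["result"]
        if rule["condition"] == "not equal to" and actual != rule["value"]:
            return rule["result"]
    return "Success" if default_to_success else "Fail"


def route(session_result, identifier):
    """Walk the tree: the selector runs first; rules apply only on No Session."""
    if session_result is not None:
        # An existing session skips the Identifier First Adapter entirely.
        return f"{session_result} session adapter"
    # Assumption: the domain is whatever follows the last "@" in the identifier.
    domain = identifier.rsplit("@", 1)[1] if "@" in identifier else ""
    attributes = {"domain": domain} if domain else {}
    branch = evaluate_rules(attributes)
    return "Done (fail)" if branch == "Fail" else f"{branch} adapter"


if __name__ == "__main__":
    # Constructed sample inputs: (selector result, identifier submitted by the user)
    samples = [("Corporate", ""), (None, "alice@corp.example"),
               (None, "bob@mail.example"), (None, "alice@CORP.EXAMPLE"),
               (None, "alice")]
    for session_result, identifier in samples:
        print(f"{session_result!s:10} {identifier!r:24} -> {route(session_result, identifier)}")
```

Under these assumptions, an identifier whose domain differs from the configured value only in letter case lands in the non-corporate branch, so confirm how your deployment compares the value before relying on the rule.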