Use Cases

Configuring PingFederate for MFA-only VPN

Components

  • PingFederate 9.3

  • PingID

Before you begin

Creating a datastore connection

About this task

If you have already configured a data store connection in PingFederate, you can skip this task. The Identifier First Adapter and the PingID Adapter used later in this use case look users up in this data store.

Steps

  1. Sign in to PingFederate.

  2. Select System → Data Stores to open the Data Stores screen.

  3. On the Data Stores screen, click Add New Data Store.

  4. Type a name for the data store.

  5. Select the type of data store you are connecting to, and click Next.

Depending on which data store type you chose, follow the configuration instructions for that data store type to complete the connection.

Configuring an Identifier First Adapter

The Identifier First Adapter allows PingFederate to collect the user identifier and then determine how to challenge the user for credentials. For general information, see Identifier First Adapter.

Steps

  1. Select Identity Provider → Adapters.

  2. On the Manage IdP Adapter Instances screen, click Create New Instance.

  3. Enter an Instance Name and an Instance ID. The Instance Name is any name you want to use to identify this adapter instance. The Instance ID is used internally, and cannot contain spaces or non-alphanumeric characters.

  4. Select Identifier First Adapter in the Type list.

  5. Click Next, and follow the instructions in Configure an Identifier First Adapter instance to complete the configuration.

Configuring a PingID Adapter

Steps

  1. Select Identity Provider → Adapters.

  2. On the Manage IdP Adapter Instances screen, click Create New Instance.

  3. Enter an Instance Name and an Instance ID.

    The Instance Name is any name you want to use to identify this adapter instance. The Instance ID is used internally, and cannot contain spaces or non-alphanumeric characters.

  4. Select PingID Adapter 2.5.1 in the Type list.

  5. Click Next.

  6. Click Show Advanced Fields.

  7. Follow the instructions in Use PingID for Primary Authentication to complete the configuration.

Configuring an authentication policy

Steps

  1. Select Identity Provider → Policies to open the Authentication Policies screen.

  2. Click Add Policy.

  3. Enter a name for the policy and optionally a description.

  4. In the Policy list, click the down-arrow and select the Identifier First Adapter instance that you created in Configuring an Identifier First Adapter. Fail and Success fields appear.

  5. Under Fail, select Restart, so that a user who enters an unknown identifier is returned to the identifier prompt.

  6. Under Success, click the down-arrow and select the PingID Adapter instance that you created in Configuring a PingID Adapter. Fail and Success fields are displayed again.

  7. Under Fail, select Done, so that a failed PingID challenge ends the policy with a failed authentication rather than restarting it from the identifier prompt.

  8. Under Success, click the down-arrow, and select a Policy Contract.

    An example configuration is shown in the following figure.

    [Figure: example authentication policy with Identifier First Adapter → PingID Adapter → Policy Contract]
  9. Under the PingID adapter in the Success field, click Options.

  10. In the Incoming User ID modal, select the Identifier First Adapter for the Source and subject for the Attribute.

    This configuration maps the user identifier collected by the Identifier First Adapter to the user that PingID challenges. That identifier is not authenticated until the PingID challenge succeeds; in this policy, PingID is the only authentication step, so nothing on the Success path of the Identifier First Adapter should grant access on its own.
  11. Click Done.

  12. Click Contract Mapping under the Policy Contract in the Success field.

  13. Click Next to view the Contract Fulfillment screen.

  14. Select the Identifier First Adapter for the Source and subject for the Attribute.

    This configuration maps the attributes into your authentication policy contract.

  15. Click Next, and then click Next again to view the Summary screen.

  16. Click Done to save your contract mapping, and then click Done again to save your authentication policy.
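The saved policy can be checked structurally rather than by eye. The following is an added example, not code from the PingFederate documentation or the product: it walks a policy tree in the JSON form that the PingFederate admin API returns for GET /pf-admin-api/v1/authenticationPolicies/default and confirms the four properties the steps above establish (Identifier First at the root with Fail → Restart, PingID on Success with its Incoming User ID taken from the Identifier First subject, Fail → Done under PingID, and a contract mapping on PingID Success whose subject also comes from the Identifier First adapter). The field names are an assumption reconstructed from that API, the instance IDs IdFirstVPN and PingIDVPN and the contract ID VPNContract are assumed, and the embedded policy is constructed for the example, not exported from a server.

```python
"""Structural check of a PingFederate MFA-only authentication policy (added example)."""
import copy
import json

# Assumed adapter instance IDs and policy contract ID (not from the original page).
ID_FIRST = "IdFirstVPN"
PINGID = "PingIDVPN"
CONTRACT = "VPNContract"

# Constructed sample in the (assumed) admin API tree shape: one selection tree,
# Identifier First -> PingID -> policy contract, mirroring the UI steps.
POLICY_DOC_JSON = json.dumps({"authnSelectionTrees": [{
    "name": "VPN MFA only",
    "rootNode": {
        "action": {"type": "AUTHN_SOURCE",
                   "authenticationSource": {"type": "IDP_ADAPTER", "sourceRef": {"id": ID_FIRST}}},
        "children": [
            {"action": {"type": "RESTART", "context": "Fail"}},
            {"action": {"type": "AUTHN_SOURCE", "context": "Success",
                        "authenticationSource": {"type": "IDP_ADAPTER", "sourceRef": {"id": PINGID}},
                        "inputUserIdMapping": {"source": {"type": "ADAPTER", "id": ID_FIRST},
                                               "value": "subject"}},
             "children": [
                 {"action": {"type": "DONE", "context": "Fail"}},
                 {"action": {"type": "APC_MAPPING", "context": "Success",
                             "authenticationPolicyContractRef": {"id": CONTRACT},
                             "attributeMapping": {"attributeSources": [],
                                                  "attributeContractFulfillment": {
                                                      "subject": {"source": {"type": "ADAPTER", "id": ID_FIRST},
                                                                  "value": "subject"}}}}}]}]}}]})


def find_tree(doc, name):
    """Return the selection tree with the given name from an admin API policy document."""
    for tree in doc.get("authnSelectionTrees", []):
        if tree.get("name") == name:
            return tree
    raise KeyError(name)


def _branch(node, context):
    """Child node reached on the given outcome ('Fail' or 'Success') of node."""
    for child in node.get("children", []):
        if child.get("action", {}).get("context") == context:
            return child
    return {}


def _adapter_id(node):
    """Adapter instance ID if node is an AUTHN_SOURCE action, else None."""
    action = node.get("action", {})
    if action.get("type") != "AUTHN_SOURCE":
        return None
    return action.get("authenticationSource", {}).get("sourceRef", {}).get("id")


def _from_id_first(fulfillment, id_first):
    """True if an attribute fulfillment takes 'subject' from the Identifier First adapter."""
    return (fulfillment.get("source", {}).get("id") == id_first
            and fulfillment.get("value") == "subject")


def check_mfa_only_policy(tree, id_first=ID_FIRST, pingid=PINGID):
    """Return a list of findings; an empty list means the tree matches the intended policy."""
    findings = []
    root = tree["rootNode"]
    if _adapter_id(root) != id_first:
        return ["root node must be the Identifier First adapter"]
    if _branch(root, "Fail").get("action", {}).get("type") != "RESTART":
        findings.append("Identifier First Fail branch must be Restart")
    pingid_node = _branch(root, "Success")
    if _adapter_id(pingid_node) != pingid:
        findings.append("Identifier First Success branch must be the PingID adapter")
        return findings
    # The identifier is unauthenticated at this point; PingID must challenge exactly that user.
    if not _from_id_first(pingid_node["action"].get("inputUserIdMapping", {}), id_first):
        findings.append("PingID Incoming User ID must map from Identifier First 'subject'")
    if _branch(pingid_node, "Fail").get("action", {}).get("type") != "DONE":
        findings.append("PingID Fail branch must be Done (no retry loop after a failed challenge)")
    apc = _branch(pingid_node, "Success").get("action", {})
    if apc.get("type") != "APC_MAPPING":
        findings.append("PingID Success branch must map to a policy contract")
    elif not _from_id_first(apc.get("attributeMapping", {})
                            .get("attributeContractFulfillment", {}).get("subject", {}), id_first):
        findings.append("contract subject must be fulfilled from Identifier First 'subject'")
    return findings


def weakened_policy():
    """Constructed misconfiguration: PingID Fail set to Restart and the Incoming User ID mapping dropped."""
    tree = copy.deepcopy(find_tree(json.loads(POLICY_DOC_JSON), "VPN MFA only"))
    pingid_node = tree["rootNode"]["children"][1]
    pingid_node["children"][0]["action"]["type"] = "RESTART"
    del pingid_node["action"]["inputUserIdMapping"]
    return tree


if __name__ == "__main__":
    good = find_tree(json.loads(POLICY_DOC_JSON), "VPN MFA only")
    print("intended policy:", check_mfa_only_policy(good) or "OK")
    print("weakened policy:", check_mfa_only_policy(weakened_policy()))
```

To run it against a live server, replace POLICY_DOC_JSON with the body returned by the admin API for the default policies, using an administrative account with read access, and keep the adapter instance IDs in step with the ones you entered in the Instance ID fields above.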