---
title: Extending a PingFederate authentication session for corporate identifiers
description: Starting with PingFederate 9.3, you can enable longer validity periods for employee authentication sessions than those for non-corporate users.
component: solution-guides
page_id: solution-guides:single_sign-on_use_cases:pf_extend_corp_session
canonical_url: https://docs.pingidentity.com/solution-guides/single_sign-on_use_cases/pf_extend_corp_session.html
revdate: July 25, 2025
page_aliases: ["single_sign-on_use_cases:pf_id_first_config.adoc", "single_sign-on_use_cases:pf_session_selector_config.adoc", "single_sign-on_use_cases:pf_add_auth_policy.adoc", "single_sign-on_use_cases:pf_set_corp_ognl_expression.adoc"]
section_ids:
  component: Component
  configuring-the-identifier-first-adapter: Configuring the Identifier First Adapter
  about-this-task: About this task
  steps: Steps
  configuring-the-session-authentication-selector: Configuring the Session Authentication Selector
  about-this-task-2: About this task
  steps-2: Steps
  adding-an-authentication-policy: Adding an authentication policy
  about-this-task-3: About this task
  steps-3: Steps
  setting-an-ognl-expression: Setting an OGNL expression
  about-this-task-4: About this task
  steps-4: Steps
---

# Extending a PingFederate authentication session for corporate identifiers

Starting with PingFederate 9.3, you can enable longer validity periods for employee authentication sessions than those for non-corporate users.

The solution works by having a dedicated login adapter, such as the [HTML Form Adapter](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-93.pdf#page=717), for each user population, each with its own session timeout, and configuring an [Identifier First Adapter](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-93.pdf#page=710) to determine which adapter each user group is routed to. The routing decision is based only on the email address the user types, so it is a convenience, not an authorization control. Setting an OGNL expression in the issuance criteria of the corporate adapter is what ensures that a non-corporate user cannot obtain the longer session by authenticating with the corporate adapter.

**Note:** For this task, you must have created the login adapters for each user population and customized their session timeouts. To unify the user experience, you can create the non-corporate adapter as a child of the corporate parent adapter. The child adapter inherits all of the parent's settings, including any custom templates used for branding, so only the session timeout needs to differ.

## Component

PingFederate 9.3 and later.

## Configuring the Identifier First Adapter

### About this task

The Identifier First Adapter prompts the user to identify themselves with their email address. Upon submission of the address, the adapter parses out the email domain and subject. You can use the domain information retrieved by the adapter to create policy rule branches. For more information, see [Configuring an Identifier First Adapter instance](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-93.pdf#page=710).

### Steps

1. In the PingFederate administrative console, go to **Authentication → Integration → IdP Adapters**.

2. Click **Create New Instance**.

3. On the **Type** tab, configure the basics of the adapter instance:

   1. Enter the **Instance Name** and **ID**.

   2. In the **Type** list, select **Identifier First Adapter**.

   3. Click **Next**.

4. On the **IdP Adapter** tab, accept the default configuration and click **Next**.

5. On the **Extended Contract** tab, accept the default configuration and click **Next**.

6. On the **Adapter Attributes** tab, select the **Pseudonym** checkbox for the domain attribute. Click **Next**.

   ![Screen capture of the Create adapter instance page with the pseudonym checkbox selected for the domain attribute on the Adapter attributes tab](_images/hsm1669843011564.png)

7. On the **Adapter Contract Mapping** tab, click **Next**.

   The adapter will fulfill the adapter contract by default.

8. On the **Summary** tab, verify your adapter's configuration.

   ![Screen capture of an example summary of a newly created Identifier First Adapter instance](_images/rmt1669060828765.png)

9. Click **Done**.

10. On the **Manage IdP Adapter Instances** page, click **Save**.

## Configuring the Session Authentication Selector

### About this task

In this example, you are configuring a Session Authentication Selector with the corporate and non-corporate adapters added as authentication sources. The selector will check for an existing authentication session with either adapter. If a session exists, the user bypasses the Identifier First Adapter and is not asked to submit their email address. For more information, see [Configuring the Session Authentication Selector](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-93.pdf#page=336).

### Steps

1. In the PingFederate administrative console, go to **Authentication → Policies → Selectors**.

2. Click **Create New Instance**.

3. On the **Type** tab, configure the basics of the selector instance:

   1. Enter the **Instance Name** and **ID**.

   2. In the **Type** list, select **Session Authentication Selector**.

4. On the **Authentication Selector** tab, add the corporate and non-corporate adapters as authentication sources, and then select the **Enable 'No Session' Result Value** checkbox.

   ![Screen capture of the Create authentication selector instance page with the corporate and non-corporate adapters added as authentication sources and the Enable 'no session' result value selected on the Authentication selector tab](_images/tzb1669842144305.png)

5. Click **Next** and verify your configuration on the **Summary** tab.

   ![Screen capture of an example summary of a Session authentication selector instance](_images/oqj1669060951831.png)

6. Click **Done**.

7. On the **Manage Authentication Selector Instances** page, click **Save**.

## Adding an authentication policy

### About this task

The authentication policy checks if the user has an existing authentication session. If they do, the user is sent to the corresponding adapter, allowing them to bypass the Identifier First Adapter. If they do not, they are prompted by the Identifier First Adapter to submit their email address to determine if they should be routed to the corporate or non-corporate adapter. For more information, see [Authentication Policies](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-93.pdf#page=324).

### Steps

1. In the PingFederate administrative console, go to **Authentication → Policies → Policies** and click **Add Policy**.

2. Enter a name for your policy, and in the **Policy** list, select your newly created Session Authentication Selector.

   The policy branches are created based on the result values set for each authentication source in the selector.

3. Select the appropriate adapter in the list of each branch:

   1. Under the **Fail** list, click **Done**.

   2. In the **Success** list, select your policy contract mapping setting.

      ![Screen capture of the policy creation page with the Session Authentication Selector selected in the Policy list, the corporate session adapter selected in the corporate policy branch, the Done button under the Fail list highlighted, and the policy contract selected in the Success list](_images/eux1669916146439.png)

4. In the **No Session** list, select your newly created Identifier First adapter.

5. Under the **No Session** list, click **Rules**.

   ![Screen capture of the policy creation page with the Identifier First Adapter selected in the No Session list, and the Rules button highlighted](_images/tqw1669915879511.png)

   1. In the **Attribute Name** list, select **domain**.

   2. In the **Condition** list, select **equal to**.

   3. In the **Value** field, enter the corporate identifier.

   4. In the **Result** field, enter a policy branch name for corporate users.

   5. Click **Add**.

6. Repeat steps 5.1 through 5.5, this time selecting **not equal to** as the condition and entering the policy branch name for non-corporate users as the result.

   7. Clear the **Default to success** checkbox.

   8. Click **Done**.

      ![Screen capture of the No Session branch "Rules" menu with the relevant values set for attribute name, condition, value, and result for both corporate and non-corporate authentication attempts. The Default to success checkbox is cleared.](_images/xxr1669836566913.png)

      **Note:** The rules dictate which policy branch the user is routed to if they have no current authentication session.

6. Within the **No Session** branch, under the **Fail** list, click **Done**.

   1. In each policy branch list, select the appropriate adapter.

   2. Under each **Fail** list, click **Done**, and in each **Success** list, select your policy contract mapping setting.

      ![Screen capture of the No Session policy branch on the policy creation page with the corporate and non-corporate user paths configured as outlined above](_images/qwb1669916360640.png)

## Setting an OGNL expression

### About this task

In this task, you are adding an OGNL expression to the issuance criteria of the corporate adapter. This expression prevents a non-corporate user from being authenticated with a corporate identifier. For more information, see [Construct OGNL Expressions](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-93.pdf#page=860).

### Steps

1. In the PingFederate administrative console, go to **Authentication → Integration → IdP Adapters**.

2. Select your corporate adapter instance.

3. On the **Adapter Contract Mapping** tab, click **Configure Adapter Contract**.

4. On the **Issuance Criteria** tab, click **Show Advanced Criteria**.

   ![Screen capture of the Adapter contract mapping page with the Show advanced criteria button highlighted on the Issuance criteria tab](_images/xpt1669849978487.png)

5. In the **Expression** field, enter the following, replacing `<corporate email domain>` with your corporate email domain (for example, `corp.example`):

   ```
   #mail=#this.get("mapped.mail"), #mail==null?"false":#mail.toString().toLowerCase().endsWith("@<corporate email domain>")
   ```

   The expression reads the `mail` attribute mapped from the corporate adapter after the user has authenticated. A null value (no mapped address) fails the check; a non-null value passes only if the address ends with `@<corporate email domain>`. Anchoring the comparison with `@` and `endsWith` matters: a plain substring test such as `contains("<corporate email domain>")` is also satisfied by addresses like `corp.example@attacker.example` or `user@corp.example.attacker.example`, which are not corporate accounts.

6. In the **Error Result** field, enter your desired error message.

   **Note:** The error message displays when the authenticated user's mapped `mail` attribute does not satisfy the OGNL expression, that is, when a user reached the corporate adapter but could not be confirmed as an employee. The user is not issued the corporate session.

   ![Screen capture of the Adapter contract mapping page with the constructed OGNL expression and desired error result displayed on the Issuance criteria tab](_images/mgd1669061143242.png)

7. Click **Add**, and then click **Done**.
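The two decisions this guide configures, the "No Session" policy rules in [Adding an authentication policy](#adding-an-authentication-policy) and the issuance criterion in the section above, act on different inputs: the rules see the domain of whatever address the user typed, while the issuance criterion sees the `mail` attribute of the user who actually authenticated. The following is an added example, not part of the Ping Identity documentation or of PingFederate, that models both decisions in Python so the difference is visible. The corporate domain `corp.example`, the sample identities, and all function names are constructed for the example; the real adapter and policy engine are not invoked, and how they normalise case is not specified by the guide.

```python
# Added example (not Ping Identity code): a model of the two controls the guide
# configures.
#   * route_branch()       - the "No Session" policy rules: the domain parsed from
#                            the e-mail the user *typed* selects the adapter.
#   * issuance_allows_*()  - the issuance-criteria check on the corporate adapter,
#                            run against the mapped mail attribute of the user who
#                            actually *authenticated*, in its substring and
#                            anchored forms.
from typing import Optional

CORPORATE_DOMAIN = "corp.example"  # assumed corporate identifier


def identifier_first_domain(identifier: str) -> Optional[str]:
    """Model of the Identifier First adapter: the part after the last '@'.

    Returns None when the submitted identifier has no domain component.
    Lower-casing is this example's choice, not a documented adapter behaviour.
    """
    if "@" not in identifier:
        return None
    return identifier.rsplit("@", 1)[1].strip().lower()


def route_branch(identifier: str) -> str:
    """Policy rules: domain 'equal to' the corporate identifier -> corporate
    branch; anything else, including a missing domain -> non-corporate."""
    if identifier_first_domain(identifier) == CORPORATE_DOMAIN:
        return "corporate"
    return "non-corporate"


def issuance_allows_contains(mapped_mail: Optional[str]) -> bool:
    """Substring form: mapped.mail.toString().contains("<corporate email domain>")."""
    if mapped_mail is None:
        return False
    return CORPORATE_DOMAIN in mapped_mail


def issuance_allows_endswith(mapped_mail: Optional[str]) -> bool:
    """Anchored form:
    mapped.mail.toString().toLowerCase().endsWith("@<corporate email domain>")."""
    if mapped_mail is None:
        return False
    return mapped_mail.lower().endswith("@" + CORPORATE_DOMAIN)


# Constructed sample identities: (identifier typed into the Identifier First
# adapter, mail attribute mapped after authentication or None if not mapped,
# whether the account really is an employee).
SAMPLES = [
    ("alice@corp.example", "alice@corp.example", True),
    ("bob@mail.example", "bob@mail.example", False),
    ("carol@corp.example", None, False),  # routed to corporate, no mapped mail
    ("corp.example@attacker.example", "corp.example@attacker.example", False),
    ("eve@corp.example.attacker.example", "eve@corp.example.attacker.example", False),
]


def evaluate(samples=SAMPLES):
    """One row per sample: branch chosen by the rules, and whether each form of
    the issuance criterion would accept the authenticated user."""
    rows = []
    for identifier, mapped_mail, is_employee in samples:
        rows.append({
            "identifier": identifier,
            "branch": route_branch(identifier),
            "contains_allows": issuance_allows_contains(mapped_mail),
            "endswith_allows": issuance_allows_endswith(mapped_mail),
            "is_employee": is_employee,
        })
    return rows


def bypasses(samples=SAMPLES):
    """Identifiers each form of the check accepts although the user is not an employee."""
    rows = evaluate(samples)
    return {
        "contains": [r["identifier"] for r in rows if r["contains_allows"] and not r["is_employee"]],
        "endswith": [r["identifier"] for r in rows if r["endswith_allows"] and not r["is_employee"]],
    }


if __name__ == "__main__":
    for r in evaluate():
        print(f'{r["identifier"]:36} -> {r["branch"]:13} '
              f'contains={r["contains_allows"]!s:5} endsWith={r["endswith_allows"]}')
    print("bypasses:", bypasses())
```

Running the block shows that the substring form accepts the two attacker-controlled addresses that merely embed the corporate domain, while the anchored form accepts only the genuine `@corp.example` account and rejects a user with no mapped `mail` attribute. The policy rules would already send those attacker addresses to the non-corporate branch, which is why the issuance criterion is the backstop for any path that reaches the corporate adapter without passing through the Identifier First routing.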
