Use Cases

Configuring adaptive authentication in PingFederate

This document explains the conceptual information behind network-based adaptive authentication. It also provides instructions for creating a new selector and configuring an authentication policy to enable adaptive authentication.

Network-based adaptive authentication is useful when PingFederate must authenticate users differently based on their network location. A typical application of this use case is when users must authenticate differently, depending on whether they are accessing a service from the organization’s internal network or from the internet. For example, an organization might want to use Kerberos to authenticate internal users to provide a seamless single sign-on (SSO) experience while presenting a sign-on page for external users.

Network-based adaptive authentication is achievable on all supported versions of PingFederate. The examples shown make use of PingFederate 10.1. All capabilities are offered out-of-the-box and no additional or custom components are required to implement this solution.

Component

PingFederate 10.1

Creating a new selector

Selectors and authentication sources can be conditionally chained together in paths to form policies.

Before you begin

  • PingFederate must determine if a user is inside your internal network. You must know CIDR network ranges that identify your internal network.

  • Upon identifying the network location of your user, you must know how you intend on authenticating your user in each case.

    • Configure authentication adapters, such as the Kerberos adapter and the HTML form adapter, along with their dependencies (Kerberos Realms and password credential validators (PCVs), respectively).

  • Define an authentication policy contract to allow the outcome of the authentication process to be mapped into your SAML connections or OAuth environment.

Steps

  1. In the PingFederate administrative console, go to Authentication → Policies → Selectors.

  2. To create a new selector, click Create New Instance.

  3. Configure the Type window.

    1. In the Instance Name field, enter an instance name.

    2. In the Instance ID field, enter the instance ID.

    3. From the Type list, select CIDR Authentication Selector.

    4. Click Next.

      Screen capture illustrating the Selector Type fields of Instance Name, Instance ID, and Type

  4. Configure the Authentication Selector window.

    1. Click Add a new row to 'Networks'.

    2. In the Network Range (CIDR notation) field, enter the CIDR ranges that identify your internal network address ranges.

      Screen capture illustrating the Network Range fields on the Authentication Selector tab. After the Network Range fields is a hyperlink option to Add a new row to Networks, which allows you to add additional network address ranges.

    3. To save your network, click Update.

    4. Optional: In the Result Attribute Name field, enter an attribute name.

    5. Click Next.

  5. On the Summary window, click Done.

  6. Click Save.

Configuring the authentication policy

Authentication policies define how PingFederate authenticates users.

Steps

  1. In the PingFederate administrative console, go to Authentication → Policies → Policies.

  2. To create a new policy, click Add Policy.

  3. Configure the Policy window.

    Screen capture illustrating the Name, Description, and Policy fields on the Policy window in .

    1. In the Name field, enter a name.

    2. In the Description field, enter a description.

    3. From the Policy list, go to Selectors and choose your previously created selector.

      Result:

      After choosing your selector, additional fields display that require you to identify which authentication adapters to use for internal and external users.

  4. From the additional lists that display, configure the authentication adapters to be used for internal and external users.

    Screen capture illustrating the internal and external authentication adapter lists in .

  5. Click Done.

  6. Click Save.

  7. To enable the network-based adaptive authentication policy, go to Authentication → Policies → Policies and select the IDP Authentication Policies check box.

    Screen capture illustrating the IDP Authentication Policies check box selected on the Authentication Policies window in .

Next steps

  • Map the policy contract you used after completing the adaptive authentication within your SAML connections and/or OAuth persistent grants.

  • You can hierarchically organize the policy to appear earlier or later in the Policy list.

    To configure PingFederate with multiple authentication policies or specify the order in which they are presented, go to Authentication → Policies → Policies.