--- title: Configuring adaptive authentication in PingFederate description: This document explains the conceptual information behind network-based adaptive authentication. It also provides instructions for creating a new selector and configuring an authentication policy to enable adaptive authentication. component: solution-guides page_id: solution-guides:workforce_use_cases:htg_config_adaptive_authn_pf canonical_url: https://docs.pingidentity.com/solution-guides/workforce_use_cases/htg_config_adaptive_authn_pf.html revdate: April 13, 2025 page_aliases: ["workforce_use_cases:htg_config_adaptive_authn_pf_new_selector.adoc"] section_ids: component: Component creating-a-new-selector: Creating a new selector before-you-begin: Before you begin steps: Steps configuring-the-authentication-policy: Configuring the authentication policy steps-2: Steps result: Result: next-steps: Next steps --- # Configuring adaptive authentication in PingFederate This document explains the conceptual information behind network-based adaptive authentication. It also provides instructions for creating a new selector and configuring an authentication policy to enable adaptive authentication. Network-based adaptive authentication is useful when PingFederate must authenticate users differently based on their network location. A typical application of this use case is when users must authenticate differently, depending on whether they are accessing a service from the organization's internal network or from the internet. For example, an organization might want to use Kerberos to authenticate internal users to provide a seamless single sign-on (SSO) experience while presenting a sign-on page for external users. Network-based adaptive authentication is achievable on all supported versions of PingFederate. The examples shown make use of PingFederate 10.1. All capabilities are offered out-of-the-box and no additional or custom components are required to implement this solution. ## Component PingFederate 10.1 ## Creating a new selector Selectors and authentication sources can be conditionally chained together in paths to form policies. ### Before you begin * PingFederate must determine if a user is inside your internal network. You must know CIDR network ranges that identify your internal network. * Upon identifying the network location of your user, you must know how you intend to authenticate your user in each case. * Configure authentication adapters, such as the Kerberos adapter and the HTML form adapter, along with their dependencies (Kerberos Realms and password credential validators (PCVs), respectively). * Define an authentication policy contract to allow the outcome of the authentication process to be mapped into your SAML connections or OAuth environment. ### Steps 1. In the PingFederate administrative console, go to **Authentication > Policies > Selectors**. 2. To create a new selector, click **Create New Instance**. 3. Configure the **Type** window. 1. In the **Instance Name** field, enter an instance name. 2. In the **Instance ID** field, enter the instance ID. 3. In the **Type** list, select **CIDR Authentication Selector**. 4. Click **Next**. ![Screen capture illustrating the Selector Type fields of Instance Name, Instance ID, and Type](_images/pae1601586970183.png) 4. Configure the **Authentication Selector** window. 1. Click **Add a new row to 'Networks'**. 2. In the **Network Range (CIDR notation)** field, enter the CIDR ranges that identify your internal network address ranges. ![Screen capture illustrating the Network Range fields on the Authentication Selector tab. After the Network Range fields is a hyperlink option to Add a new row to Networks, which allows you to add additional network address ranges.](_images/lfg1601587281892.png) 3. To save your network, click **Update**. 4. **Optional:** In the **Result Attribute Name** field, enter an attribute name. 5. Click **Next**. 5. On the **Summary** window, click **Done**. 6. Click **Save**. ## Configuring the authentication policy Authentication policies define how PingFederate authenticates users. ### Steps 1. In the PingFederate administrative console, go to **Authentication > Policies > Policies**. 2. To create a new policy, click **Add Policy**. 3. Configure the **Policy** window. ![Screen capture illustrating the Name, Description, and Policy fields on the Policy window in .](_images/wgx1601587629835.png) 1. In the **Name** field, enter a name. 2. In the **Description** field, enter a description. 3. From the **Policy** list, go to **Selectors** and choose your previously created selector. #### Result: After choosing your selector, additional fields display that require you to identify which authentication adapters to use for internal and external users. 4. From the additional lists that display, configure the authentication adapters to be used for internal and external users. ![Screen capture illustrating the internal and external authentication adapter lists in .](_images/peo1601587892714.png) 5. Click **Done**. 6. Click **Save**. 7. To enable the network-based adaptive authentication policy, go to **Authentication > Policies > Policies** and select the **IDP Authentication Policies** checkbox. ![Screen capture illustrating the IDP Authentication Policies checkbox selected on the Authentication Policies window in .](_images/bvd1601587996122.png) ## Next steps * Map the policy contract you used after completing the adaptive authentication within your SAML connections, OAuth persistent grants, or both. * You can hierarchically organize the policy to appear earlier or later in the **Policy** list. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | To configure PingFederate with multiple authentication policies or specify the order in which they are presented, go to **Authentication > Policies > Policies**. |