Use Cases

Setting up and testing a custom authentication policy

Authentication policies are used in PingFederate to implement complex authentication requirements. This document explains how to create a new custom authentication policy in PingFederate, and then test the policy.

Component

PingFederate 10.0 or later

Creating a custom authentication policy in PingFederate

Build and deploy a simple example of a custom authentication policy in PingFederate when there are multiple user types that need different authentication flows.

Before you begin

Make sure you have the following:

  • PingFederate 10 or later with administrator access to web console

  • PingID for multi-factor authentication (MFA)

  • HTML Form identity provider (IdP) adapter

  • Simple password credential validator (PCV)

  • A second SimpleForm (HTML Form adapter) instead of PingID

  • IdP connection

  • Selector

About this task

Authentication policies are an optional configuration in PingFederate and help administrators implement complex authentication requirements.

A simple example of a custom authentication policy is having PingID act as a second-factor authentication event that triggers after a username and password form.

Consider a custom policy when there are multiple user types that need different authentication flows, or if you want to chain together two types of authenticators, such as username and password with MFA.

Steps

  1. In the PingFederate administrative console, go to Authentication → Policies → Policies.

  2. In the Authentication Policies window, click Add Policy.

  3. In the Name field, enter a policy name.

  4. In the Description field, enter a description.

  5. From the Policy list, select a previously created configuration:

    Choose from:

    • IdP Adapter

    • IdP Connection

    • Selector

  6. In the Fail field, click Done.

    This means if the user fails authenticating the SimpleForm, their single sign-on (SSO) session ends.

  7. From the Success list, select the PingID Adapter. Additional Fail/Success lists will appear.

    Screen capture illustrating the Policy configuration for a authentication policy. The Policy type shows SimpleForm. After this field are the Fail field set to Done and the Success field set to - Adapter. There are two hyperlinks below the Success field: Options and Rules.

    1. Click Options.

  8. In the Incoming User ID window, from the Source list, select Adapter (SimpleForm) and from the Attribute list, select username.

    Screen capture illustrating the Incoming User ID window in . There are two lists: Source and Attribute. The Source list shows Adapter (SimpleForm) and the Attribute list shows username. Next to the list selection fields is the Clear hyperlink option. At the bottom of the window are the option for Cancel and the Done button.

    1. Click Done.

  9. After the Success list, set the Fail and Success lists to Done.

    Screen capture illustrating the configured Policy fields for a custom authentication policy in . The Policy type shows SimpleForm. After this field are the Fail field set to Done and the Success field set to - Adapter. There are two hyperlinks below the Success field: Options and Rules. After the Success field are another pair of Fail and Success fields, both set to Done.

    1. Click Done.

      Result:

      The custom policy appears in the Policies window in the Policy list.

  10. To save and enable the new policy, click Save.

    Screen capture of the Policies window on the Policies tab in with a configured and enabled policy in the Policy list. A green toggle to the right of the policy information indicates the policy is enabled. At the bottom of the image is a hyperlink option to Cancel and the Next and Save buttons.

Testing a custom authentication policy in PingFederate (HTML Form with PingID MFA)

Test the custom authentication policy you created in PingFederate.

Before you begin

Set up a service provider (SP) connection.

About this task

This requires an SP connection. This example is using the website HTTP_BIN as a sample application that PingFederate will send the user to after the custom authentication policy has completed successfully.

Steps

  1. Locate an SP Connection that you configured previously to leverage the custom authentication policy.

    1. Go to Applications → SP Connections → SP Connection → Activation & Summary.

  2. Click the SSO Application Endpoint.

    Screen capture illustrating the SSO Application Endpoint URL on the SP Connection Actiation & Summary tab in .

    Result:

    The Sign On window appears.

  3. Enter a valid Username and Password based on your SimpleForm and SimplePCV settings.

    1. Click Sign On.

      Screen capture illustrating the Sign On window redirect from the SSO Application Endpoint.

  4. Approve the sign-on request using multi-factor authentication (MFA), such as your mobile push.

    Screen capture illustrating the MFA push notification.

    • If you entered in a username and password combo that doesn’t authenticate, an error message will display.

    • If you entered in a recognized user in the form, but the user has not yet enrolled in PingID, a registration window will display.