Adding multi-factor authentication to secure apps (PingID with PingAccess)
Learn how to synchronize a session for your web applications between PingFederate and PingAccess through PingID
Before you begin
- Verify that PingFederate 10.3 and PingAccess 6.3 are installed and running.
- Create an OpenID Connect (OIDC) connection between PingFederate and PingAccess, as described in Configure PingFederate for PingAccess connectivity (page 512).
- Register a PingID account, as described in Register the PingID service.
- Set up a PingID adapter in PingFederate, as described in Managing IdP adapters (page 396).
This use case was developed with the specified product versions. With more recent product versions, the general workflow should apply, although specific menu options and screens might differ.
Creating a SAML authentication policy contract
About this task
Create a SAML authentication policy contract, as described in Policy contracts (page 274).
Steps
- In PingFederate, go to Authentication > Policies > Policy Contracts.
- Click Create New Contract.
- On the Contract Info tab, in the Contract Name field, enter a name for your SAML authentication policy contract.
- On the Contract Attributes tab, in the Extend the Contract section, enter SAML_AUTHN_CTX and click Add.
- Click Next.
- On the Summary tab, click Save.
Creating an authentication selector
About this task
Create an authentication selector as described in Configuring the Requested AuthN Context Authentication Selector (page 233).
Steps
- In PingFederate, go to Authentication > Policies > Selectors.
- Click Create New Instance and enter the following values on the Type tab.
  Parameter      Value
  Instance Name  PA Step Up Authentication
  Instance Id    PAStepUpAuth
  Type           Requested AuthN Context Authentication Selector
- On the Authentication Selector tab, select the Field Value checkbox next to Add or Update Authn Context Attribute. Click Next.
- On the Selector Result Values tab, add htmlForm and pingid as Result Values. Click Next.
- On the Summary tab, click Save.
Creating an authentication policy tree
About this task
Create an authentication policy tree, as described in Defining authentication policies (page 242).
Steps
- Go to IdP Configuration > Authentication Policies > Policies.
- Click Enable IdP Authentication Policies.
- In the Action list, select your authentication selector.
- For the htmlForm success result, click Contract Mapping to enable your authentication policy to fulfill the contract based on a username submitted on an HTML form.
- For the pingid success result, click Options to link the form source with the username attribute.
- For the pingid success result, click Contract Mapping to enable your authentication policy to fulfill the contract based on passing the username through PingID.
Adding an OAuth authentication policy mapping
Before you begin
Optionally, go to OAuth settings > Token & Attribute Mapping > IdP Adapter Mapping to remove any existing identity provider (IdP) adapter mappings.
Steps
- In PingFederate, go to Authentication > OAuth > Policy Contract Grant Mapping.
- In the Mappings section, in the Policy Contract list, select the authentication policy contract that you created earlier and click Add Mapping.
- Click Next.
- On the Contract Fulfillment tab, in the USER_KEY row:
  - In the Source list, select Authentication Policy Contract.
  - In the Value list, select subject.
- In the USER_NAME row:
  - In the Source list, select Authentication Policy Contract.
  - In the Value list, select subject.
- Click Next until you reach the Summary tab.
- Click Save.
Adding access settings and policy rules in PingAccess
Steps
- In PingAccess, to add access settings for htmlForm and pingid, go to Access > Authentication > Authentication Requirements. You can find more information in Configuring an authentication requirements list.
- To add rules as described in Rule Management (page 268), go to Access > Rules:
  - Create a Step Up Authentication rule for PingAccess.
  - Create an HTML Form Authentication rule.
- Go to Applications > Applications, expand your application, and click the Pencil icon to edit:
  - On the Resources tab, expand the Root Resource and click the Pencil icon to edit.
  - On the Web Policy tab, under Available Rules, click the icon next to your Step Up Authentication rule from the previous step. Click Save.
Learn more in Rule Management (page 268).
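The following is an added example, not Ping product code or configuration from this guide. It models in plain Python how the two halves configured above interact: the PingFederate side (the Requested AuthN Context selector choosing between the htmlForm and pingid result values, and the policy tree fulfilling the contract's subject and SAML_AUTHN_CTX attributes) and the PingAccess side (a Step Up Authentication rule comparing the session's authentication context with what the resource requires). The ranking of htmlForm below pingid, the fallback to htmlForm when no usable context is requested, and all function and data names are assumptions made for the illustration; the real products exchange this state over the OIDC connection, which the model collapses into a shared Session object.

```python
"""Toy model of PingAccess step-up authentication driven by a PingFederate
Requested AuthN Context selector. Added illustration only; not Ping product code."""
from dataclasses import dataclass
from typing import Optional

# Selector result values from the guide. The numeric rank is a constructed assumption:
# a pingid session is treated as at least as strong as an htmlForm session.
AUTHN_RANK = {"htmlForm": 1, "pingid": 2}


@dataclass
class Session:
    """State synchronized between the two products (simplified to one object)."""
    username: Optional[str] = None
    authn_ctx: Optional[str] = None  # value the contract's SAML_AUTHN_CTX attribute carried


@dataclass
class Resource:
    path: str
    required_ctx: str  # authentication requirement attached to the resource by the PingAccess rule


def select_result(requested_ctx: Optional[str]) -> str:
    """Model of the Requested AuthN Context selector: the requested context picks the branch."""
    if requested_ctx in AUTHN_RANK:
        return requested_ctx
    return "htmlForm"  # assumption: fall back to the form branch when nothing usable is requested


def fulfil_contract(session: Session, result: str, form_username: Optional[str] = None) -> dict:
    """Model of the policy tree: both success branches fill 'subject' and SAML_AUTHN_CTX."""
    if result == "htmlForm":
        if not form_username:
            raise ValueError("htmlForm branch needs a username submitted on the HTML form")
        subject = form_username
    elif result == "pingid":
        # The pingid branch takes its username from the form source (the Options link in the guide).
        subject = form_username or session.username
        if not subject:
            raise ValueError("pingid branch has no username to pass to PingID")
    else:
        raise ValueError(f"unknown selector result {result!r}")
    return {"subject": subject, "SAML_AUTHN_CTX": result}


def check_access(session: Session, resource: Resource) -> tuple:
    """Model of the PingAccess rule: allow, or demand a stronger context (step-up)."""
    have = AUTHN_RANK.get(session.authn_ctx, 0)  # unauthenticated session ranks 0
    need = AUTHN_RANK[resource.required_ctx]
    return ("allow", None) if have >= need else ("step-up", resource.required_ctx)


def request(session: Session, resource: Resource, form_username: Optional[str] = None) -> str:
    """One request: run the PingAccess check; on step-up, run the PingFederate side and retry."""
    decision, requested = check_access(session, resource)
    if decision == "allow":
        return "allow"
    contract = fulfil_contract(session, select_result(requested), form_username)
    session.username = contract["subject"]
    session.authn_ctx = contract["SAML_AUTHN_CTX"]
    # Re-evaluate with the synchronized session; a second step-up here would be a misconfiguration.
    return check_access(session, resource)[0]


def demo() -> tuple:
    """Constructed walk-through: form login, then step-up to PingID for a sensitive resource."""
    session = Session()
    portal = Resource("/portal", "htmlForm")
    admin = Resource("/portal/admin", "pingid")
    trace = [
        request(session, portal, form_username="alice"),  # step-up to htmlForm, then allow
        request(session, admin),  # step-up to pingid; username 'alice' comes from the form source
        request(session, portal),  # the pingid session also satisfies the htmlForm requirement
    ]
    return trace, session.authn_ctx


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from the model is the last error path: the pingid branch has no username of its own, so if the form-source link configured under Options is missing, the PingID step cannot be fulfilled. In the products this shows up as a failed contract fulfillment rather than a Python exception, but the cause is the same.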