In my previous article on PingAccess I discussed how to set up scoped web sessions that let you provide specific attribute contracts to applications protected by PingAccess. In this article, I will discuss how to use Authentication Requirements to specify how authentication should happen for particular applications.
PingAccess uses PingFederate to handle the authentication: PingFederate acts as an OpenID Connect Identity Provider (IDP), while PingAccess acts in the role of Relying Party (RP), or, as some of us call it in the SAML world, the Service Provider (SP). As always, Ping Identity is about using standards to provide solutions that allow you to protect your resources.
Before we get into how to set this up, let's get a little background on how OpenID Connect makes this happen. The RP initiates a request to the IDP to authenticate the user and provide user claims (attributes); this is equivalent to an SP-initiated request in SAML/WS-Federation. As part of this request, the RP may request an Authentication Context Class Reference (acr), the counterpart of the authentication context requested in a SAML AuthnRequest, that specifies how the user should be authenticated.
To leverage the acr option in PingAccess you need to define Authentication Requirements that specify one or more acr values. This definition is then used in the Resource configuration, where you specify which resource requires a specific authentication method. It ties in with the web session you defined for the resource, which specifies the PingFederate client used to handle the authentication, as we discussed last time.
To complete this cycle you need to configure the Requested AuthN Context Selector in PingFederate, an adapter selector that looks at the acr values provided. You then map each acr value to the proper adapter to handle that authentication. And, of course, the selected adapter can be a Composite Adapter to give you multi-factor authentication, or simply another adapter that provides step-up authentication if the user is already authenticated.
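The round trip described above, shown end to end as an added example (this is not PingAccess or PingFederate code; the authorization endpoint, client id, redirect URI, acr URNs, resource paths and adapter names are all constructed placeholders). It follows the OpenID Connect Core rules that the request carries a space-separated `acr_values` parameter and the resulting ID token carries the single `acr` the provider actually performed. The RP side attaches the resource's required acr values to the authorization request, the OP side picks the adapter for a requested value the way the Requested AuthN Context Selector does, and the RP then checks the asserted `acr` claim against the resource's requirement so that a password-only session does not silently satisfy an MFA-protected resource:

```python
"""acr round trip between an OIDC Relying Party (the PingAccess role) and an
OpenID Provider (the PingFederate role). Added example; every name below is a
constructed placeholder, not a real deployment value."""
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholder values for the provider endpoint and the RP client.
AUTHORIZATION_ENDPOINT = "https://idp.example.com/as/authorization.oauth2"
CLIENT_ID = "pingaccess-web-session"
REDIRECT_URI = "https://app.example.com/pa/oidc/cb"

# Resource path prefix -> required acr values, mirroring Authentication
# Requirements attached to a PingAccess resource (constructed values).
RESOURCE_REQUIREMENTS = {
    "/portal/": ["urn:example:password"],
    "/admin/": ["urn:example:mfa", "urn:example:pki"],
}

# Mirrors the Requested AuthN Context Selector mapping: acr value -> adapter
# instance that can satisfy it (constructed adapter names).
ACR_TO_ADAPTER = {
    "urn:example:password": "HTMLFormAdapter",
    "urn:example:mfa": "CompositeAdapter_FormPlusOTP",
    "urn:example:pki": "X509Adapter",
}
DEFAULT_ADAPTER = ("HTMLFormAdapter", "urn:example:password")


def requirements_for(path):
    """Longest-prefix match of a request path to its configured acr values."""
    prefixes = [p for p in RESOURCE_REQUIREMENTS if path.startswith(p)]
    if not prefixes:
        return []
    return RESOURCE_REQUIREMENTS[max(prefixes, key=len)]


def build_authorization_request(path, state, nonce):
    """RP side: authorization request carrying acr_values for the resource."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
    }
    required = requirements_for(path)
    if required:
        # OIDC Core: acr_values is a space-separated list, in preference order.
        params["acr_values"] = " ".join(required)
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def select_adapter(authorization_url):
    """OP side: choose the adapter for the first requested acr it can satisfy,
    falling back to the default adapter when nothing usable was requested."""
    query = parse_qs(urlparse(authorization_url).query)
    requested = query.get("acr_values", [""])[0].split()
    for acr in requested:
        if acr in ACR_TO_ADAPTER:
            return ACR_TO_ADAPTER[acr], acr
    return DEFAULT_ADAPTER


def id_token_claims(id_token):
    """Decode the payload of a compact JWS. The signature is assumed to have
    been verified already; this helper only reads the claims."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def session_satisfies(claims, path):
    """RP side: the acr the OP asserted must be one of the values the resource
    requires. A session whose acr is a password login therefore does not
    unlock an MFA-protected path; the RP has to send a new request with the
    stronger acr_values, which is the step-up case."""
    required = requirements_for(path)
    if not required:
        return True
    return claims.get("acr") in required


def constructed_id_token(claims):
    """Test fixture only: an unsigned token in compact form so the example
    runs offline. A real ID token is signed and must be verified."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    url = build_authorization_request("/admin/reports", "st-1", "n-1")
    print("RP request:", url)
    print("OP selects:", select_adapter(url))
    pw_session = id_token_claims(constructed_id_token({"sub": "alice", "acr": "urn:example:password"}))
    print("password session opens /portal/:", session_satisfies(pw_session, "/portal/home"))
    print("password session opens /admin/: ", session_satisfies(pw_session, "/admin/reports"))
```

The strict check in `session_satisfies` is the point worth carrying over to a real deployment: requesting an acr only expresses a preference, and the provider reports what it actually did in the `acr` claim, so the RP has to compare the claim with the requirement rather than trust that the request was honoured.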
I hope you found this article helpful. If you have ideas for future topics or any questions, please post them in the comments. Follow me on Twitter.