When using PingFederate authentication users are unable to login and the message "Access denied. Unable to authenticate user" is seen. 

Already verified that certificates are valid like in the article vCenter Login fails via PingFederate

vCenter 8.u3 or above

PingFederate configuration is missing client vSphere policy selector.

Configure PingFederate client vSphere policy selectors. 

Note, contact Ping Identity support for assistance with debugging and configuring Ping Federate.

PingFederate comes bundled with a set of authentication selectors. Authentication selectors provide a plugin capability for PingFederate to evaluate various conditions related to the requests.: