docs.pingidentity.com
3.219.111.8  Public Scan

URL: https://docs.pingidentity.com/bundle/pingfederate-110/page/dri1564003022949.html
Submission: On May 20 via manual from DE — Scanned from DE

Form analysis 3 forms found in the DOM

Name: searchForm

<form name="searchForm">
  <div class="searchbar">
    <i class="fa fa-search"></i>
    <div class="searchbar__input-container">
      <label>
        <input type="text" name="q" id="searchMobile" class="st-default-search-input" role="searchbox">
      </label>
      <div class="coveo-search-section" id="coveo-search-section">
      </div>
    </div>
  </div>
</form>

<form class="form-modal">
  <div class="modal-buttons">
    <p>Did you find this helpful?</p>
    <div class="modal-buttons-inner">
      <a data-selected="" role="button" class="pingFeedbackModalHtml_likeBtns__3olN5"><svg class="ico-thumb-up"><use xlink:href="#ico-thumb-up"></use></svg><span>Yes</span></a><a data-selected="" role="button" class="pingFeedbackModalHtml_likeBtns__3olN5"><svg class="ico-thumb-down"><use xlink:href="#ico-thumb-down"></use></svg><span>No</span></a>
    </div>
  </div>
  <div class="form-group"><label class="pingFeedbackModalHtml_modalLabel__2mhnB">Write your review<textarea class="form-control" placeholder="What did you like or dislike? How can we improve this topic?"></textarea></label></div>
  <div class="form-group"><label class="pingFeedbackModalHtml_modalLabel__2mhnB">Your email<input type="email" class="form-control" placeholder="Provide your e-mail if you'd like us to respond" value=""></label></div>
  <div class="modal-actions pingFeedbackModalHtml_actions__pFhQW"><button class="btn btn-primary btn-primary--alt zDocsFeedbackSubmitButton" type="submit">SEND FEEDBACK</button><button class="btn btn-outline btn-outline--alt "
      data-dismiss="modal">CANCEL</button></div>
</form>

<form class="form-modal">
  <div class="modal-buttons">
    <p>Did you find this helpful?</p>
    <div class="modal-buttons-inner">
      <a data-selected="" role="button" class="pingFeedbackModalHtml_likeBtns__3olN5"><svg class="ico-thumb-up"><use xlink:href="#ico-thumb-up"></use></svg><span>Yes</span></a><a data-selected="" role="button" class="pingFeedbackModalHtml_likeBtns__3olN5"><svg class="ico-thumb-down"><use xlink:href="#ico-thumb-down"></use></svg><span>No</span></a>
    </div>
  </div>
  <div class="form-group"><label class="pingFeedbackModalHtml_modalLabel__2mhnB">Write your review<textarea class="form-control" placeholder="What did you like or dislike? How can we improve this topic?"></textarea></label></div>
  <div class="form-group"><label class="pingFeedbackModalHtml_modalLabel__2mhnB">Your email<input type="email" class="form-control" placeholder="Provide your e-mail if you'd like us to respond" value=""></label></div>
  <div class="modal-actions pingFeedbackModalHtml_actions__pFhQW"><button class="btn btn-primary btn-primary--alt zDocsFeedbackSubmitButton" type="submit">SEND FEEDBACK</button><button class="btn btn-outline btn-outline--alt "
      data-dismiss="modal">CANCEL</button></div>
</form>

Text Content


PINGFEDERATE SERVER

 * 11.0
 * 10.3
 * 10.2
 * 10.1
 * 10.0
 * 9.3
 * 9.2
 * 9.1
 * 9.0
 * 8.4
 * 8.3
 * 8.2
 * 8.1
 * 8.0
 * 7.3
 * 7.2
 * 7.1
 * 7.0

 * Release Notes
   * PingFederate 11.0.3 - May 2022
   * PingFederate 11.0.2 - March 2022
   * PingFederate 11.0.1 - January 2022
   * PingFederate 11.0 - December 2021
   * Known issues and limitations
   * Deprecated features
   * Previous releases
 * Introduction to PingFederate
   * About identity federation and SSO
   * Supported standards
     * Federation roles
     * Terminology
     * Browser-based SSO
       * SAML 1.x profiles
         * SSO—Browser-POST
         * SSO—Browser-Artifact
         * SP-initiated (destination-first) SSO
       * SAML 2.0 profiles
         * Single sign-on
           * SP-initiated SSO—POST-POST
           * SP-initiated SSO—Redirect-POST
           * SP-initiated SSO—Artifact-POST
           * SP-initiated SSO—POST-Artifact
           * SP-initiated SSO—Redirect-Artifact
           * SP-initiated SSO—Artifact-Artifact
           * IdP-initiated SSO—POST
           * IdP-initiated SSO—Artifact
         * Single logout
         * Attribute Query and XASP
         * Standard IdP Discovery
       * WS-Federation
       * About account linking
     * Web services standards
       * Web Services Security
       * WS-Trust
         * Request types
     * OAuth 2.0
       * Web redirect flow
       * Device authorization grant
       * CIBA grant
         * CIBA by poll
         * CIBA by ping
       * Token exchange grant
       * Assertion grant profile for OAuth 2.0 authorization grants
       * OpenID Connect support
       * Client management
     * System for Cross-domain Identity Management (SCIM)
     * Transport and message security
   * Integration overview
     * Bundled adapters and authenticators
     * Additional integrations
     * SSO integration concepts
     * Identity provider integration
     * Service provider integration
   * Security token service
   * OAuth authorization server
   * User account management
   * Enterprise deployment features
   * Additional features
   * Key concepts
     * WS-Trust STS
       * Connection-based policy
       * Token processors and generators
       * WSC and WSP support
       * STS OAuth integration
     * About OAuth
       * Delegated access types
       * Token models and management
       * Grant types
       * Scopes
       * Consent approval
       * Client management and storage
       * Client authentication schemes
       * Dynamic client registration
       * Transient grants and persistent grants
       * Grant storage and management
       * Mapping OAuth attributes
       * OAuth user-facing windows
       * OpenID Connect
       * CORS support for OAuth endpoints
     * Bundled adapters and authenticators
     * Security infrastructure
       * Digital signatures
         * Message signing
         * Certificate validation
         * Digital signing policy coordination
       * Secure sockets layer
       * Encryption
     * Hierarchical plugin configurations
     * Identity mapping
       * Account linking
       * Account mapping
     * User attributes
       * Attribute contracts
       * Adapter contracts
       * STS token contracts
       * Datastores
       * Attribute masking
       * Token authorization
     * User provisioning
       * Outbound provisioning for IdPs
       * Provisioning for SPs
     * Customer identity and access management
     * Federation hub use cases
       * Bridging an IdP to an SP
       * Bridging an IdP to multiple SPs
       * Bridging multiple IdPs to an SP
       * Bridging multiple IdPs to multiple SPs
       * Federation hub and authentication policy contracts
       * Federation hub and virtual server IDs
     * Federation planning checklist
       * Multiple virtual server IDs
       * Configuration data exchange
 * Installing PingFederate
   * System requirements
     * Compatible database drivers
     * Port requirements
   * Installing Java
   * Installing PingFederate 11.0
 * Uninstalling PingFederate
   * Uninstalling PingFederate from a Windows server
   * Uninstalling PingFederate from a Linux server
 * Upgrading PingFederate
   * Downloading PingFederate
   * Preparing to upgrade PingFederate
   * Upgrade considerations
     * Upgrade considerations introduced in PingFederate 11.x
     * Upgrade considerations introduced in PingFederate 10.x
     * Upgrade considerations introduced in PingFederate 9.x
     * Upgrade considerations introduced in PingFederate 8.x
     * Upgrade considerations introduced in PingFederate 7.x
     * Upgrade considerations introduced in PingFederate 6.x
   * Upgrading PingFederate installations
   * Custom mode in the Upgrade Utility
   * Post-upgrade tasks
     * Reviewing administrative users
     * Copying customized files or settings
     * Reviewing database changes
       * Provisioning datastore reset
       * Security enhancement in JDBC datastore queries
       * New connection pool library
       * An improved index in the database table for OAuth clients
       * Changes in the database tables for log messages
       * Changes in the database table for account linking
       * Changes in the database tables for OAuth clients
       * Changes in the database tables for OAuth persistent grants and extended
         attributes
       * A new database table for OAuth persistent grant extended attributes
       * New indexes in the database table for OAuth persistent grants
       * Changes in a database table supporting nested group membership
     * Logging configurations
     * Migrating other components
       * Updating the custom authentication selector
       * Migrating to the integrated LDAP Username PCV
       * Migrating to the integrated Username Token Processor
     * Resetting files and variable for HSM
     * Verifying the new installation
   * Updating to the latest maintenance release
 * Getting Started with PingFederate
   * Starting and stopping PingFederate
   * Opening the PingFederate administrative console
   * Setting up PingFederate
   * PingFederate administrative console
     * Navigation tabs and menus
     * Customizing shortcuts
     * Tasks and steps
     * Console buttons
   * Third-party cryptographic solutions
     * Supported hardware security modules
       * Integrating with AWS CloudHSM
         * AWS CloudHSM operational notes
       * Integrating with Thales Luna Network HSM
         * SafeNet Luna Network HSM operational notes
       * Integrating with Entrust nShield Connect HSM
         * nShield Connect HSM operational notes
     * Supported software security package
       * Integrating with Bouncy Castle FIPS provider
         * Setting up with Java 8 or Java 11
         * Bouncy Castle operational notes
 * Server Clustering Guide
   * Overview of clustering
   * Cluster protocol architecture
   * Runtime state-management architectures
     * Adaptive clustering
       * Multi-region support
       * Configuring multi-region support
     * Directed clustering
       * Sharing all nodes
       * Designating state servers
       * Defining subclusters
   * Runtime state-management services
     * Inter-Request State-Management (IRSM) Service
     * IdP Session Registry Service
     * SP Session Registry Service
     * LRU memory management schemes
     * Assertion Replay Prevention Service
     * Artifact-Message Persistence and Retrieval Service
     * Back-Channel Session Revocation Service
     * Account Locking Service
     * Other services
   * Deploying cluster servers
     * Dynamic cluster discovery
       * Enabling dynamic discovery for clustering
       * Migrating cluster discovery settings
   * Deploying provisioning failover
   * Configuration synchronization
     * Console configuration push
     * Configuration-archive deployment
 * Administrator's Reference Guide
   * Attribute mapping expressions
     * Enabling and disabling expressions
     * Construct OGNL expressions
       * Sample OGNL expressions
         * Issuance criteria and multiple virtual server IDs
         * Expressions for OAuth and OpenID Connect uses cases
     * Using the OGNL edit window
   * Authentication policies
     * Selectors
       * Managing authentication selector instances
         * Choosing a selector type
         * Configuring an authentication selector instance
           * Configuring the CIDR Authentication Selector
           * Configuring the Cluster Node Authentication Selector
           * Configuring the Connection Set Authentication Selector
           * Configuring the Extended Property Authentication Selector
           * Configuring the HTTP Header Authentication Selector
           * Configuring the HTTP Request Parameter Authentication Selector
           * Configuring the OAuth Client Set Authentication Selector
           * Configuring the OAuth Scope Authentication Selector
           * Configuring the Requested AuthN Context Authentication Selector
           * Configuring the Session Authentication Selector
             * Configuring a sample use case
     * Policies
       * Defining authentication policies
       * Specifying incoming user IDs
       * Configuring rules in authentication policies
         * Defining authentication policies based on group membership
           information
       * Applying policy contracts or identity profiles to authentication
         policies
         * Configuring contract mapping
         * Configuring local identity mapping
         * Defining issuance criteria for contract or local identity mapping
       * Mapping a policy contract to multiple use cases
       * SP authentication policies
         * Configuring an SP authentication policy for users from one IdP
         * Configuring SP authentication policies for users from multiple IdPs
         * Configuring SP authentication policies for internal users
     * Policy fragments
       * Defining a policy fragment
     * Policy contracts
       * Managing policy contracts
       * Editing contract information
       * Defining contract attributes
       * Reviewing the policy contract
     * Adapter Mappings
       * Configuring authentication policy adapter mappings
       * Defining issuance criteria for adapter mapping
     * Sessions
       * Configuring tracking options for logout
       * Configuring application sessions
       * Configuring authentication sessions
   * Bundled adapters
     * Composite Adapter
       * Configuring a Composite Adapter instance
     * HTML Form Adapter
       * Configuring an HTML Form Adapter instance
         * HTML Form Adapter advanced fields
     * HTTP Basic Adapter
       * Configuring an HTTP Basic Adapter instance
     * Identifier First Adapter
       * Configuring an Identifier First Adapter instance
       * Identifier First Adapter and authentication policies
         * Configuring a policy for multiple user populations
     * Kerberos Adapter
       * Authentication mechanism assurance
       * Configuring a Kerberos Adapter instance for SSO authentication
       * Configuring end-user browsers
     * OpenToken Adapter
       * Configuring an OpenToken IdP Adapter instance
       * Configuring an OpenToken SP Adapter instance
     * Configuring a Reference ID adapter
     * Configuring an X.509 Certificate IdP adapter
   * Customer IAM configuration
     * Setting up PingDirectory for customer identities
     * Managing local identity profiles
     * Configuring local identity profiles
       * Defining authentication sources
       * Configuring local identity fields
       * Configuring email ownership verification options
       * Configuring registration options
       * Configuring profile management options
       * Managing datastore configuration
       * Reviewing a local identity profile
     * Configuring the HTML Form Adapter for customer identities
     * Setting up self-service registration
       * Configuring third-party identity providers
       * Enabling profile management
       * Creating advanced registration mapping
     * Enabling third-party identity providers without registration
   * Customizing assertions and authentication requests
     * Message types and available variables
     * Sample customizations
   * Fulfillment by datastore queries
     * Attribute mapping with multiple data sources
     * Datastore query configuration
       * Choosing a datastore
       * Specifying database tables and columns
       * Entering a database search filter
       * Specifying directory properties and attributes
       * Defining encoding for binary attributes
       * Entering a directory search filter
       * Specifying data source filters and fields
         * Specifying data source filters for REST API datastores
         * Specifying a dynamic authorization header for a REST API datastore
         * Specifying filters and fields for a custom datastore
       * Configuring failsafe options
       * Reviewing datastore query configurations
   * IdP-to-SP bridging
     * Adapter-to-adapter mappings
       * Managing mappings
       * Assigning a license group
       * Configuring attribute sources and user lookup for adapter-to-adapter
         mappings
       * Configuring target application information
       * Configuring contract fulfillment for adapter-to-adapter mappings
       * Configuring a default target URL (optional)
       * Defining issuance criteria for adapter-to-adapter mappings
       * Reviewing the adapter-to-adapter mapping
     * Token translator mappings
       * Managing token mappings
       * Configuring attribute sources and user lookup for token mapping
       * Configuring contract fulfillment for token exchange mapping
       * Defining issuance criteria for token translator mapping
       * Reviewing the token exchange mapping
   * Identity provider SSO configuration
     * IdP application integration settings
       * Managing IdP adapters
         * Creating an IdP adapter instance
         * Configuring an IdP adapter instance
         * Invoking IdP adapter actions
         * Extending an IdP adapter contract
         * Setting pseudonym and masking options
         * Defining the IdP adapter contract
           * Defining attribute sources and user lookup
           * Configuring IdP adapter contract fulfillment
           * Defining issuance criteria for IdP adapter contract
           * Reviewing an IdP adapter contract
         * Reviewing and saving an IdP adapter configuration
       * Authentication applications and the authentication API
         * Managing authentication applications
         * Configuring authentication applications
       * Configuring a default URL and error message
       * Viewing IdP application endpoints
     * IdP protocol endpoints
     * SP connection management
       * Accessing SP connections
       * Resolving SP connection errors
       * Importing a connection
       * Updating a SAML connection using metadata
       * Choosing an SP connection template
       * Choosing an SP connection type
       * Choosing SP connection options
       * Importing SP metadata
       * Identifying the SP
       * Populating extended property values for SP connections
       * Configure IdP Browser SSO
         * Choosing SAML 2.0 profiles
         * Setting an SSO token lifetime
         * Configuring SSO token creation
           * Choosing an identity mapping method for IdP SSO
             * Selecting a SAML Name ID type
             * Selecting a WS-Federation Name ID type
           * Setting up an attribute contract
           * Managing authentication source mappings
             * Mapping an adapter instance
             * Mapping an authentication policy
             * Overriding an IdP adapter instance
             * Restricting an authentication source to certain virtual server
               IDs
             * Selecting an attribute mapping method
             * Configuring default contract fulfillment for IdP Browser SSO
             * Defining issuance criteria for IdP Browser SSO
             * Configuring attribute sources and user lookup
             * Configuring contract fulfillment for IdP Browser SSO
             * Reviewing the authentication source mapping
           * Reviewing the SSO token creation summary
         * Configuring protocol settings
           * Setting Assertion Consumer Service URLs (SAML)
           * Setting a default target URL (SAML 1.x)
           * Specifying the WS-Trust version
           * Defining a service URL (WS-Federation)
           * Specifying SLO service URLs (SAML 2.0)
           * Choosing allowable SAML bindings (SAML 2.0)
           * Setting an artifact lifetime (SAML)
           * Specifying artifact resolver locations (SAML 2.0)
           * Defining signature policy (SAML)
           * Configuring XML encryption policy (SAML 2.0)
           * Reviewing protocol settings
         * Reviewing browser-based SSO settings
       * Configuring the Attribute Query profile in an SP connection
         * Defining retrievable attributes
         * Configuring attribute lookup
         * Choosing a datastore for Attribute Query
         * Configuring mapping fulfillment for Attribute Query
         * Defining issuance criteria for Attribute Query
         * Specifying security policy
         * Reviewing the Attribute Query configuration
       * Configuring credentials
         * Configuring back-channel authentication (SAML)
           * Configuring authentication requirements for outbound messages
           * Configuring authentication requirements for inbound messages
         * Configuring digital signature settings
         * Configuring signature verification settings (SAML 2.0)
         * Selecting an encryption certificate
         * Selecting a decryption key (SAML 2.0)
         * Reviewing SP credential settings
       * Configuring outbound provisioning
         * Defining a provisioning target
         * Specifying custom SCIM attributes
         * Managing channels
         * Specifying channel information
         * Identifying the source datastore
         * Modifying source settings
         * Specifying a source location
         * Mapping attributes
           * Specifying mapping details
         * Reviewing channel settings
       * Reviewing SP connection settings
     * SP affiliations
       * Managing SP affiliations
       * Importing affiliation metadata
       * Entering affiliation information
       * Managing affiliation membership
       * Reviewing an SP affiliation
   * OAuth configuration
     * Configuring OAuth use cases
     * Configuring authorization server settings
       * External consent user interface
     * Scopes and scope management
       * Defining scopes
     * Adding virtual issuers for OpenID Connect
     * Configuring client settings
       * Configuring dynamic client registration settings
         * Supported client metadata
       * Configuring scope constraints
       * Managing client configuration defaults
       * Selecting client registration policies
       * Reviewing client settings
     * Managing Client Registration Policy instances
       * Configuring a Client Registration Policy instance
         * Configuring a Response Type Constraints instance
     * Managing OAuth clients
       * Configuring OAuth clients
     * Grant contract mapping
       * Managing IdP adapter grant mapping
         * Configuring IdP adapter attribute sources and user lookup
         * Fulfilling IdP adapter grant mapping
         * Defining issuance criteria for OAuth IdP adapter mapping
         * Reviewing the IdP adapter mapping
       * Configuring IdP connection grant mapping
         * Choosing an OAuth datastore
         * Fulfilling OAuth attribute mapping
         * Defining issuance criteria for OAuth attribute mapping
         * Reviewing the OAuth attribute mapping summary
       * Managing authentication policy contract grant mapping
         * Configuring policy contract attribute sources and user lookup
         * Fulfilling policy contract grant mapping
         * Defining issuance criteria for policy contract mapping
         * Reviewing authentication policy contract mapping
       * Managing resource owner credentials grant mapping
         * Configuring resource owner attribute sources and user lookup
         * Fulfilling resource owner credentials grant mapping
         * Defining issuance criteria for resource-owner credentials mapping
         * Reviewing the resource owner credentials mapping
     * Token mapping
       * Access token management
         * Managing access token management instances
         * Defining an access token management instance
         * Configuring an access token management instance
           * Configuring reference-token management
           * Configuring JSON-token management
         * Managing session validation settings
         * Defining the access token attribute contract
         * Managing resource URIs
         * Defining access control
         * Reviewing the access token management configuration
       * Managing access token mappings
         * Configuring access token attribute sources and user lookup
         * Configuring access token fulfillment
         * Defining issuance criteria for access token mapping
         * Reviewing the access token mapping
       * Configuring an OAuth assertion grant IdP connection
         * Defining an attribute contract for the OAuth assertion grant
         * Configuring access token manager mappings
           * Selecting an access token manager instance
           * Configuring a datastore for OAuth assertion grant attribute mapping
           * Configuring OAuth assertion grant contract fulfillment
           * Defining issuance criteria for OAuth assertion grants
           * Reviewing OAuth assertion grant attribute mapping configuration
         * Reviewing OAuth assertion grant configuration
       * Configuring OpenID Connect policies
         * Configuring policy and ID token settings
         * Configuring the policy attribute contract
         * Configuring attribute scopes
         * Configuring policy attribute sources and user lookup
         * Configuring ID token fulfillment
         * Defining issuance criteria for policy mapping
         * Reviewing your OpenID Connect policy
     * Client Initiated Backchannel Authentication (CIBA)
       * Managing CIBA authenticators
         * Configuring a CIBA authenticator instance
       * Managing CIBA request policies
         * Defining a request policy
         * Configuring identity hint contract
         * Configuring identity hint contract fulfillment
           * Configuring attribute sources and user lookup
           * Fulfilling identity hint contract
           * Defining issuance criteria for identity hint contract
           * Reviewing identity hint contract fulfillment
         * Configuring attribute sources and user lookup for request policy
           contract
         * Configuring request policy contract fulfillment
         * Defining issuance criteria for CIBA request policy
         * Reviewing your CIBA request policy
     * OAuth attribute mapping using a datastore
     * OAuth client session management
       * Asynchronous Front-Channel Logout
       * Back-Channel Session Revocation
     * OAuth token exchange
       * Configuring OAuth token exchange
         * Defining token exchange processor policies
         * Creating token exchange generator groups
         * Mapping token exchange attributes to token generator attributes
         * Mapping token exchange attributes to access token manager attributes
         * Enabling token exchange in OAuth clients
   * Security management
     * Certificate and key management
       * Manage trusted certificate authorities
       * Manage SSL server certificates
       * Manage SSL client keys and certificates
       * Manage digital signing certificates and decryption keys
       * Keys for OAuth and OpenID Connect
         * Configuring static signing keys
         * Configuring static decryption keys
         * Mapping ID token signing keys to virtual issuers
       * Managing certificates from partners
       * Configuring certificate revocation
       * Transitioning to an HSM
       * Manage Partner metadata URLs
       * Rotating system keys
       * Managing configuration encryption keys
     * System integration
       * Configuring redirect validation
         * Managing partner redirect validation
       * Configuring incoming proxy settings
       * Configuring service authentication
CONFIGURING AN HTML FORM ADAPTER INSTANCE

 * Page created:  July 16, 2021

 * Page updated:  November 16, 2021

 * PingFederate
 * 11.0

In the IdP Adapters window, configure an HTML Form Adapter instance to validate
a user authentication session with a Password Credential Validator (PCV) when
your initial authentication needs to integrate with an external application or
an identity management system (IdM) authentication module.


STEPS

 1. Go to Authentication → Integration → IdP Adapters.
 2. On the IdP Adapters window, click Create New Instance to start the Create
    Adapter Instance configuration.
 3. On the Type tab, configure the basics of this adapter instance:
    1. Enter the instance name and ID.
    2. In the Type list, select the adapter type.
    3. Optional: In the Parent Instance list, select an existing type.
       
       If you are creating an instance that is similar to an existing instance,
       you might consider making it a child instance by specifying a parent. A
       child instance inherits the configuration of its parent unless
       overridden. You can specify overrides during the rest of the setup.
 4. On the IdP Adapter tab, configure your HTML Form Adapter instance as
    follows:
    1. If you have not yet defined the desired Password Credential Validator
       instance, click Manage Password Credential Validators to do so.
    2. Click Add a new row to 'Credential Validators' to select a
       credential-authentication mechanism instance for this adapter instance.
    3. From the Password Credential Validator Instance list, select a Password
       Credential Validator instance. Click Update. Add as many validators as
       necessary. Use the up and down arrows to adjust the order in which you
       want PingFederate to attempt credential authentication. If the first
       mechanism fails to validate the credentials, PingFederate moves
       sequentially through the list until credential validation succeeds. If
       none of the Password Credential Validator instances can authenticate the
       user's credentials, and the challenge retries maximum has been reached,
       the process fails.
       
       Note:
       
       If usernames overlap across multiple Password Credential Validator
       instances, this failover setup could lock out those accounts in their
       source locations.
    
    4. Enter values for the adapter configuration, as described below.
       
       Field descriptions:
       
       Challenge Retries (Required)
       
       The account lockout threshold for this adapter instance. When the number
       of login failures reaches this threshold, the user is locked out for a
       period of time.
       
       The default value is 3.
       
       Session State
       
       Determines whether this HTML Form Adapter instance maintains adapter
       sessions and shares adapter sessions with other HTML Form Adapter
       instances.
       
       Globally: Adapter sessions from this HTML Form Adapter instance are
       shared among other HTML Form Adapter instances that use the same Session
       State field value Globally.
       
       Per Adapter: HTML Form Adapter maintains adapter sessions on a
       per-instance basis. Sessions from this HTML Form Adapter instance are not
       shared with other HTML Form Adapter instances.
       
       None: This HTML Form Adapter does not maintain adapter sessions for this
       HTML Form Adapter instance.
       
       Note:
       
       To enable PingFederate authentication sessions globally or individually
       for this adapter instance, select None. For more information about
       PingFederate authentication sessions, see Sessions and Configuring
       authentication sessions.
       
       The default selection is None.
       
       Session Timeout
       
       The number of idle minutes before an HTML Form Adapter session times out
       based on inactivity. If left blank, the lifetime falls back on the
       Session Max Timeout field value. Ignored if None is selected for the
       Session State field.
       
       Applicable only when the Session State field is set to Globally or Per
       Adapter.
       
       Tip:
       
       When you enable PingFederate authentication sessions globally or
       individually for this adapter instance, you can configure the Idle
       Timeout setting for the same purpose. For more information, see
       Configuring authentication sessions.
       
       The default value is 60 minutes.
       
       Session Max Timeout
       
       The maximum lifetime, in minutes, before an HTML Form Adapter session
       expires regardless of whether the Session Timeout field value has been
       reached. Ignored if None is selected for the Session State field.
       
       Applicable only when the Session State field is set to Globally or Per
       Adapter.
       
       Tip:
       
       When you enable PingFederate authentication sessions globally or
       individually for this adapter instance, you can configure the Max Timeout
       setting for the same purpose. For more information, see Configuring
       authentication sessions.
       
       The default value is 480 minutes, which translates to 8 hours.
       
       Note:
       
       This setting sets a maximum lifetime, subject to inactivity timeout.
       Consider the following examples:
       
        * A user initiated a single sign-on (SSO) request at 9 a.m. and has not
          made another SSO request since then. At 10 a.m., the HTML Form Adapter
          session times out due to inactivity, based on the default Session
          Timeout field value of 60 minutes.
        * Another user initiated an SSO request at 9 a.m. and has been making
          SSO requests at least once every hour. This HTML Form Adapter session
          does not time out because the user has been actively making SSO
          requests; however, the HTML Form Adapter session does expire at 5 p.m.
          based on the default Session Max Timeout value of 8 hours.
        * If you leave both the Session Max Timeout and Session Timeout fields
          blank, HTML Form Adapter sessions do not expire until PingFederate
          restarts or the HTML Form Adapter sessions are cleaned up by another
          means.
        * If you leave the Session Max Timeout field blank but set a value for
          the Session Timeout field, HTML Form Adapter sessions do not expire
          until they time out based on inactivity.
       
       Tip:
       
       Session information is stored in the PF cookie. By default, the PF cookie
       is a session cookie and is typically removed when the user closes the
       browser.
       
       You can optionally extend the lifetime of the PF cookie by editing the
       session-cookie-config.xml file, located in the
       <pf_install>/pingfederate/server/default/data/config-store directory. For
       more information, see Extending the lifetime of the PingFederate cookie.
       
       Alternatively, you can enable PingFederate authentication sessions, store
       the authentication sessions externally, and leverage them as users
       request protected resources after restarting their browsers. For more
       information, see Sessions.
       
       Allow Password Changes
       
       Enables or disables the ability for users to change their network
       password using this adapter instance as they initiate SSO requests and
       are prompted to enter their username and password.
       
       As needed, you can also provide your users the Change Password endpoint
       shown on the Summary window. The Change Password endpoint allows users to
       change their password without submitting SSO requests. For more
       information, see the /ext/pwdchange/Identify section.
       
       Note:
       
       The LDAP Username PCV and the PingOne for Enterprise Directory PCV are
       currently the only PCVs bundled with PingFederate that support the change
       password feature.
       
       Important:
       
       When connecting to an Active Directory (AD) server, you must secure the
       datastore connection using LDAPS. AD requires this level of security to
       allow password changes.
       
       This check box is not selected by default.
       
       Password Management System
       
       The URL for redirecting users to a company-specific password management
       system to change their password.
       
       This field has no default value.
       
       Enable 'Remember My Username'
       
       Allows users to store their username as a cookie when authenticating
       with this adapter. Once stored, the username in the login form is
       pre-populated for subsequent transactions. Select the check box to enable
       the cookie functionality.
       
       Note:
       
       This option is hidden when users authenticate through a Composite Adapter
       instance that chains this adapter behind another authentication source
       with an Input User ID Mapping configuration and the Allow Username Edits
       check box is not selected.
       
       This check box is not selected by default.
       
       Enable 'This is My Device'
       
       Allows users to indicate whether their device is shared or private by
       selecting the This is my device check box on the login form. In this
       mode, PingFederate authentication sessions, if enabled, are not stored
       unless the user indicates the device is private. For more information
       about PingFederate authentication sessions, see Sessions.
       
       This check box is not selected by default.
       
       Note:
       
       Adapter session tracking, if enabled by setting the Session State field
       to Globally or Per Adapter, is not affected by this configuration and the
       user's selection.
       
       Change Password Policy Contract
       
       Select an authentication policy contract to enforce strong
       authentication requirements, such as multi-factor authentication through
       PingID, before letting users change their passwords. This is similar to
       using a Password Reset Policy Contract.
       
       The field is empty by default.
       
       Change Password Notification
       
       When selected, a notification is generated for the user who has
       successfully changed the password through the HTML Form Adapter. The
       destination is the user's email address, specifically the mail attribute
       value returned by the LDAP Username PCV instance.
       
       Note:
       
       This option requires the selection of the Allow Password Changes check
       box and a notification publisher instance. If you have not yet configured
       the desired notification publisher instance, click Manage Notification
       Publishers.
       
       In addition, the LDAP Username PCV is the only PCV bundled with
       PingFederate that supports this notification feature.
       
       This check box is not selected by default.
       
       Show Password Expiring Warning

       When selected, the HTML Form Adapter displays a warning to an
       authenticated user if the password associated with the account is
       about to expire. The message provides the number of days until the
       expiry of the current password and the options to change the password
       immediately or to snooze the message. Both the threshold and the
       snooze interval are configurable in the Advanced fields section; the
       default values are 7 days and 24 hours, respectively.

       Note:
       
       This option requires the selection of the Allow Password Changes check
       box. (Both check boxes are not selected by default.) In addition, the
       LDAP Username PCV is currently the only PCV bundled with PingFederate
       that supports the password expiring warning feature.
       
       This check box is not selected by default.
       
       Password Reset Type

       Select one of the following methods for self-service password reset
       (SSPR).

        * Authentication Policy: Based on the policy contract selected from
          the Password Reset Policy Contract list, PingFederate finds the
          applicable authentication policy to handle self-service password
          reset requests. If the users are able to fulfill the authentication
          requirements as specified by the policy, PingFederate allows the
          users to reset their password.
        * Email One-Time Link: Users receive a notification with a URL to
          reset their password. If you have not yet configured the desired
          notification publisher instance, click Manage Notification
          Publishers.
        * Email One-Time Password: Users receive a notification with a
          one-time password (OTP) to reset their password. If you have not yet
          configured the desired notification publisher instance, click Manage
          Notification Publishers.
        * PingID: Users are prompted to follow the PingID authentication flow
          to reset their password. Ensure the PingID Username Attribute field
          in the selected LDAP Username PCV instance is configured; otherwise,
          users will not be able to reset their password. You must also
          download the settings file from the PingOne admin portal and upload
          the file to the PingID Properties advanced field.

          Important:

          Do not use a method that is already part of a multi-factor
          authentication policy that includes a password challenge, as that
          would indirectly reduce that authentication policy to a single
          factor. For example, if users normally authenticate with a password
          challenge and then PingID, the self-service password reset method
          should not be PingID. Instead, choose the Authentication Policy
          option, select a policy contract from the Password Reset Policy
          Contract list, and configure an authentication policy for
          self-service password reset.

        * Text Message: Users receive a text message notification with an OTP
          to reset their password. Ensure the SMS Attribute field in the
          selected LDAP Username PCV instance is configured; otherwise, users
          will not receive text message notification for password reset. If
          you have not yet configured SMS provider settings in PingFederate,
          click Manage SMS Provider Settings.
        * None: Users cannot reset password through this HTML Form Adapter
          instance.
       
       The default selection is None.
       
       When you make a selection other than None, as users initiate SSO requests
       and are prompted to enter their username and password, users have the
       option to reset their password.
       
       As needed, you can also provide your users the Account Recovery endpoint
       shown on the Summary tab. The Account Recovery endpoint allows users to
       change their password without submitting SSO requests. For more
       information, see the /ext/pwdreset/Identify section in IdP endpoints.
       
       Note:
       
       To enable password reset, you must also select the Allow Password Changes
       check box.
       
       In addition, the LDAP Username PCV is the only PCV bundled with
       PingFederate that supports SSPR.
       
       If a notification publisher instance is configured, PingFederate
       generates a notification for the user who has successfully reset the
       password through the HTML Form Adapter. The destination is the user's
       email address, specifically the value of the attribute defined by the
       Mail Attribute setting in the LDAP Username PCV instance.
       
       Important:
       
       When connecting to PingDirectory, Oracle Unified Directory, or Oracle
       Directory Server, configure proxied authorization for the service account
       on the directory server. For more information, see Proxied authorization.
       
       Password Reset Policy Contract

       If you use an authentication policy to handle SSPR requests, you must
       select a policy contract here.
       
       This policy contract doesn't require any extended attributes because
       PingFederate uses this policy only to find the applicable authentication
       policies for password resets.
       
       Important:
       
       You must use a policy contract dedicated only to password reset. You
       can't use this policy contract for SSO anywhere else. To define a policy
       contract solely for password reset, click Manage Policy Contracts.
       
       An authentication policy that uses this contract allows users to reset
       their password. The policy should use strong authentication methods to
       securely identify the user. To ensure that the user authenticating in the
       password reset flow is associated with the target account, you must map
       the incoming user ID into its authentication sources.
       
       Revoke sessions after password change or reset

       Revokes a user's authentication sessions in other browsers after a
       password change or reset is completed by this adapter. This option
       relies on selecting a unique user key attribute for this adapter (see
       Setting pseudonym and masking options).
       
       To enable this option, you must also enable the Allow Password Changes
       option, or set the Password Reset Type option to something other than
       None.
       
       Note:
       
       This revocation capability is not supported if the IdP session registry
       is configured with the Directed Clustering - Subclusters state management
       architecture. For more information, see IdP Session Registry Service and
       Defining subclusters.
       
       Account Unlock

       Enables or disables the ability for users to unlock their account
       using this adapter instance as they initiate SSO requests and are
       prompted to enter their username and password.
       
       As needed, you can also provide your users the Account Recovery endpoint
       shown on the Summary tab. The Account Recovery endpoint allows users to
       unlock their account without submitting SSO requests. For more
       information, see the /ext/pwdreset/Identify section in IdP endpoints.
       
       Note:
       
       You must also select a Password Reset Type value other than None and the
       Allow Password Changes check box as well because the initiating user must
       prove ownership of the account through the password reset flow.
       
       Unlike self-service password reset (SSPR), when users succeed in
       proving account ownership, they are allowed to retain their current
       password or to reset their password as needed. Furthermore,
       self-service account unlock is only compatible with PingDirectory and
       Microsoft AD. If the underlying datastore is connected to an Oracle
       Unified Directory or Oracle Directory Server, users can only unlock
       their account by changing their current password through the password
       reset flow.
       
       In addition, the LDAP Username PCV is the only PCV bundled with
       PingFederate that supports self-service account unlock.
       
       This check box is not selected by default.
       
       Local Identity Profile

       Select a local identity profile to offer users the options to
       authenticate through third-party identity providers, self-register as
       part of the sign-on experience, and manage their accounts through a
       self-service profile management page.
       
       There is no default selection.
       
       Notification Publisher

       If this adapter instance is configured with self-service account
       management capabilities, select a notification publisher instance from
       the list.

       Based on the configuration of the selected notification publisher
       instance, PingFederate generates the required notification messages.
       If you have not yet configured the desired notification publisher
       instance, click Manage Notification Publishers.
       
       Enable Username Recovery

       Enables or disables the ability for users to recover their username
       when using this adapter instance as they initiate SSO requests and are
       prompted to enter their username and password.
       
       As needed, you can also provide your users the Username Recovery endpoint
       shown on the Summary tab. The Username Recovery endpoint allows users to
       recover their username without submitting SSO requests. For more
       information, see the /ext/idrecovery/Recover section in IdP endpoints.
       
       Note:
       
       This capability requires a notification publisher instance. If you have
       not yet configured the desired notification publisher instance, click
       Manage Notification Publishers. In addition, the LDAP Username PCV is the
       only PCV bundled with PingFederate that supports self-service username
       recovery.
       
       For each username recovery request, if PingFederate can locate the user
       record using the email address provided by the user and other
       requirements are met, PingFederate generates a notification containing
       the recovered username. The destination is the email address provided by
       the user.
       
       This check box is not selected by default.
    
    3. Optional: Click Show Advanced Fields to review or modify default values.
    4. If you have chosen Text Message as the password reset type, click Manage
       SMS Provider Settings at the bottom of the page to configure the SMS
       provider through which PingFederate can send text message notifications
       to the users.
 5. On the Extended Contract tab, configure additional attributes for this
    adapter instance as needed. The HTML Form Adapter contract includes two core
    attributes: username and policy.action. At runtime, PingFederate fulfills
    the policy.action core attribute as described in the following table.
    
     * Local identity profile: A selection is made.

       Runtime fulfillment: If the local identity profile is configured with
       one or more authentication sources, and if the user chooses to register
       or authenticate with one of them, PingFederate sets the value to that
       authentication source. This design allows you to create rules in your
       authentication policies and form different policy paths for each
       authentication source. For more information, see Configuring
       third-party identity providers.

       Whether or not the local identity profile is configured with any
       authentication sources, if the user chooses to register directly by
       clicking on the Register now link, PingFederate sets the value to
       identity.registration. This fulfillment allows you to create rules to
       differentiate authentication requirements from the registration flow.
       For more information, see Creating advanced registration mapping.

     * Local identity profile: No selection is made.

       Runtime fulfillment: The policy.action attribute is not fulfilled.

 6. On the Adapter Attributes tab, do the following:
    1. Optional: From the Unique User Key Attribute list, select an attribute to
       uniquely identify users signing on with this adapter.
       
       The attribute's value is used to identify user sessions across all
       adapters. None is selected by default.
       
       Note:
       
       If you choose a custom user key attribute, PingFederate uses the value of
       the attribute after the Adapter Contract Mapping (if any) has been
       evaluated. If you choose a custom user key attribute that is based on the
       username, configure the adapter's password credential validators to trim
       spaces.
       
       Important:
       
       For the HTML Form Adapter, if you enabled the Revoke Sessions after
       Password Change or Reset option on the IdP Adapter tab, you cannot
       select None as the unique user key attribute. Doing so results in an
       error message.
    
    2. Select the check box under Pseudonym for the user identifier of the
       adapter and optionally for the other attributes, if available.
       
       This selection is used if any of your service provider (SP) partners use
       pseudonyms for account linking.
       
       Note:
       
       A selection is required whether or not you use pseudonyms for account
       linking. This allows account linking to be used later without having to
       delete and reconfigure the adapter. Ensure that you choose at least one
       attribute that is unique for each user, such as a user's email, to
       prevent assigning the same pseudonym to multiple users.
    
    3. Select the check box under Mask Log Values for any attributes whose
       values you want PingFederate to mask in its logs at runtime.
       Note:
       
       Masking is not applied to the unique user key attribute in the logs even
       though the attribute used for the key is marked as Mask Log Values.
    
    4. Select the Mask all OGNL-expression generated log values check box if
       OGNL expressions might be used to map derived values into outgoing
       assertions and you want those values masked.
 7. Optional: On the Adapter Contract Mapping tab, configure the adapter
    contract for this instance with the following optional workflows:
     * Configure one or more data sources for datastore queries.
     * Fulfill the adapter contract with values from the adapter (the
       default), datastore queries (if configured), the context of the
       request, text, or expressions (if enabled).
     * Set up the Token Authorization framework to validate one or more criteria
       prior to the issuance of the adapter contract.

 8. On the Summary tab, review your configuration and modify as needed. Click
    Save.
 9. When finished in the IdP Adapters window, click Save to confirm the adapter
    instance configuration.
    
    If you want to exit without saving the configuration, click Cancel.
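
The option dependencies stated in steps 2 and 6 can be checked mechanically before a change is saved. The following is an added example, not Ping Identity code: every dictionary key is a hypothetical name chosen for this sketch (not a PingFederate admin API or export field), and it assumes sign-on factors are listed using the same labels as the Password Reset Type options.

```python
# Added example: dependency lint for the HTML Form Adapter options described
# above. All dictionary keys are hypothetical names for this sketch.

def lint_html_form_adapter(cfg, sso_contracts=(), signon_factors=()):
    """Return (rule_id, message) findings for one adapter instance.

    cfg            -- option values keyed by hypothetical names
    sso_contracts  -- policy contracts already used for SSO elsewhere
    signon_factors -- factors of the normal sign-on policy, e.g. ("password", "PingID")
    """
    findings = []

    def check(ok, rule_id, message):
        if not ok:
            findings.append((rule_id, message))

    reset_type = cfg.get("password_reset_type", "None")
    allow_change = bool(cfg.get("allow_password_changes"))
    publisher = cfg.get("notification_publisher")
    sspr = reset_type != "None"

    if sspr:
        check(allow_change, "SSPR-1", "Password reset requires Allow Password Changes")
    if reset_type == "Authentication Policy":
        contract = cfg.get("password_reset_policy_contract")
        check(bool(contract), "SSPR-2", "Select a Password Reset Policy Contract")
        check(contract not in sso_contracts, "SSPR-3",
              "Reset policy contract must be dedicated to password reset")
    if reset_type in ("Email One-Time Link", "Email One-Time Password"):
        check(bool(publisher), "SSPR-4", "Email reset needs a notification publisher")
    if "password" in signon_factors:
        # Password plus factor X at sign-on, with X alone as the reset method,
        # reduces the sign-on policy to a single factor.
        check(reset_type not in signon_factors, "SSPR-5",
              "Reset method is already a factor in the sign-on policy")
    if cfg.get("change_password_notification"):
        check(allow_change and bool(publisher), "NOTIFY-1",
              "Notification needs Allow Password Changes and a publisher")
    if cfg.get("show_password_expiring_warning"):
        check(allow_change, "EXPIRY-1", "Expiry warning requires Allow Password Changes")
    if cfg.get("account_unlock"):
        check(sspr and allow_change, "UNLOCK-1",
              "Account Unlock needs a reset type and Allow Password Changes")
    if cfg.get("enable_username_recovery"):
        check(bool(publisher), "RECOVER-1", "Username recovery needs a notification publisher")
    if cfg.get("revoke_sessions_after_password_change"):
        check(allow_change or sspr, "REVOKE-1",
              "Revocation needs password change or reset enabled")
        check(cfg.get("unique_user_key_attribute") not in (None, "None"), "REVOKE-2",
              "Revocation needs a unique user key attribute other than None")
        check(cfg.get("session_registry_architecture") != "Directed Clustering - Subclusters",
              "REVOKE-3", "Revocation is not supported with subclusters")
    return findings


# Constructed sample input, not a real export.
SAMPLE = {
    "allow_password_changes": False,
    "password_reset_type": "PingID",
    "account_unlock": True,
    "revoke_sessions_after_password_change": True,
    "unique_user_key_attribute": "None",
    "enable_username_recovery": True,
    "notification_publisher": None,
}

if __name__ == "__main__":
    for rule_id, message in lint_html_form_adapter(SAMPLE, signon_factors=("password", "PingID")):
        print(rule_id, message)
```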


RELATED TOPICS

 * Customizable user-facing pages
   
   PingFederate supplies HTML templates, located in the
   <pf_install>/pingfederate/server/default/conf/template directory, to provide
   information to the end-users or to request user input when processing their
   requests.

 * Configuring the LDAP Username Password Credential Validator
   
   The LDAP Username Password Credential Validator (PCV) verifies credentials
   using an organization's LDAP datastore.

 * Configuring authentication sessions
   
   Use the Sessions window to configure and override the default timeout limits
   for authentication sessions.

 * Managing notification publisher instances
   
   Use PingFederate's functionality to create, edit, review, delete, or set as a
   default any notification publisher instance.

 * Managing SMS provider settings
   
   To connect PingFederate to Twilio as an SMS provider through which
   PingFederate can send text message notifications for self-service password
   reset requests, enter the required information based on your Twilio account.

 * HTML Form Adapter advanced fields
   
   When configuring an HTML Form Adapter, you can use the advanced fields at the
   bottom of the IdP Adapter tab in the Create Adapter Instance window.

 * Configuring self-service account recovery
   
   PingFederate offers self-service password reset for users to recover their
   accounts if they forgot their passwords.

 * Configuring self-service user name recovery
   
   Use PingFederate's self-service user name recovery feature to enable users to
   recover their lost user names through their email addresses.

 * Configuring the HTML Form Adapter for customer identities
   
   After defining a local identity profile, associate it with an instance of the
   HTML Form Adapter for PingFederate to leverage the HTML Form Adapter to
   present users the options to authenticate through third-party identity
   providers, self-register as part of the sign-on experience, and manage their
   accounts through a self-service profile management page.

 * Configuring third-party identity providers
   
   In this use case, you need to support consumer registration where users
   complete a self-service registration process to create their accounts and
   then access resources protected by multiple service providers. For a
   registration to complete successfully, a user must provide an email address,
   a first name, a last name, an optional mobile phone number, and a password.
   The email address is the user identifier. All attributes are sent to the
   service providers as per the partner agreements.

 * Account lockout protection
   
   Account lockout protection provides a level of security to the user and can
   operate in multiple ways based on the PingFederate environment.
