Configure the Kerberos Adapter

  1. If you have not already done so, log on to the PingFederate® administrative console.

  2. Go to the IdP ConfigurationAdapters screen.

  3. On the Manage IdP Adapter Instances screen, click Create New Instance.

  4. On the Type screen, enter an Instance Name and Instance Id, select Kerberos Adapter from the list, and then click Next.

    The Instance Id may not contain spaces or underscores.

  5. Select a Parent Instance from the list.

    If you are creating an instance that is similar to an existing instance, you might consider making it a child instance by specifying a parent. A child instance inherits the configuration of its parent unless overridden. You can specify overrides during the rest of the setup.

  6. Click Next.

    NoteIf this is a child instance, select the override check box related to the settings you want to modify.
  7. On the IdP Adapter screen, select the Domain/Realm Name for your Windows domain. If the domain or realm you want does not appear, click Manage Active Directory Domains/Kerberos Realms to add it (see Configure Active Directory domains or Kerberos realms).

  8. Enter a URL for redirecting the user if there are errors. This URL has an errorMessage query parameter appended to it, which contains a brief description of the error that occurred. The error page can optionally display this message on the screen to provide guidance on remedying the problem.

    NoteIn the case of an error, if you define an Error URL Redirect and the adapter instance is included in an instance of the Composite Adapter, the user is redirected to the Error URL rather than continuing on to the next adapter in the chain. Leave this field blank to have the adapter continue on to the next adapter.

    When employing the errorMessage query parameter in a custom error page, adhere to Web-application security best practices to guard against common content injection vulnerabilities. If no URL is specified, the appropriate default error landing page appears.

  9. Click Show Advanced Fields and make any desired changes for the following settings.

    Error Template


    When selected, displays a template to provide standardized information to the end user when authentication fails. The Error URL Redirect value is ignored.

    The template (kerberos.error.template.html in the <pf_install>/pingfederate/server/default/conf/template directory) uses the Velocity template engine and can be modified in a text editor to suit your particular branding and informational needs. For example, you can give the user the option to try again should authentication fail.

    Authentication Context Value


    This may be any value agreed to with your SP partner to indicate the type of credentials used to authenticate. Standard URIs are defined in the SAML specifications (see the OASIS documents oasis-sstc-saml-core-1.1.pdf and saml-authn-context-2.0-os.pdf).

    If left blank, PingFederate sets the authentication context as follows:

    • urn:oasis:names:tc:SAML:1.0:am:unspecified for SAML 1.x
    • urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified for SAML 2.0

    As needed, the authentication context can be overridden by either an instance of the Requested AuthN Context Authentication Selector or the SAML_AUTHN_CTX attribute in the SAML attribute contract. (The latter takes precedence.)

  10. Click Next.

  11. On the Adapter Attributes screen, select Username (and optionally Domain/Realm Name) to be used in constructing a unique identifier (Pseudonym) for account linking at the SP.

    NoteA selection is required regardless of whether you use pseudonyms for account linking. This allows account linking to be used later without having to delete and reconfigure the adapter. Ensure that you choose at least one attribute that is unique for each user (for example, email) to prevent the same pseudonym from being assigned to multiple users.

    You can also choose to mask the values of any or all attributes that PingFederate logs from the adapter at runtime.

    If OGNL expressions might be used to map derived values into outgoing assertions and you want those values masked, select the related check box under the Attribute list.
  12. Click Next.

  13. On the Summary screen, click Done.

  14. On the Manage IdP Adapter Instances screen, click Save.

    ImportantYou must click Save if you want to retain the adapter configuration.

Tags Capability > Single Sign On; Hosting Environment > On-Premises; Product > PingFederate > PingFederate 8.4; Product > PingFederate; Task Type > Configuration