Agentless Integration Kit

Reference ID IdP Adapter settings reference

The following are setting descriptions for the Reference ID IdP Adapter.

Standard fields
Field Name Description

Authentication Endpoint

The application endpoint URL for user authentication requests, user authorization consent requests, or both.

User Name

The ID that the application uses to authenticate to the PingFederate server.

This field is required to enable Basic HTTP authentication for the application.

Pass Phrase

The password that the application uses to authenticate to the PingFederate server.

This field is required to enable Basic HTTP authentication for the application.

Allowed Subject DN

If your application uses certificate authentication, set this to an acceptable subject distinguished name (DN) of the client certificate.

You can use the asterisk (*) wildcard character to match variances in the value for components that are allowed to be variable, like the common name (CN). A maximum of one wildcard character can be used per DN. Separate multiple subject DNs with a pipe (|).

If this field is blank, any subject DN is allowed.

Allowed Issuer DN

If your application uses certificate authentication, set this to an acceptable issuer DN of the incoming client certificate.

You can use the asterisk (*) wildcard character to match variances in the value for components that are allowed to be variable, like the common name (CN). A maximum of one wildcard character can be used per DN. Separate multiple issuer DNs with a pipe (|).

If this field is blank, any issuer DN is allowed.
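The two DN fields above share one matching rule: pipe-separated alternatives, at most one wildcard per DN, and a blank field that allows anything. The following is an added example, not part of the Agentless Integration Kit, that applies that rule to a DN taken from a client certificate so you can check a planned setting before deploying it. It assumes plain string comparison (no RDN reordering or whitespace normalization) and, as the conservative reading of "variances in the value for components", confines the wildcard to a single DN component so that it can never swallow the components after it. The DN values are constructed for the example.

```python
from __future__ import annotations

import re

# Added example, not part of the Agentless Integration Kit: evaluate a client
# certificate DN against an Allowed Subject DN / Allowed Issuer DN setting using
# the rules stated in the field descriptions. Assumptions: DNs are compared as
# plain strings, and a wildcard is confined to one DN component (it never
# matches a comma), which is the conservative reading of the description.


def parse_allowed_dns(setting: str) -> list[str]:
    """Split the setting on '|' and reject any entry with more than one '*'."""
    patterns = [p.strip() for p in setting.split("|") if p.strip()]
    for p in patterns:
        if p.count("*") > 1:
            raise ValueError(f"more than one wildcard in allowed DN: {p!r}")
    return patterns


def dn_pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn 'CN=portal-*, O=Example Corp, C=US' into an anchored regex.

    re.escape() renders the wildcard as a backslash-escaped star; it becomes
    '[^,]*' so that it matches any run of characters inside one component but
    cannot extend across the comma into the components that follow.
    """
    escaped = re.escape(pattern).replace(r"\*", r"[^,]*")
    return re.compile(rf"^{escaped}$")


def dn_allowed(presented_dn: str, setting: str) -> bool:
    """True if presented_dn satisfies the setting; a blank setting allows any DN."""
    patterns = parse_allowed_dns(setting)
    if not patterns:
        return True
    return any(dn_pattern_to_regex(p).fullmatch(presented_dn) for p in patterns)


if __name__ == "__main__":
    # Constructed DNs for illustration.
    allowed = "CN=portal-*, OU=Portal, O=Example Corp, C=US"
    print(dn_allowed("CN=portal-prod-01, OU=Portal, O=Example Corp, C=US", allowed))
    print(dn_allowed("CN=portal-x, OU=Other, O=Example Corp, C=US", allowed))
```

Keep the allowed list as specific as the deployment permits: a wildcard at the start of a component (CN=*) accepts any value in that position, so a certificate issued by the same CA to a different host also passes. If the adapter's own matcher turns out to let a wildcard span components, this check is stricter than the adapter, never looser.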

Logout Service Endpoint

The URL of your application’s logout service endpoint, such as https://portal.example.com/logout.

When Logout Mode is set to Front Channel, PingFederate redirects the browser to this URL as part of the single logout (SLO) flow. For details, see Logout Mode.

Logout Mode

Determines how the adapter handles application logout.

Front Channel
  1. During the SLO flow, PingFederate redirects the browser to your application’s Logout Service Endpoint URL and provides the reference ID and resume path values.

  2. Your application uses the reference ID or a session cookie to identify and end the user session, then redirects the browser back to the PingFederate resume path.

  3. PingFederate completes the SLO process.

Back Channel

The adapter sends a direct HTTP request to the IdP application. To include an attribute in a dynamic URL, use the ${attribute-name} variable.

None

Select this option if your application does not maintain user sessions.

The default selection is None.
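The three Front Channel steps above describe what PingFederate does; the following is an added example, not part of the Agentless Integration Kit, of the application side of step 2: receive the logout request at the Logout Service Endpoint, end the local session for the reference ID, and send the browser back to the resume path. The parameter names REF and resumePath, the PingFederate base URL, the session store and the session data are all assumptions for this example. The point a practitioner should take from it is that the resume path arrives via the browser and must be treated as a relative path under the PingFederate base URL; accepting an absolute or protocol-relative value would make the logout endpoint an open redirect.

```python
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Added example, not part of the Agentless Integration Kit: the application side
# of the Front Channel logout flow. Assumptions: PingFederate passes the
# reference ID as REF and the resume path as resumePath, the resume path is
# relative to the PingFederate base URL below, and the application keeps an
# in-memory map from reference ID to its own session.

PINGFEDERATE_BASE_URL = "https://sso.example.com"  # assumed; configure per deployment


class SessionStore:
    """Toy session store: session id -> user, plus reference ID -> session id."""

    def __init__(self) -> None:
        self._users: dict[str, str] = {}
        self._by_ref: dict[str, str] = {}

    def create(self, session_id: str, ref: str, user: str) -> None:
        self._users[session_id] = user
        self._by_ref[ref] = session_id

    def is_active(self, session_id: str) -> bool:
        return session_id in self._users

    def end_by_ref(self, ref: str) -> str | None:
        """End the session tied to ref; return its id, or None if unknown."""
        session_id = self._by_ref.pop(ref, None)
        if session_id is not None:
            self._users.pop(session_id, None)
        return session_id


@dataclass
class LogoutResponse:
    status: int
    location: str | None = None
    ended_session: str | None = None


def resume_url(resume_path: str) -> str:
    """Join the resume path to the PingFederate base URL.

    Only a path that starts with a single '/' and carries no scheme or host is
    accepted. 'https://...', '//host/...' or '@host/...' would otherwise turn
    the logout endpoint into an open redirect for anyone who can send the
    browser a forged logout request.
    """
    parts = urlsplit(resume_path)
    if (parts.scheme or parts.netloc
            or not resume_path.startswith("/") or resume_path.startswith("//")):
        raise ValueError(f"refusing non-relative resume path: {resume_path!r}")
    return PINGFEDERATE_BASE_URL + resume_path


def handle_logout_request(query_string: str, store: SessionStore) -> LogoutResponse:
    """Handle GET <Logout Service Endpoint>?REF=...&resumePath=... (names assumed)."""
    params = parse_qs(query_string, keep_blank_values=True)
    ref = params.get("REF", [""])[0]
    resume_path = params.get("resumePath", [""])[0]
    try:
        location = resume_url(resume_path)
    except ValueError:
        return LogoutResponse(status=400)  # cannot redirect safely; do not guess
    # Step 2: end the local session. An unknown reference ID is not an error; the
    # browser is still sent back so PingFederate can complete SLO elsewhere.
    ended = store.end_by_ref(ref) if ref else None
    return LogoutResponse(status=302, location=location, ended_session=ended)


if __name__ == "__main__":
    store = SessionStore()
    store.create("sid-1", "ref-abc", "alice")  # constructed session data
    print(handle_logout_request("REF=ref-abc&resumePath=/idp/resume.ping", store))
    print(handle_logout_request("REF=x&resumePath=https://evil.example/", store))
```

Returning 302 for an unknown reference ID keeps logout idempotent and lets PingFederate finish SLO for the other participants; returning 400 for a malformed resume path is deliberate, since redirecting anywhere else would defeat the check.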

Advanced fields
Field Name Description

Prefix Referenced Attributes

When selected, the adapter adds a prefix to attribute keys to identify their source. Each prefix ends in a period, so, for example, a chained attribute named mail arrives under the key chainedattr.mail.

  • Attributes from previous authentication sources (also known as chained attributes) are prefixed with chainedattr.

  • Signed request object attributes are prefixed with signedreqattr.

  • HTTP parameters are prefixed with httpparam. Applicable only if the Ignore Untracked HTTP Parameters check box is not selected.

  • Tracked HTTP parameters are prefixed with trackedparam. This feature requires PingFederate Server 9.2 or later.

This check box is selected by default.
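The prefixes matter for security because they keep attributes of different trust levels apart: httpparam values were typed into the sign-on request by whoever started it, while the unprefixed attributes are the adapter's own statement about the authenticated user. The following is an added example, not part of the Agentless Integration Kit, that splits a picked-up attribute set into groups by prefix and reads the subject only from the adapter's group, so an httpparam.subject value cannot shadow it. It assumes the pickup response is a flat JSON object and that the adapter attribute for the user is named subject; the payload and attribute names are constructed for the example.

```python
from __future__ import annotations

import json

# Added example, not part of the Agentless Integration Kit: split the attribute
# set an application receives when Prefix Referenced Attributes is selected into
# groups by source, using the four prefixes listed above. Assumptions: the
# pickup response is a flat JSON object, the adapter's attribute for the user is
# named "subject", and the sample payload below is constructed for this example.

PREFIX_GROUPS = {
    "chainedattr.": "chained",           # earlier authentication sources
    "signedreqattr.": "signed_request",  # signed request object
    "httpparam.": "http_param",          # raw sign-on request parameters
    "trackedparam.": "tracked_param",    # tracked HTTP parameters
}


def partition_attributes(payload: str) -> dict[str, dict[str, object]]:
    """Group attributes by source prefix, stripping the prefix from each key."""
    groups: dict[str, dict[str, object]] = {g: {} for g in PREFIX_GROUPS.values()}
    groups["adapter"] = {}  # unprefixed keys: attributes the adapter itself issues
    for key, value in json.loads(payload).items():
        for prefix, group in PREFIX_GROUPS.items():
            if key.startswith(prefix):
                groups[group][key[len(prefix):]] = value
                break
        else:
            groups["adapter"][key] = value
    return groups


def authenticated_subject(groups: dict[str, dict[str, object]]) -> str:
    """Return the subject from the adapter's own attributes only.

    httpparam.* values are untrusted input from the sign-on request; because of
    the prefix, httpparam.subject lands in a different group and cannot shadow
    the adapter's subject even though both arrived in one flat object.
    """
    subject = groups["adapter"].get("subject")
    if not isinstance(subject, str) or not subject:
        raise ValueError("adapter did not supply a subject")
    return subject


# Constructed sample of a pickup response with prefixes enabled.
SAMPLE_PAYLOAD = json.dumps({
    "subject": "alice",
    "chainedattr.mail": "alice@example.com",
    "httpparam.subject": "admin",
    "httpparam.returnTo": "/dashboard",
    "trackedparam.client_id": "portal",
})

if __name__ == "__main__":
    groups = partition_attributes(SAMPLE_PAYLOAD)
    print(authenticated_subject(groups))  # alice, not admin
    print(groups["http_param"])
```

If Prefix Referenced Attributes is cleared, the two subject values in the sample would collide in one flat namespace and the application would have no way to tell which one the adapter vouched for; that is the case for leaving the box selected.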

Ignore Untracked HTTP Parameters

When selected, the adapter ignores parameters from the initial sign-on HTTP request that aren’t included on the Tracked HTTP Parameters tab of the Authentication Policies window.

This check box is selected by default.

Send Request Parameters

Determines which parameters from the original sign-on HTTP request the adapter passes to the identity provider (IdP) application. Applies only when Transport Mode is set to Query Parameter.

The default selection is None.

Transport Mode

This field defines the method that the adapter uses for front-channel communication with the application.

Form POST

The adapter sends data using a POST request. Data is contained within the body of the request.

Query Parameter

The adapter sends data as part of the URL string. Some data, such as the reference value, is exposed with this method: anything carried in the URL can be recorded in browser history, in proxy and web server access logs, and in Referer headers sent to third-party sites.

The default selection is Form POST.

Reference Duration

The amount of time (in seconds) that the PingFederate server keeps the referenced attributes in memory. Increase this value to accommodate network delays. Learn more in Development considerations.

The default value is 3.

Reference Length

The number of bytes used for the pseudo-randomly-generated reference ID. Increase this value to make the reference ID more difficult to guess. Learn more in Development considerations.

The default value is 30.

Require SSL/TLS

This check box controls whether the adapter requires a secure connection for calls made to the Reference ID IdP Adapter pickup and drop-off endpoints.

This check box is selected by default.

Outgoing Attribute Format

The format that the adapter uses to encode attribute values in HTTP responses it sends to the application. The application must be able to parse this format. Learn more in Attribute pickup process.

The default selection is JSON.

Incoming Attribute Format

The format that the application uses to encode attribute values in HTTP requests it sends to the adapter. Learn more in Attribute drop-off process.

The default selection is JSON.

Skip Host Name Validation

When a connection is established with the application, this setting determines whether PingFederate matches the target host name against the names stored inside the server certificate presented by the application. Skipping the check can be useful during development or testing, but leave it cleared in production: without host name validation, any certificate that chains to a trusted CA is accepted for the connection, whichever host it was issued to.

Applies when Logout Mode is set to Back Channel.

This check box is cleared by default.

Relax Pass Phrase Requirements

When selected, the adapter does not enforce requirements for the application credentials entered in the Pass Phrase field. When cleared, the adapter enforces strong password requirements for better security.

Use this for development, testing, or upgrading from previous versions of the adapter that did not enforce password requirements.

This check box is cleared by default.