---
title: Reference ID IdP Adapter settings reference
description: Field descriptions for the Reference ID IdP Adapter configuration page.
component: agentless
page_id: agentless:custom_application_setup:pf_agentless_ik_reference_id_idp_adapter_settings_reference
canonical_url: https://docs.pingidentity.com/integrations/agentless/custom_application_setup/pf_agentless_ik_reference_id_idp_adapter_settings_reference.html
revdate: April 28, 2025
---

# Reference ID IdP Adapter settings reference

Field descriptions for the Reference ID IdP Adapter configuration page.

When using a wildcard in either the **Allowed Subject DN** or **Allowed Issuer DN** field:

- In Agentless Integration Kit 2.3 and later, PingFederate enforces the match individually at that component level. For example:

  * `CN=*, L=Denver, ST=CO, C=US` would match `CN=server1.domain.com, L=Denver, ST=CO, C=US` and `CN=server2.domain.com, L=Denver, ST=CO, C=US`.

  * `CN=*, L=D*, ST=CO, C=US` would match `CN=server1.domain.com, L=Denver, ST=CO, C=US` but not `CN=server1.domain.com, O=Ping Identity, L=Denver, ST=CO, C=US`.

- In Agentless Integration Kit 2.2.1 and earlier, PingFederate allows relaxed matches but supports the use of only one wildcard. For example:

  * `CN=*, L=Denver, ST=CO, C=US` would match `CN=server1.domain.com, L=Denver, ST=CO, C=US` and also `CN=server1.domain.com, O=Ping Identity, L=Denver, ST=CO, C=US`.

If you want to switch back to the previous wildcard matching behavior after upgrading to Agentless Integration Kit 2.3 or later, use the PingFederate admin API to update the hidden configuration field **Relax DN Matching** to a value of `true`.
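The following added example (not PingFederate code) models the two wildcard behaviors described above, so you can list which certificate DNs are accepted only under relaxed matching before changing **Relax DN Matching**. The function names, the simple comma-splitting DN parser, positional component order, and case-sensitive value comparison are assumptions of this example.

```python
def split_dn(dn):
    """Split a DN into (ATTR, value) pairs. Assumes no escaped commas."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append((attr.strip().upper(), value.strip()))
    return parts


def glob_one(pattern, value):
    """Match value against a pattern that holds at most one '*'."""
    if pattern.count("*") > 1:
        raise ValueError("more than one wildcard in: " + pattern)
    if "*" not in pattern:
        return pattern == value
    head, tail = pattern.split("*")
    return (len(value) >= len(head) + len(tail)
            and value.startswith(head) and value.endswith(tail))


def strict_match(pattern_dn, cert_dn):
    """Model of 2.3+: same components, each one matched on its own."""
    p, c = split_dn(pattern_dn), split_dn(cert_dn)
    if len(p) != len(c):
        return False  # an extra component such as O=... is not absorbed
    return all(pa == ca and glob_one(pv, cv)
               for (pa, pv), (ca, cv) in zip(p, c))


def relaxed_match(pattern_dn, cert_dn):
    """Model of 2.2.1 and earlier: one wildcard spanning the whole DN string."""
    def norm(dn):
        return ", ".join(f"{a}={v}" for a, v in split_dn(dn))
    return glob_one(norm(pattern_dn), norm(cert_dn))


def allowed(field_value, cert_dn, relaxed=False):
    """Evaluate a pipe-separated Allowed Subject DN / Allowed Issuer DN value."""
    if not field_value.strip():
        return True  # blank field: any DN is allowed, per the field description
    match = relaxed_match if relaxed else strict_match
    return any(match(p, cert_dn) for p in field_value.split("|") if p.strip())


def relaxed_only(field_value, cert_dns):
    """DNs accepted only when relaxed matching is in effect."""
    return [dn for dn in cert_dns
            if allowed(field_value, dn, relaxed=True)
            and not allowed(field_value, dn, relaxed=False)]


# Sample DNs taken from the examples on this page.
SAMPLE_DNS = [
    "CN=server1.domain.com, L=Denver, ST=CO, C=US",
    "CN=server2.domain.com, L=Denver, ST=CO, C=US",
    "CN=server1.domain.com, O=Ping Identity, L=Denver, ST=CO, C=US",
]

if __name__ == "__main__":
    pattern = "CN=*, L=Denver, ST=CO, C=US"
    for dn in SAMPLE_DNS:
        print(dn, "| strict:", allowed(pattern, dn),
              "| relaxed:", allowed(pattern, dn, relaxed=True))
    print("accepted only when relaxed:", relaxed_only(pattern, SAMPLE_DNS))
```
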

> **Collapse: Standard fields**
>
> | Field Name                                 | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
> | ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
> | **Authentication Endpoint**                | The application endpoint URL for user authentication requests, user authorization consent requests, or both.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
> | **User Name**                              | The ID that the application uses to authenticate to the PingFederate server. This field is required to enable Basic HTTP authentication for the application. |
> | **Pass Phrase**                            | The password that the application uses to authenticate to the PingFederate server. This field is required to enable Basic HTTP authentication for the application. |
> | **Allowed Subject DN**                     | If your application uses certificate authentication, set this to an acceptable subject distinguished name (DN) of the client certificate. You can use the asterisk (`*`) wildcard character to match variances in the value for components that are allowed to be variable, like the common name (CN) or organization unit (OU). A maximum of one wildcard character can be used per DN component. Separate multiple subject DNs with a pipe (`\|`). If this field is blank, any subject DN is allowed. |
> | **Allowed Issuer DN**                      | If your application uses certificate authentication, set this to an acceptable issuer DN of the incoming client certificate. You can use the asterisk (`*`) wildcard character to match variances in the value for components that are allowed to be variable, like the common name (CN) or organization unit (OU). A maximum of one wildcard character can be used per DN component. Separate multiple issuer DNs with a pipe (`\|`). If this field is blank, any issuer DN is allowed. |
> | **Access Token Manager**                   | To enable bearer token authentication for applications, select an [Access token management](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_access_token_management.html) instance to issue and validate access tokens.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
> | **Allowed Bearer Access Token Client IDs** | A list of client IDs allowed in the bearer access token. Separate values with the pipe character (`\|`). If this field is blank, all client IDs are accepted. |
> | **Required Bearer Access Token Scopes**    | A list of required scopes that must be included in the bearer access token. Separate values with the pipe character (`\|`). If this field is blank, all scopes are accepted. |
> | **Logout Service Endpoint**                | The URL of your application's logout service endpoint, such as `https://portal.example.com/logout`. When **Logout Mode** is set to **Front Channel**, PingFederate uses this URL as part of the single logout (SLO) flow. For details, see the description below. |
> | **Logout Mode**                            | Determines how the adapter handles application logout. **Front Channel**: (1) During the SLO flow, PingFederate redirects the browser to your application's **Logout Service Endpoint** URL and provides the reference ID and resume path values. (2) Your application uses the reference ID or a session cookie to identify and end the user session, then redirects the browser back to the PingFederate resume path. (3) PingFederate completes the SLO process. **Back Channel**: The adapter sends a direct HTTP request to the IdP application. To include an attribute in a dynamic URL, use the `${attribute-name}` variable. **None**: Select this option if your application does not maintain user sessions. The default selection is **None**. |

> **Collapse: Advanced fields**
>
> | Field Name                           | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
> | ------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
> | **Prefix Referenced Attributes**     | When selected, the adapter adds a prefix to attribute keys to identify their source: (1) Attributes from previous authentication sources (also known as chained attributes) are prefixed with `chainedattr.`. (2) Signed request object attributes are prefixed with `signedreqattr.`. (3) HTTP parameters are prefixed with `httpparam.`; applicable only if the **Ignore Untracked HTTP Parameters** checkbox is not selected. (4) Tracked HTTP parameters are prefixed with `trackedparam.`; this feature requires PingFederate Server 9.2 or later. This check box is selected by default. |
> | **Preserve JSON**                    | When selected, the adapter automatically preserves the incoming chained attribute value, signed request attributes, and tracked HTTP parameters as a JSON data type if the adapter can detect a valid JSON format. The adapter always passes the tracked HTTP parameter values as an array. This checkbox is cleared by default. |
> | **Ignore Untracked HTTP Parameters** | When selected, the adapter ignores parameters from the initial sign-on HTTP request that aren't included on the **Tracked HTTP Parameters** tab of the **Authentication Policies** window. This check box is selected by default. |
> | **Send Request Parameters**          | Determines which parameters from the original sign-on HTTP request the adapter passes to the identity provider (IdP) application. Applies in query parameter mode. The default selection is **None**. |
> | **Include Null Attributes**          | When selected, the pickup API endpoint response includes any existing attributes with null values in the payload it drops off. Additionally, the Reference ID IdP Adapter includes null claims in the signed request object. This checkbox is cleared by default. |
> | **Transport Mode**                   | This field defines the method that the adapter uses for front-channel communication with the application. **Form POST**: The adapter sends data using a POST request. Data is contained within the body of the request. **Query Parameter**: The adapter sends data as part of the URL string. Some data, such as the reference value, is exposed with this method. The default selection is **Form POST**. |
> | **Reference Duration**               | The amount of time (in seconds) that the PingFederate server keeps the referenced attributes in memory. Increase this value to accommodate network delays. Learn more in [Development considerations](pf_agentless_ik_development_considerations.html). The default value is `3`. |
> | **Reference Length**                 | The number of bytes used for the pseudo-randomly-generated reference ID. Increase this value to make the reference ID more difficult to replicate. Learn more in [Development considerations](pf_agentless_ik_development_considerations.html). The default value is `30`. |
> | **Require SSL/TLS**                  | This checkbox controls whether the adapter requires a secure connection for calls made to the Reference ID IdP Adapter pickup and dropoff endpoints. This check box is selected by default. |
> | **Outgoing Attribute Format**        | The format that the adapter uses to encode attribute values in HTTP responses it sends to the application. The application must be able to parse this format. Learn more in [Attribute pickup process](pf_agentless_ik_attribute_pickup_process.html). The default selection is **JSON**. |
> | **Incoming Attribute Format**        | The format that the application uses to encode attribute values in HTTP requests it sends to the adapter. Learn more in [Attribute drop-off process](pf_agentless_ik_attribute_drop_off_process.html). The default selection is **JSON**. |
> | **Skip Host Name Validation**        | When a connection is established with the application, this setting determines whether PingFederate matches the target host name against the names stored inside the server certificate presented by the application. This can be useful during development or testing. Applies when **Logout Mode** is set to **Back Channel**. This check box is cleared by default. |
> | **Relax Pass Phrase Requirements**   | When selected, the adapter does not enforce requirements for the application credentials entered in the **Pass Phrase** field. When cleared, the adapter enforces strong password requirements for better security. Use this for development, testing, or upgrading from previous versions of the adapter that did not enforce password requirements. This check box is cleared by default. |
