Configuring a password credential validator instance
Steps
- Sign on to the PingFederate administrative console and go to Server Configuration > Password Credential Validators > Create New Instance.
- On the Type tab, populate the Instance Name and Instance ID fields, choose Azure AD Password Credential Validator 2.0 in the Type field, and click Next.
- On the Instance Configuration tab, populate the Tenant ID, Client ID and Client Secret fields using the information specific to your Azure AD application, and click Next.
  Learn more about obtaining the Client ID and Client Secret in Register a Microsoft Entra app and create a service principal.
  Configuration fields

  | Field | Type | Description |
  |---|---|---|
  | Tenant ID | String. Required. | The tenant ID generated by Microsoft when you register an application in Azure. |
  | Client ID | String. Required. | The client ID generated by Microsoft when you register an application in Azure. |
  | Client Secret | String. Required. | The client secret generated by Microsoft when you register an application in Azure. |
  | Disable User Group Retrieval | Checkbox | Disable the PCV from retrieving the memberOf attribute for users. |
  | Microsoft Login Base URL | String. Required. | The base URL used by Microsoft for any authentication calls. The default value is https://login.microsoftonline.com/. |
  | Microsoft Token Endpoint | String. Required. | The endpoint used by Microsoft to retrieve an access token. The default value is /oauth2v2.0/token. |
  | User Attributes Endpoint | String. Required. | The endpoint used to retrieve user attributes. The default value is https://graph.microsoft.com/v1.0/me. |
  | Group Membership Endpoint | String. Required. | The endpoint used to retrieve group membership info. The default value is https://graph.microsoft.com/v1.0/me/memberOf. |
  | API Request Timeout | | The amount of time in milliseconds that PingFederate waits for Microsoft APIs to respond to requests. A value of 0 disables the timeout. The default value is 5000. |
  | Proxy Settings | No Proxy / System Defaults / Custom | Defines proxy settings for outbound HTTP requests. The default value is System Defaults. |
  | Custom Proxy Host | String. Optional. | The proxy server hostname to use when Proxy Settings is set to Custom. |
  | Custom Proxy Port | String. Optional. | The proxy server port to use when Proxy Settings is set to Custom. |

  If the user’s group memberships aren’t required, select the option to Disable User Group Retrieval.
- The attribute contract can be extended with any additional Azure AD attributes, including Azure AD custom properties. Learn more in Known issues and limitations.
  If you’re upgrading from Azure AD Password Credential Validator 1.2 or earlier, and used the objectID attribute in your extended contract, change the attribute to ID.
  The core contract contains the following attributes:
  - displayName
  - givenName
  - mail
  - memberOf
  - surname
  - username
  - userPrincipalName
- Click Next, review your settings, then click Save.
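The following is an added example, not PingFederate's or Ping Identity's code. It models how the fields in the configuration table combine into the Microsoft API calls a validation makes (token URL, timeout, proxy selection, whether the memberOf lookup happens) and how a Graph /me and /me/memberOf response maps onto the core attribute contract listed above. Assumptions that the page does not document: the token URL is composed as Login Base URL + Tenant ID + Token Endpoint; the `username` contract attribute carries the value the user signed in with; extended attributes are read from the /me payload by name; and the sample Graph payloads are constructed.

```python
"""Added example (not PingFederate's code): a model of how the Azure AD PCV 2.0
settings turn into Microsoft API requests and how Graph payloads map onto the
core attribute contract. URL composition, the meaning of `username` and the
proxy-map shape are assumptions, not documented behaviour."""
from dataclasses import dataclass
from typing import Optional

# Defaults as listed in the configuration table on the page.
DEFAULT_LOGIN_BASE_URL = "https://login.microsoftonline.com/"
DEFAULT_TOKEN_ENDPOINT = "/oauth2v2.0/token"
DEFAULT_USER_ATTRIBUTES_ENDPOINT = "https://graph.microsoft.com/v1.0/me"
DEFAULT_GROUP_MEMBERSHIP_ENDPOINT = "https://graph.microsoft.com/v1.0/me/memberOf"
DEFAULT_TIMEOUT_MS = 5000

CORE_CONTRACT = ("displayName", "givenName", "mail", "memberOf",
                 "surname", "username", "userPrincipalName")


@dataclass
class PcvConfig:
    tenant_id: str
    client_id: str
    client_secret: str
    disable_group_retrieval: bool = False
    login_base_url: str = DEFAULT_LOGIN_BASE_URL
    token_endpoint: str = DEFAULT_TOKEN_ENDPOINT
    user_attributes_endpoint: str = DEFAULT_USER_ATTRIBUTES_ENDPOINT
    group_membership_endpoint: str = DEFAULT_GROUP_MEMBERSHIP_ENDPOINT
    api_timeout_ms: int = DEFAULT_TIMEOUT_MS
    proxy_settings: str = "System Defaults"  # "No Proxy" | "System Defaults" | "Custom"
    custom_proxy_host: Optional[str] = None
    custom_proxy_port: Optional[str] = None


def token_url(cfg: PcvConfig) -> str:
    """Assumption: tenant-scoped token URL = base URL + tenant ID + token endpoint."""
    return cfg.login_base_url.rstrip("/") + "/" + cfg.tenant_id + cfg.token_endpoint


def request_timeout_seconds(cfg: PcvConfig) -> Optional[float]:
    """API Request Timeout is in milliseconds; 0 disables the timeout (None for an HTTP client)."""
    if cfg.api_timeout_ms < 0:
        raise ValueError("API Request Timeout must be 0 or a positive number of milliseconds")
    return None if cfg.api_timeout_ms == 0 else cfg.api_timeout_ms / 1000.0


def proxy_map(cfg: PcvConfig) -> Optional[dict]:
    """Translate Proxy Settings into an HTTP-client proxy mapping (shape is an assumption):
    None -> let the client use system/environment defaults; {} -> explicitly no proxy;
    dict -> custom proxy for outbound calls, which requires host and port."""
    if cfg.proxy_settings == "System Defaults":
        return None
    if cfg.proxy_settings == "No Proxy":
        return {}
    if cfg.proxy_settings == "Custom":
        if not (cfg.custom_proxy_host and cfg.custom_proxy_port):
            raise ValueError("Custom proxy requires Custom Proxy Host and Custom Proxy Port")
        return {"https": f"http://{cfg.custom_proxy_host}:{cfg.custom_proxy_port}"}
    raise ValueError(f"unknown Proxy Settings value: {cfg.proxy_settings!r}")


def planned_calls(cfg: PcvConfig) -> list:
    """Endpoints a validation hits, in order; the memberOf call is skipped when disabled."""
    calls = [token_url(cfg), cfg.user_attributes_endpoint]
    if not cfg.disable_group_retrieval:
        calls.append(cfg.group_membership_endpoint)
    return calls


def map_attributes(username: str, me: dict, member_of: Optional[dict],
                   extended: tuple = ()) -> dict:
    """Build the attribute contract from a Graph /me payload and, when retrieval was not
    disabled, a /me/memberOf payload. `username` is assumed to be the sign-in value."""
    contract = {
        "displayName": me.get("displayName"),
        "givenName": me.get("givenName"),
        "mail": me.get("mail"),
        "surname": me.get("surname"),
        "username": username,
        "userPrincipalName": me.get("userPrincipalName"),
    }
    if member_of is None:
        contract["memberOf"] = []  # Disable User Group Retrieval: nothing was fetched
    else:
        # Graph's memberOf collection mixes object types; keep only groups.
        contract["memberOf"] = [g["displayName"] for g in member_of.get("value", [])
                                if g.get("@odata.type") == "#microsoft.graph.group"]
    for name in extended:
        if name == "objectID":  # per the upgrade note on the page
            raise ValueError("objectID is not provided by PCV 2.0; rename the attribute to ID")
        contract[name] = me.get(name)  # assumption: extended attributes come from /me
    return contract


# Constructed sample payloads (not real responses) for running the example offline.
SAMPLE_ME = {
    "id": "11111111-2222-3333-4444-555555555555",
    "displayName": "Alice Example", "givenName": "Alice", "surname": "Example",
    "mail": "alice@example.com", "userPrincipalName": "alice@example.com",
}
SAMPLE_MEMBER_OF = {"value": [
    {"@odata.type": "#microsoft.graph.group", "displayName": "Finance"},
    {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Global Reader"},
]}

if __name__ == "__main__":
    cfg = PcvConfig(tenant_id="TENANT-ID-PLACEHOLDER", client_id="CLIENT-ID-PLACEHOLDER",
                    client_secret="CLIENT-SECRET-PLACEHOLDER")
    print(planned_calls(cfg), request_timeout_seconds(cfg), proxy_map(cfg))
    print(map_attributes("alice@example.com", SAMPLE_ME, SAMPLE_MEMBER_OF))
```

Running the block prints the three endpoints a default configuration would call, the 5-second timeout, and the mapped contract with `memberOf` reduced to the one group entry; setting `disable_group_retrieval=True` drops the memberOf call and leaves `memberOf` empty.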