PingOne Credentials Integration Kit

Extending the contract

Apply the same extended contract changes to the policy contract and OpenToken SP adapter. Map the policy contract to the authentication policy’s IdP adapter success step and the browser SSO of the SP and IdP connections.

Before you begin

This procedure assumes that you’ve created:

  1. An OpenToken SP adapter. Learn more in Configuring an OpenToken SP adapter instance.

  2. The authentication policy that you want to use the PingOne Credentials IdP Adapter in. Learn more in Authentication Policies.

  3. An SP connection for the OpenToken SP adapter and an IdP connection for the PingOne Credentials IdP Adapter. Learn more in SP connection management and Managing IdP adapters.

About this task

Complete this procedure to finish configuring the PingOne Credentials IdP Adapter and successfully use the same device or different device SSO flow to collect the credential attribute values presented from the user’s digital wallet. Chained adapters can then use the collected attribute values later in the configured PingFederate authentication policy flow.

Credential attributes can’t be added to the core attribute contract because administrators might require different credential types and attributes for verification. Unlike with the PingOne Verify integration kit, administrators must configure the PingOne Credentials IdP Adapter credential fields manually, then extend the attribute contract to match.

Steps

  1. Create the same extended contract from the Configuring an adapter instance procedure in a PingFederate policy contract:

    Learn more in Policy contracts.

    You will use this policy contract in steps 2, 4, and 5.

    1. Go to Authentication > Policies > Policy Contracts and click Create New Contract.

    2. On the Contract Info tab, in the Contract Name field, enter a unique value, then click Next.

      For example, PingOne Credentials contract.

    3. On the Contract Attributes tab, add the same attributes that you added to the extended contract in step 7 of the Configuring an adapter instance procedure. Click Save, then click Next.

      For example, verifiedEmployee.firstName and verifiedEmployee.lastName.

    4. On the Summary tab, click Save.

  2. Map the policy contract that you created in step 2 to the PingOne Credentials IdP Adapter contract on the adapter’s success step in the authentication policy:

    1. Go to Authentication > Policies > Policies and edit the authentication policy that you’ve included the PingOne Credentials IdP Adapter in.

    2. In the Policy section, expand the Success step containing the PingOne Credentials IdP Adapter, and click Contract Mapping under the adapter’s Success step.

    3. On the Contract Fulfillment tab, add the same attributes that you added to the extended contract in step 7 of the Configuring an adapter instance procedure.

      For each attribute, select the adapter as the Source and add the attribute as the Value.

    4. On the Contract Fulfillment tab, click Done, then click Next.

    5. On the Summary tab, click Done.

  3. Create the same extended contract from the Configuring an adapter instance procedure in your OpenToken SP adapter instance:

    1. Go to Applications > SP Adapters and open your OpenToken SP adapter configuration.

    2. On the Extended Contract tab, add the same attributes that you added to the extended contract in step 7 of the Configuring an adapter instance procedure. Click Save, then click Next.

    3. On the Summary tab, click Save.

  4. Map the policy contract that you created in step 2 to the Browser SSO section of the SP connection:

    1. Go to Applications > SP Connections and open the connection that you used for your SP adapter.

    2. On the Browser SSO tab, click Configure Browser SSO, go to the Assertion Creation tab, click Configure Assertion Creation, and then go to the Attribute Contract tab.

    3. In the Extend the Contract section, add the same attributes that you added to the extended contract in step 7 of the Configuring an adapter instance procedure. Click Save, then Next.

      For each attribute, use urn:oasis:names:tc:SAML:2.0:attrname-format:basic as the Attribute Name Format.

    4. On the Authentication Source Mapping tab, confirm that your PingOne Credentials policy contract is mapped in the Authentication Policy Contract Name section.

    5. Open the authentication policy mapping, go to the Attribute Contract Fulfillment tab, and add the same attributes that you added to the extended contract in step 7 of the Configuring an adapter instance procedure.

      For each attribute, use Authentication Policy Contract as the Source and the attribute as the Value.

    6. Click Save, then Done.

  5. Map the policy contract that you created in step 2 to the Browser SSO section of the IdP connection:

    1. Go to Authentication > IdP Connections and open the connection associated with the PingOne Credentials IdP Adapter.

    2. On the Browser SSO tab, click Configure Browser SSO, go to the User-Session Creation tab, click Configure User-Session Creation, and then go to the Attribute Contract tab.

    3. In the Extend the Contract section, add the same attributes that you added to the extended contract in step 7 of the Configuring an adapter instance procedure. Click Save, then Next.

    4. On the Target Session Mapping tab, confirm that your PingOne Credentials IdP Adapter is mapped in the Adapter Instance Name section.

    5. Open the adapter instance mapping, go to the Adapter Contract Fulfillment tab, and add the same attributes that you added to the extended contract in step 7 of the Configuring an adapter instance procedure.

      For each attribute, use Assertion as the Source and the attribute as the Value.

    6. Click Save, then Done.
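
The steps above put the same extended attributes into the policy contract, the OpenToken SP adapter, and both connections. The following Python check is an added example, not part of the PingFederate documentation or product: it compares a constructed inventory of those contracts against the adapter's attribute list and reports drift. The dict layout and the `find_drift` helper are assumptions, not a PingFederate export or admin API format.

```python
# Added example. The inventory layout is a constructed, simplified stand-in
# for what an administrator would transcribe from each configuration screen.
SAML_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Reference list: the attributes on the adapter's extended contract
# (names taken from the page's own example).
REFERENCE = ["verifiedEmployee.firstName", "verifiedEmployee.lastName"]

# Constructed sample with three deliberate mistakes.
INVENTORY = {
    "policy contract (step 1)": [{"name": n} for n in REFERENCE],
    "OpenToken SP adapter (step 3)": [
        {"name": "verifiedEmployee.firstName"},
        {"name": "verifiedemployee.lastname"},  # differs only by case
    ],
    "SP connection (step 4)": [
        {"name": "verifiedEmployee.firstName", "nameFormat": SAML_BASIC},
        {"name": "verifiedEmployee.lastName",
         "nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"},
    ],
    "IdP connection (step 5)": [
        {"name": "verifiedEmployee.firstName"},  # lastName never added
    ],
}

def find_drift(reference, inventory, format_checked=("SP connection (step 4)",)):
    """Return a sorted list of (location, problem) tuples."""
    problems = []
    wanted = set(reference)
    folded = {n.lower(): n for n in reference}
    for location, attrs in inventory.items():
        names = {a["name"] for a in attrs}
        lowered = {n.lower() for n in names}
        for extra in names - wanted:
            match = folded.get(extra.lower())
            detail = (f"case mismatch: {extra} != {match}" if match
                      else f"unexpected attribute: {extra}")
            problems.append((location, detail))
        for missing in wanted - names:
            if missing.lower() not in lowered:  # case drift already reported
                problems.append((location, f"missing attribute: {missing}"))
        if location in format_checked:
            for a in attrs:
                if a.get("nameFormat") != SAML_BASIC:
                    problems.append((location, f"name format not basic: {a['name']}"))
    return sorted(problems)

if __name__ == "__main__":
    for location, problem in find_drift(REFERENCE, INVENTORY):
        print(f"{location}: {problem}")
```

An empty result means every location carries the reference attributes and the SP connection uses the basic name format for each of them.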