Configuring an adapter instance
Configure the X.509 Certificate IdP Adapter to determine how PingFederate handles X.509 certificates.
Steps
- Sign on to the PingFederate administrative console.
- On the Identity Provider > Manage IdP Adapter Instances page, click Create New Instance.
- On the Type page, set the basic adapter instance attributes.
  - In the Instance Name field, enter a name for the adapter instance.
  - In the Instance ID field, enter a unique identifier for the adapter instance.
  - In the Type list, select X.509 Certificate IdP Adapter. Click Next.
- (Optional) On the IdP Adapter page, in the Constrain Acceptable Root Issuers section, specify the certificate authority (CA) that you want to use to validate end-user X.509 certificates.
  Client certificates are always validated against all trusted CAs in PingFederate and the Java Virtual Machine (JVM). This section only restricts which issuers are used to validate end-user certificates.
  a. Click Add a new row to Constrain Acceptable Root Issuers.
  b. In the Issuer DN field, enter the subject distinguished name (DN) of an issuer listed on the Trusted CAs page in PingFederate.
     See Manage trusted certificate authorities in the PingFederate documentation.
  c. In the Action column, click Update.
  To add more acceptable issuers, repeat steps a - c.
- On the IdP Adapter screen, configure the adapter instance by referring to X.509 Certificate IdP Adapter settings reference. Click Next.
- On the Extended Contract screen, add any attributes that you want to include in the extended contract. Enter attributes in uppercase. Only attributes specified in RFC 2253 are allowed: CN, L, ST, O, OU, C, STREET, DC, and UID. You can include subject DN components in this list.
  If you selected Parse Client Cert Subject and Issuer DNs on the IdP Adapter page, you can also include the subject DN email component and issuer DN components. For issuer DN components, prefix the attribute with issuer_, such as issuer_CN.
- Complete the adapter configuration.
  - On the Summary page, verify that the configuration is correct. Click Done.
  - On the Manage IdP Adapter Instances page, click Save.
  - If you configured the Client Auth Hostname field, in <pf_install>/pingfederate/server/default/data/config-store/session-cookie-config.xml, add your domain with a preceding period to the <c:item name="cookie-domain"></c:item> element, such as <c:item name="cookie-domain">.example.com</c:item>.
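The two certificate-handling settings in the steps above, Constrain Acceptable Root Issuers and the Extended Contract attributes, as an added Python illustration that is not PingFederate's own code: it parses RFC 2253 string DNs, accepts a certificate only when its issuer DN matches a configured Issuer DN (exact comparison after parsing is an assumption; the adapter's matching rules are not described on this page), and fills the contract values, including issuer_-prefixed issuer components. All sample DNs are constructed.

```python
import re

# Attribute types the page allows in the extended contract (RFC 2253 names),
# plus the subject-only "email" component available when DN parsing is on.
RFC2253_ATTRS = {"CN", "L", "ST", "O", "OU", "C", "STREET", "DC", "UID"}
SUBJECT_EXTRAS = {"EMAIL"}


def parse_dn(dn):
    """Split an RFC 2253 string DN into (TYPE, value) pairs, honouring
    backslash escapes (e.g. 'O=Acme\\, Inc.') and '+' multi-valued RDNs."""
    pairs = []
    for ava in re.split(r'(?<!\\)[,+]', dn):     # split on unescaped , or +
        if not ava.strip():
            continue
        attr_type, _, value = ava.partition("=")
        value = re.sub(r'\\(.)', r'\1', value.strip())  # drop escape backslashes
        pairs.append((attr_type.strip().upper(), value))
    return pairs


def issuer_is_acceptable(issuer_dn, acceptable_issuers):
    """Constrain Acceptable Root Issuers: no configured issuers means every
    trusted CA is acceptable; otherwise the issuer DN must equal one of them
    (exact match after parsing is this example's assumption)."""
    if not acceptable_issuers:
        return True
    configured = {tuple(parse_dn(d)) for d in acceptable_issuers}
    return tuple(parse_dn(issuer_dn)) in configured


def build_contract(subject_dn, issuer_dn, requested, parse_issuer=True):
    """Fill the extended contract: `requested` holds uppercase subject names
    such as 'CN', or 'issuer_CN' for issuer components, which exist only when
    Parse Client Cert Subject and Issuer DNs is selected (parse_issuer)."""
    subject, issuer = {}, {}
    for t, v in parse_dn(subject_dn):
        if t in RFC2253_ATTRS or t in SUBJECT_EXTRAS:
            subject.setdefault(t, v)             # first occurrence wins
    if parse_issuer:
        for t, v in parse_dn(issuer_dn):
            if t in RFC2253_ATTRS:
                issuer.setdefault("issuer_" + t, v)
    contract = {}
    for name in requested:
        if name.startswith("issuer_"):
            contract[name] = issuer.get(name)
        else:
            contract[name] = subject.get(name.upper())
    return contract
```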