Configuring PingFederate as the identity provider
The following task configures the PingFederate server as the identity provider (IdP) for the PingDirectory server.
Before you begin
Download the LDAPS certificate from the PingDirectory server. For more information, see Exporting certificates.
Steps
- Sign on to the PingFederate administrative console.
- Import the PingDirectory server LDAPS certificate:
  - Go to Security → Certificate & Key Management → Trusted CAs.
  - Click Import, click Choose File to browse to the certificate, click Next, and then click Save.
- Add a Lightweight Directory Access Protocol (LDAP) datastore:
  - Go to System → Data Stores.
  - Click Add New Data Store.
  - Specify a Name for the data store.
  - Set Type to Directory (LDAP).
  - Click Next.
  - In the Hostname(s) field, enter the PingDirectory server host name and LDAPS port, separated by a colon (for example, 10.101.113.75:1636), and click Add.
  - Select the Use LDAPS check box.
  - Set LDAP Type to PingDirectory.
  - In the User DN field, enter one of the following values based on your PingDirectory configuration:
    - cn=dmanager
    - cn=Directory Manager
    These values assume that Delegated Admin will run as the directory manager.
  - In the Password field, specify the root password.
  - Click Advanced and then Advanced LDAP Options.
  - Select the Create New Connections If Necessary check box.
  - Clear the Verify LDAPS Hostname check box.
  - Click Done.
  - Click Test Connection.
  - Click Next.
  - Click Save.
- Create the HTML Form IdP Adapter. The adapter authenticates users against the PingDirectory server.
  - Go to Authentication → IdP Adapters → Create New Instance.
  - In the Instance Name field, enter a name such as PingDirectoryIdP.
  - Specify an Instance ID.
  - Set Type to HTML Form IdP Adapter.
  - Click Next.
  - Go to the bottom of the page and click Manage Password Credential Validators.
  - Create a validator to authenticate users against the PingDirectory server:
    - Click Create New Instance.
    - Specify an Instance Name.
    - Specify an Instance ID.
    - Set Type to LDAP User Name Password Credential Validator.
    - Click Next.
    - Specify an LDAP Datastore.
    - Specify a Search Base.
    - Enter the following text in the Search Filter field so that users can sign on with either their email address or their user name:
      (|(uid=${username})(mail=${username}))
    - Click Next and extend the contract with entryUUID and cn. These values are used later.
    - Click Next, Done, or Save until you reach the Create Adapter Instance screen.
  - Add a new row to Password Credential Validators, choose the new LDAP Password Credential Validator, and click Update.
  - Go to the Extended Contract tab and extend the adapter contract with entryUUID and cn.
  - Go to the Adapter Attributes tab, select entryUUID as the pseudonym, and then click Next, Next, Done, and Save.
  For more information, see Configuring the LDAP Username Password Credential Validator.
- Enable session tracking:
  - Go to Authentication → Sessions.
  - Select the Track Adapter Sessions For Logout check box.
  - Select the Track Revoked Sessions On Logout check box.
  - Select the Enable Authentication Sessions For All Sources check box.
  - Click Save.
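The ${username} placeholder in the Search Filter above is replaced with whatever the user types at the sign-on form, so the substituted value has to be escaped per RFC 4515 or a single typed value could match more than one account. The following Python is an added example, not PingFederate code (PingFederate substitutes the placeholder itself); the build_signon_filter, naive_signon_filter and is_safe_signon_filter helpers are assumed names used to show what a correct substitution must produce and how to check it.

```python
import re

# The Search Filter value from the Password Credential Validator step.
FILTER_TEMPLATE = "(|(uid=${username})(mail=${username}))"

# RFC 4515 section 3: characters that must be hex-escaped inside an
# assertion value so they are matched literally rather than parsed.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def naive_signon_filter(username: str) -> str:
    """Substitute ${username} verbatim (the unsafe form, for comparison only)."""
    return FILTER_TEMPLATE.replace("${username}", username)


def build_signon_filter(username: str) -> str:
    """Substitute ${username} with the value escaped per RFC 4515."""
    return FILTER_TEMPLATE.replace("${username}", escape_filter_value(username))


def count_assertions(ldap_filter: str) -> int:
    """Count '(attr=' assertions; the sign-on filter must contain exactly two,
    one for uid and one for mail, whatever the user typed."""
    return len(re.findall(r"\([A-Za-z][\w-]*=", ldap_filter))


def is_safe_signon_filter(ldap_filter: str) -> bool:
    """Check that a substituted filter keeps the shape of the template:
    exactly two assertions and no unescaped wildcard anywhere."""
    return count_assertions(ldap_filter) == 2 and "*" not in ldap_filter


if __name__ == "__main__":
    # Constructed sample inputs: a normal sign-on name and two values that
    # contain filter metacharacters.
    for name in ("alice@example.com", "*", "a)(cn=b"):
        safe = build_signon_filter(name)
        print(name, "->", safe, "safe:", is_safe_signon_filter(safe))
```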