The PingOne Pass-Through Authentication plugin
The PingOne Pass-Through Authentication plugin allows users to authenticate to the PingDirectory server with a password from PingOne and can optionally update the passwords in PingDirectory after successfully validating it in PingOne.
Although the PingDataSync server supports bidirectional synchronization between the PingDirectory server and PingOne, and it can synchronize password changes from PingDirectory to PingOne, it can’t sync password changes from PingOne to PingDirectory. However, you can use the PingOne Pass-Through Authentication plugin to authenticate to the PingDirectory server with a PingOne password, and can optionally update the password in PingDirectory after successfully validating it in PingOne.
This plugin features a mandatory try-local-bind
configuration property that enables one of the following modes of operation:
-
When
try-local-bind
istrue
, the plugin attempts to authenticate locally first. It sends a request to PingOne only if the local bind attempt fails. -
When
try-local-bind
isfalse
, the plugin attempts to authenticate with PingOne first.
The following table identifies and describes the configuration properties associated with the PingOne Pass-Through Authentication plugin.
Property | Description | Required | Default |
---|---|---|---|
|
URL that the PingDirectory server uses to communicate with PingOne. |
Yes |
N/A |
|
URL that the PingDirectory server uses to authenticate to PingOne. |
Yes |
N/A |
|
OAuth client ID that the PingDirectory server uses to authenticate to PingOne. |
Yes |
N/A |
|
OAuth client secret that the PingDirectory server uses to authenticate to PingOne. |
Yes |
N/A |
|
Identifier for the PingOne environment that contains the users for whom pass-through authentication is attempted. |
Yes |
N/A |
|
If this value is set, authentication attempts are passed to PingOne only for users in a specified distinguished name (DN). If this value is set, only users who exist within a specified base DN allow their authentication attempts to be passed through to PingOne. |
No |
All public naming contexts (if not set) |
|
Reference to a connection criteria object to use to identify the bind requests to pass-through to PingOne based on the server’s knowledge of the client expected to be the address, protocol, and security level. If this property is defined, only client connections that match the criteria are included. If this property is not defined, all clients are included. |
No |
N/A |
|
Reference to a request criteria object to use to identify the bind requests to pass through to PingOne, based on the contents of the request. If this property is defined, only bind requests that match the criteria are included. If this property is not defined, all bind requests are included. |
No |
N/A |
|
Indicates whether the PingDirectory server tries to process the bind locally before forwarding the bind request to PingOne. If this value is set to |
Yes |
|
|
Indicates whether the PingDirectory server attempts to bind to PingOne if the local account has a password. This property is used if If the local bind attempt fails while this value is set to |
Yes |
|
|
Indicates whether the PingDirectory server attempts to set the password for the local user account, regardless of whether one is already set, when the local authentication attempt fails but the attempt to authenticate with PingOne succeeds. This property is used only if If the on-premise PingDirectory server is the authoritative source for passwords, set this property to If PingOne is the authoritative source for passwords, set this property to |
Yes |
|
|
Indicates whether the PingDirectory server bypasses the normal password-validation process when setting the local password from PingOne. This property is used only when both If this value is If this value is |
Yes |
|
|
Set of zero or more password policy state error conditions that are ignored for pass-through authentication. For a list of values and their descriptions, see the following table. |
No |
N/A |
|
Name of an LDAP attribute that is used to map local user entries to the corresponding PingOne account. This property must include the same number of values as the The |
Yes |
N/A |
|
The name of a PingOne field used to map local user entries to the corresponding PingOne account. This property must include the same number and order of values as the |
Yes |
N/A |
|
The System for Cross-domain Identity Management (SCIM) filter included in the search and used to identify the PingOne account that corresponds to the local user entry. If a value is provided for this property, it is used with the SCIM filter that was created to map the local user entry to a PingOne account. If a value is not provided for this property, no additional filter is used. |
No |
N/A |
The following table identifies the values to use with the optional configuration property ignored-password-policy-state-error-condition
and describes the scenarios in which a user is permitted to bind when using pass-through authentication.
Property | Scenario in which a user can still bind by using pass-through authentication |
---|---|
|
The account is locked temporarily because of too many failed attempts. |
|
The account is locked permanently because of too many failed attempts. |
|
The account is locked because the user has not authenticated recently. |
|
The account is locked because an administrator recently reset the password, and the user failed to specify a new password within the allotted time frame. |
|
The password is expired. |
ExampleConfiguring the PingOne Pass-Through Authentication plugin
To create and configure the PingOne Pass-Through Authentication plugin, run dsconfig create-plugin
in a command similar to the following.
dsconfig create-plugin \ --plugin-name "PingOne Pass-Through Authentication" \ --type ping-one-pass-through-authentication \ --set enabled:true \ --set "api-url:<API URL>" \ --set "auth-url:<Auth URL>" \ --set "oauth-client-id:<Client ID>" \ --set "oauth-client-secret:<Client Secret>" \ --set "environment-id:<Environment ID>" \ --set user-mapping-local-attribute:entryUUID \ --set user-mapping-remote-json-field:externalId