---
title: Authentication configuration
description: The delegated administrator signs on to Delegated Admin through your chosen identity provider (IdP), which is configured as the authentication server and OpenID Connect (OIDC) provider.
component: pingdirectory
version: 11.0
page_id: pingdirectory:delegated_admin_application_guide:pd_da_authn_config
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/delegated_admin_application_guide/pd_da_authn_config.html
revdate: September 18, 2023
section_ids:
  interaction-with-the-pingdirectory-server: Interaction with the PingDirectory server
  authorization-by-the-pingdirectory-server: Authorization by the PingDirectory server
---

# Authentication configuration

The delegated administrator signs on to Delegated Admin through your chosen identity provider (IdP), which is configured as the authentication server and OpenID Connect (OIDC) provider. An IdP is a service that manages identity information and provides authentication services to relying clients or service providers (SPs) within a federated or distributed network. OIDC is an authentication protocol built on top of OAuth that authenticates users and enables clients (relying parties) of all types to request and receive information about authenticated sessions and users; it is extensible, allowing clients to use optional features such as encryption of identity data, discovery of OpenID Providers (OAuth authorization servers), and session management.

The IdP validates the user's credentials against the PingDirectory server, encapsulates claims about the user's identity, and issues an access token to Delegated Admin. An access token is a data object by which a client authenticates to a resource server and lays claim to authorizations for accessing particular resources. Delegated Admin then presents the token to the PingDirectory server in the HTTP `Authorization` request header.

## Interaction with the PingDirectory server

The PingDirectory server is configured to accept access tokens by using access token validators. The values that the IdP sets for the access token `sub` claim must be mappable to a distinguished name (DN) in the PingDirectory server; a DN is a name that uniquely identifies an object within the hierarchy of a directory tree. Setting up an access token validator for use with Delegated Admin requires some coordination with the server configuration. In the suggested default configuration, the access token contains the `entryUUID` of the administrator user entry in the `sub` claim. This value is mapped back to a PingDirectory server entry by using an Exact Match Identity Mapper.

## Authorization by the PingDirectory server

After validation, the PingDirectory server checks the Delegated Admin configuration for authorization of the delegated administrator. Users or groups of users are authorized as delegated administrators in the PingDirectory server admin console or with the `dsconfig` tool.
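The following is an added example, not PingDirectory or Delegated Admin code, that walks the two steps described in the previous two sections end to end: an access token validator checks the token carried in the `Authorization` header, an exact-match mapping turns its `sub` claim (the `entryUUID`) into a DN, and the DN is then checked against a delegated-administrator authorization list. The HS256 shared key, the issuer URL, the in-memory stand-in for the directory backend, and the admin user and group DNs are all constructed assumptions; a real deployment validates tokens against the IdP's published keys and performs an LDAP search instead of a dictionary scan.

```python
# Added example (not PingDirectory code): Authorization header -> validated
# claims -> entryUUID exact match -> DN -> delegated-admin authorization.
# The key, issuer, directory contents and admin DNs below are all constructed.
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example.com"       # assumed IdP issuer
SHARED_KEY = b"constructed-demo-key"      # assumed HS256 key (demo only)

# Constructed stand-in for the PingDirectory backend: DN -> attributes.
DIRECTORY = {
    "uid=jdoe,ou=People,dc=example,dc=com": {
        "entryUUID": "2f1c7a5e-8d3b-4c0e-9a7f-1d2e3f4a5b6c",
        "isMemberOf": ["cn=Delegated Admins,ou=Groups,dc=example,dc=com"],
    },
    "uid=asmith,ou=People,dc=example,dc=com": {
        "entryUUID": "0b9e4d2a-1f6c-4e8b-a3d5-7c8e9f0a1b2d",
        "isMemberOf": [],
    },
}
# Constructed stand-in for the Delegated Admin authorization configuration.
ADMIN_USER_DNS = set()
ADMIN_GROUP_DNS = {"cn=Delegated Admins,ou=Groups,dc=example,dc=com"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(sub: str, ttl: int = 300) -> str:
    """Constructed IdP: issue an HS256 JWT whose sub is the user's entryUUID."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "exp": int(time.time()) + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token: str) -> dict:
    """Access token validator: check signature, issuer and expiry, return claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust alg from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_KEY, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    if "sub" not in claims:
        raise ValueError("missing sub claim")
    return claims


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping so a sub value cannot change the shape of the search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def exact_match_map(sub: str) -> str:
    """Exact Match Identity Mapper: (entryUUID=<sub>) must match exactly one entry."""
    search_filter = "(entryUUID=" + ldap_filter_escape(sub) + ")"
    matches = [dn for dn, attrs in DIRECTORY.items() if attrs["entryUUID"] == sub]
    if len(matches) != 1:
        raise LookupError(search_filter + " matched " + str(len(matches)) + " entries, expected 1")
    return matches[0]


def authorize(dn: str) -> bool:
    """Delegated Admin check: DN listed directly, or member of an authorized group."""
    if dn in ADMIN_USER_DNS:
        return True
    return any(g in ADMIN_GROUP_DNS for g in DIRECTORY[dn]["isMemberOf"])


def handle_request(authorization_header: str) -> str:
    """Header -> validated claims -> DN -> authorization decision; returns the admin DN."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("expected 'Authorization: Bearer <token>'")
    claims = validate_token(token)
    dn = exact_match_map(claims["sub"])
    if not authorize(dn):
        raise PermissionError(dn + " is not a delegated administrator")
    return dn


if __name__ == "__main__":
    tok = mint_token("2f1c7a5e-8d3b-4c0e-9a7f-1d2e3f4a5b6c")
    print(handle_request("Bearer " + tok))
```

Two points in this flow are worth checking in a real configuration: the exact-match step must resolve to exactly one entry (a `sub` value that matches zero or several entries is rejected rather than guessed at), and the `sub` value is escaped before it is placed in the LDAP filter so that a crafted claim cannot alter the search.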
