---
title: Configuring PingFederate as the identity provider
description: The following task configures the PingFederate server as the identity provider (IdP) for the PingDirectory server.
component: pingdirectory
version: 11.0
page_id: pingdirectory:delegated_admin_application_guide:pd_da_config_pf_as_idp
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/delegated_admin_application_guide/pd_da_config_pf_as_idp.html
revdate: May 20, 2024
section_ids:
  before-you-begin: Before you begin
  steps: Steps
---

# Configuring PingFederate as the identity provider

The following task configures the PingFederate server as the identity provider (IdP) for the PingDirectory server.

## Before you begin

Download the LDAPS certificate from the PingDirectory server. For more information, see [Exporting certificates](../managing_servers_and_certificates/pd_ds_export_certificates.html).

## Steps

1. Sign on to the PingFederate admin console.

2. Import the PingDirectory server LDAPS certificate:

   1. Go to **Security → Certificate & Key Management → Trusted CAs**.

   2. Click **Import**, click **Choose File** to browse to the certificate, click **Next**, and then click **Save**.

3. Add a Lightweight Directory Access Protocol (LDAP) data store:

   1. Go to **System → Data Stores**.

   2. Click **Add New Data Store**.

   3. Specify a **Name** for the data store.

   4. Set **Type** to **Directory (LDAP)**.

   5. Click **Next**.

   6. In the **Hostname(s)** field, enter the PingDirectory server host name and LDAPS port, separated by a colon (for example, `10.101.113.75:1636`), and then click **Add**.

   7. Select the **Use LDAPS** check box.

   8. Set **LDAP Type** to **PingDirectory**.

   9. In the **User DN** field, enter one of the following values based on your PingDirectory configuration:

      * `cn=dmanager`

      * `cn=Directory Manager`

      Note: These values are based on the assumption that Delegated Admin will run as the directory manager.

   10. In the **Password** field, specify the root password.

   11. Click **Advanced** and then **Advanced LDAP Options**.

       1. Select the **Create New Connections If Necessary** check box.

       2. Clear the **Verify LDAPS Hostname** check box.

       3. Click **Done**.

   12. Click **Test Connection**.

   13. Click **Next**.

   14. Click **Save**.

4. Create the HTML form IdP Adapter.

   The adapter authenticates users against the PingDirectory server.

   1. Go to **Authentication → IdP Adapters → Create New Instance**.

   2. In the **Instance Name** field, enter a name such as `PingDirectoryIdP`.

   3. Specify an **Instance ID**.

   4. Set **Type** to **HTML Form IdP Adapter**.

   5. Click **Next**.

   6. Go to the bottom of the page and click **Manage Password Credential Validators**.

   7. Create a validator to authenticate users against the PingDirectory server:

      1. Click **Create New Instance**.

      2. Specify an **Instance Name**.

      3. Specify an **Instance ID**.

      4. Set **Type** to **LDAP User Name Password Credential Validator**.

      5. Click **Next**.

      6. Specify an **LDAP Datastore**.

      7. Specify a **Search Base**.

      8. Enter the following text in the **Search Filter** field to let users sign on with either their email address or user name:

         `(|(uid=${username})(mail=${username}))`

      9. Click **Next** and extend the contract with `entryUUID` and `cn`.

         Note: These values are used later.

      10. Click **Next**, **Done**, or **Save** until you reach the **Create Adapter Instance** screen.

   8. Add a new row to **Password Credential Validators**, choose the new LDAP Password Credential Validator, and click **Update**.

   9. Go to the **Extended Contract** tab and extend the adapter contract with `entryUUID` and `cn`.

   10. Go to the **Adapter Attributes** tab, select `entryUUID` for a pseudonym, and then click **Next**, **Next**, **Done**, and **Save**.

       Learn more about [Configuring the LDAP Username Password Credential Validator](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_configure_ldap_username_pcv.html) in the PingFederate documentation.

5. Enable session tracking:

   1. Go to **Authentication → Sessions**.

   2. Select the **Track Adapter Sessions For Logout** check box.

   3. Select the **Track Revoked Sessions On Logout** check box.

   4. Select the **Enable Authentication Sessions For All Sources** check box.

   5. Click **Save**.
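
The **Hostname(s)** entry and the **Verify LDAPS Hostname** option in step 3 both depend on which names the PingDirectory LDAPS certificate carries. As an added example (not part of the Ping Identity documentation or product code), this Python check tests whether a **Hostname(s)** entry is covered by the certificate's subjectAltName, assuming standard TLS name matching. `SAMPLE_CERT`, `pd1.example.com`, `*.dir.example.com`, and all function names are constructed for illustration.

```python
import ipaddress
import socket
import ssl

# Constructed getpeercert()-style certificate contents; names are placeholders.
SAMPLE_CERT = {"subjectAltName": (("DNS", "pd1.example.com"), ("DNS", "*.dir.example.com"))}


def split_host_port(value):
    """Split a Hostname(s) entry such as '10.101.113.75:1636'."""
    host, _, port = value.rpartition(":")
    return host, int(port)


def dns_match(pattern, host):
    """Case-insensitive match; '*.' may replace the left-most label only."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    # One label only: 'a.b.example.com' is not covered by '*.example.com'.
    return "." in h and h.split(".", 1)[1] == p[2:]


def san_covers(host, cert):
    """True if cert (an ssl getpeercert() dict) names host in subjectAltName."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(k == "DNS" and dns_match(v, host) for k, v in sans)
    # An IP address matches only 'IP Address' entries, never DNS entries.
    return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)


def fetch_cert(host, port, cafile):
    """Fetch the LDAPS certificate, trusting only cafile (needs network access)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # chain still verified; san_covers compares the name
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for entry in ("10.101.113.75:1636", "pd1.example.com:1636"):
        host, _ = split_host_port(entry)
        print(entry, "covered" if san_covers(host, SAMPLE_CERT) else "NOT covered")
```

With network access, `san_covers(host, fetch_cert(host, port, "pd-ldaps.pem"))` runs the same comparison against the live server, where `pd-ldaps.pem` is a placeholder for the certificate exported in **Before you begin**.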
