Managing target session mappings
You can map a service provider (SP) adapter instance to an identity provider (IdP) connection and complete its mapping configuration through a series of sub tasks.
About this task
When PingFederate receives an SSO token, the corresponding SP adapter is triggered to fulfill its adapter contract based on the connection settings for the purpose of completing the "last-mile" integration with your application. As needed, you can map multiple SP adapter instances to an IdP connection, the same SP adapter instance to multiple IdP connections, or a combination of them.
Alternatively, if you use authentication policies to route users through a series of authentication sources and end each successful policy path with an authentication policy contract (APC), you can skip the mapping of an APC to an IdP connection and configure an APC-to-SP adapter instance mapping configuration.
To learn more about authentication policies, see Authentication policies. |
Furthermore, you can map one or more APCs to an IdP connection to bridge an identity provider to one or more service providers. In this scenario, PingFederate is a federation hub for both sides. PingFederate uses APCs to associate this IdP connection with the applicable SP connections to the service providers; each APC has its own set of attributes to which you can map values from the SSO tokens.
To learn more about federation hub, see Federation hub use cases. |
On the Target Session Mapping tab, if presented, you must associate at least one target session, an SP adapter instance or an authentication policy contract, with an IdP connection. If you have multiple integration requirements, for example, if you are using more than one IdM system or an application not covered by a centralized system, multiple SP adapter instances. If you are bridging an identity provider to multiple service providers, map multiple authentication policy contracts.
The Target Session Mapping configuration does not apply when the No Mapping option is selected on the Identity Mapping tab.
Steps
-
On the Target Session Mapping tab:
Choice Action Map an SP adapter instance
Click Map New Adapter Instance.
Map an APC
Click Map New Authentication Policy.
Edit the mapping configuration of an SP adapter instance or APC
Open it by clicking on its name, select the setting that you want to reconfigure, and complete the change.
Remove an SP adapter or APC or cancel the removal request
Click Delete followed by Save or Undelete.
If you are creating a new connection and you are finished with mapping the required target sessions
Click Done.
If you are editing an existing configuration and want to keep your changes
Click Save.
Result
When target sessions are restricted to certain virtual server IDs, the allowed IDs are displayed under Virtual Server IDs.
If you configure multiple target sessions for a connection, PingFederate selects the applicable adapter instance or authentication policy contract at runtime based on the target resource information in the requests and your configuration For more information, see Configuring target URL mapping. |