Configuring directories for account-link storage
You can create and configure a directory server to store account linking data.
Before you begin
|
User accounts for linking must exist in the directory prior to establishing the account link. The Account Linking Service does not add users to the directory server, it only updates |
Steps
-
Go to System → Data & Credential Stores → Data Stores and create a new datastore to connect PingFederate to the directory. For more information, see Configuring an LDAP connection.
-
Copy the system ID of the new account-linking datastore.
-
Edit the
hivemodule.xmlfile.The file is located in the
<pf_install>/pingfederate/server/default/conf/META-INFdirectory.Locate the
service-pointfor the Account Linking Service, as shown in the following example.... <!-- Service/adapter for storage of account linking --> <service-point id="AccountLinkingService" interface="org.sourceid.saml20.service.AccountLinkingService"> <!-- Supported classes are org.sourceid.saml20.service.impl.AccountLinkingServiceDBImpl : Use this service-point for a database implementation org.sourceid.saml20.service.impl.AccountLinkingServiceLDAPImpl : Use this service-point for an LDAP implementation --> <create-instance class="org.sourceid.saml20.service.impl.AccountLinkingServiceDBImpl"/> </service-point> ...
Update the
classvalue toorg.sourceid.saml20.service.impl.AccountLinkingServiceLDAPImpl, as shown in the following example.... <!-- Service/adapter for storage of account linking --> <service-point id="AccountLinkingService" interface="org.sourceid.saml20.service.AccountLinkingService"> ... <create-instance class="org.sourceid.saml20.service.impl.AccountLinkingServiceLDAPImpl"/> </service-point> ...
Locate the Service-Point ID for AccountLinkingService and change the value of the
create-instance classtoorg.sourceid.saml20.service.impl.AccountLinkingServiceLDAPImpl. -
Edit the
<pf_install>/org.sourceid.saml20.service.impl.AccountLinkingServiceLDAPImpl.xmlfile.The following example shows the default content of the file.
<?xml version="1.0" encoding="UTF-8"?> <c:config xmlns:c="http://www.sourceid.org/2004/05/config"> <!-- Data store id --> <c:item name="PingFederateDSJNDIName"></c:item> <!-- LDAP search base --> <c:item name="UserSearchBase"></c:item> <!-- LDAP username attribute. ex: sAMAccountName --> <c:item name="UsernameAttribute"></c:item> <!-- Attribute on user object to place Account Linking data --> <c:item name="AccountLinkDataAttribute"></c:item> </c:config>Insert the applicable values between the XML tags as shown in the following table.
Item name Element value PingFederateDSJNDINameThe system ID of new account-linking datastore.
UserSearchBaseThe location in the directory server from which the search begins.
UsernameAttributeThe attribute that represents the user identifier.
AccountLinkDataAttributeThe attribute to store account linking data.
The
AccountLinkDataAttributecan be any multivalued string attribute on a user object class. We recommend that you extend the LDAP schema with a custom attribute for use here. For more information on extending the Active Directory schema, see Extending the Schema from Microsoft. -
Start or restart PingFederate.
-
If you are running PingFederate in a cluster, go to System → Server → Cluster Management and replicate this change to the other runtime servers.
You must also manually apply the changes made in the
hivemodule.xmlfile and then start or restart PingFederate on each runtime server. -
In the directory, create equality indexes on the LDAP attribute types you specified for the configuration properties
UsernameAttributeandAccountLinkDataAttribute.Example:
For example, you would need to create equality indexes on
sAMAccountNameandAccountLinkif you had specified the following in step 4:<!-- LDAP username attribute. ex: sAMAccountName --> <c:item name="UsernameAttribute">sAMAccountName</c:item> <!-- Attribute on user object to place Account Linking data --> <c:item name="AccountLinkDataAttribute">AccountLink</c:item>