Bundled adapters and authenticators
PingFederate comes bundled with the following adapters and authenticators to enable common deployment scenarios.
Bundled adapters
- Composite Adapter
  Allows multiple configured identity provider (IdP) adapters to execute in sequence. Depending on the authentication context, use this capability, called adapter chaining, either for single-adapter usage or to support multi-factor authentication through a series of adapters. For more information, see Composite Adapter.
- HTML Form Adapter
  Used in conjunction with Password Credential Validators. These adapters provide integration with user-data stores in directory servers or locally. For more information, see HTML Form Adapter.
- HTTP Basic Adapter
  Used in conjunction with Password Credential Validators. These adapters provide integration with user-data stores in directory servers or locally. For more information, see HTTP Basic Adapter.
- Identifier First Adapter
  For more information, see Identifier First Adapter.
- Kerberos Adapter
  Provides a seamless desktop SSO experience for Windows environments and supports authentication mechanism assurance from the Active Directory domain service. For new configurations and as a simpler alternative to the separately available IWA Integration Kit, use this adapter. For more information, see Kerberos Adapter.
- OpenToken Adapter
  Provides a generic interface for integrating with various applications, including Java- and .NET-based applications. For more information, see OpenToken Adapter.
- Passthrough IdP Adapter
  The Passthrough IdP Adapter allows a user key to be associated with a user’s authentication sessions. By placing the Passthrough IdP Adapter downstream from an IdP connection in a policy tree, you can take advantage of additional capabilities associated with defining a user key. For more information, see Configuring a Passthrough IdP Adapter.
- PingID Adapter
  PingID is a cloud-based authentication service that binds user identities to their devices, making it an effective multi-factor authentication solution. For more information, see the PingID documentation.
- PingOne DaVinci Adapter
  Allows PingFederate to use PingOne as an IdP as part of your PingFederate authentication policy. For more information, see PingOne DaVinci Integration Kit.
- PingOne MFA Adapter
  Allows PingFederate to use the PingOne MFA service for multi-factor authentication (MFA). For more information, see PingOne MFA Integration Kit.
- PingOne Protect Adapter
  When a user signs on through PingFederate, the adapter sends the transaction information to the PingOne Protect service and retrieves a risk evaluation and other information about the user’s current and previous transactions. For more information, see PingOne Risk Kit.
- PingOne Verify Adapter
  Allows PingFederate to use the PingOne Verify service to trigger an identity verification challenge as part of the PingFederate authentication policy or registration flow. For example, you can use this adapter for personal identity verification based on a government-issued photo ID. For more information, see PingOne Verify Integration Kit.
Bundled authentication selectors
PingFederate provides plugin authentication selectors, which enable dynamic selection of authentication sources based on administrator-specified criteria. Along with the Composite Adapter and token authorization, the selectors enable dynamic integration with an organization’s authentication or authorization policies, also known as adaptive federation.
To select subsequent selectors or authentication sources for handling complex hierarchical access-policy decisions, use the results of authentication-selection criteria evaluation. For more information, see Authentication policies.
- CIDR Authentication Selector
  Provides a means of choosing authentication sources or other selectors at runtime based on whether an end user’s IP address falls within ranges specified in Classless Inter-Domain Routing (CIDR) notation. This selector allows administrators to determine, for example, whether an SSO request originates inside or outside the corporate firewall and use different authentication integration accordingly. For more information, see Configuring the CIDR Authentication Selector.
- Cluster Node Authentication Selector
  Provides a means of picking authentication sources or other selectors at runtime based on the PingFederate cluster node that is servicing the request. For example, you can configure this selector to choose whether PingFederate attempts Integrated Windows Authentication based on the PingFederate cluster node with which a Key Distribution Center is associated. For more information, see Configuring the Cluster Node Authentication Selector.
- Connection Set Authentication Selector
  Provides a means of selecting authentication sources or other selectors at runtime based on a match found between the target SP connection used in an SSO request and SP connections configured within PingFederate. For example, administrators with different requirements for SP connections can override connection adapter selection on an individual connection basis. For more information, see Configuring the Connection Set Authentication Selector.
- Extended Property Authentication Selector
  Enables PingFederate to choose configured authentication sources or other selectors based on a match found between a selector result value and an extended property value from the invoking browser-based SSO connection or OAuth client. For more information, see Configuring the Extended Property Authentication Selector.
- HTTP Header Authentication Selector
  Provides a means of choosing authentication sources or other selectors at runtime based on a match found using wildcard expressions in an HTTP header. This selector allows administrators to determine, for example, authentication behavior based on the type of browser. For more information, see Configuring the HTTP Header Authentication Selector.
- HTTP Request Parameter Authentication Selector
  Provides a means of selecting authentication sources or other selectors at runtime based on query parameter values in the HTTP request. For more information, see Configuring the HTTP Request Parameter Authentication Selector.
- OAuth Client Set Authentication Selector
  Enables PingFederate to choose configured authentication sources or other selectors based on a match found between the client information in an OAuth request and the OAuth clients configured in the PingFederate OAuth authorization server (AS). This selector allows you to override client authentication selection on an individual client basis in one or more authentication policies. For more information, see Configuring the OAuth Client Set Authentication Selector.
- OAuth Scope Authentication Selector
  Provides a means of selecting authentication sources or other selectors at runtime based on a match found between the scopes of an OAuth authorization request and scopes configured in the PingFederate OAuth authorization server (AS). For example, if a client requires write access to a resource, administrators can configure the selector to choose an adapter that offers a stronger form of authentication, such as an X.509 client certificate, rather than username and password. For more information, see Configuring the OAuth Scope Authentication Selector.
- Requested AuthN Context Authentication Selector
  Provides a means of picking authentication sources or other selectors at runtime based on the authentication context requested by an SP, for SP-initiated SSO. Configured authentication sources are mapped either to SAML-specified contexts or to any ad hoc context agreed upon between the IdP and SP partners. For more information, see Configuring the Requested AuthN Context Authentication Selector.
- Session Authentication Selector
  Enables PingFederate to choose a policy path at runtime based on whether the user already has a PingFederate authentication session for a particular source. For more information, see Configuring the Session Authentication Selector.
NOTE: Authentication selectors rely on HTTP requests, HTTP headers, POST data, or a combination of them. Ensure that standard security measures are in place when using these selectors.
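The following is an added illustration, not PingFederate code or configuration. It sketches the inside-or-outside decision described for the CIDR Authentication Selector, together with one standard measure for header-derived input: the client address is read from X-Forwarded-For only when the connection comes from a known proxy. The ranges, proxy list, header handling, and source names are assumptions made for the example.

```python
import ipaddress

# Constructed sample policy; none of these values come from PingFederate.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "192.168.0.0/16", "2001:db8:10::/48")]
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.5.0/28")]
INSIDE, OUTSIDE = "kerberos-adapter", "html-form-then-mfa"  # hypothetical names


def _in_any(addr, networks):
    # An IPv4 address is never "in" an IPv6 network (and vice versa).
    return any(addr in net for net in networks)


def client_ip(peer_ip, forwarded_for=None):
    """Return the address to evaluate, or None if it cannot be established.

    X-Forwarded-For is client-controlled unless a trusted proxy wrote it, so
    it is read only when the TCP peer is a trusted proxy, and then from right
    to left: the first hop that is not a trusted proxy is the client.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _in_any(peer, TRUSTED_PROXIES):
        return peer  # direct connection: ignore any forwarded header
    for hop in reversed((forwarded_for or "").split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            return None  # missing or malformed header
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    return None  # only proxy addresses seen


def select_source(peer_ip, forwarded_for=None):
    """Choose the inside path only for a positively identified internal client."""
    addr = client_ip(peer_ip, forwarded_for)
    if addr is not None and _in_any(addr, INTERNAL_RANGES):
        return INSIDE
    return OUTSIDE


if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For value)
    for peer, xff in [("10.20.30.40", None), ("203.0.113.7", "10.20.30.40"),
                      ("10.0.5.2", "10.20.30.40, 198.51.100.9")]:
        print(peer, xff, "->", select_source(peer, xff))
```

When the address cannot be established, the sketch falls back to the stricter path, so a missing or malformed header never selects the internal source.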
Software development kit (SDK)
The PingFederate SDK provides a flexible means of creating custom adapters to integrate federated identity management into your system environment. For more information, see the PingFederate SDK Developer’s Guide.