PingFederate Server

Configuring directories for account-link storage

You can create and configure a directory server to store account linking data.

Before you begin

User accounts for linking must exist in the directory prior to establishing the account link. The Account Linking Service does not add users to the directory server, it only updates AccountLinkDataAttribute for a given user.

Steps

  1. Go to System > Data & Credential Stores > [.wintitle] Data Stores** and create a new datastore to connect PingFederate to the directory. For more information, see Configuring an LDAP connection.

  2. Copy the system ID of the new account-linking datastore.

  3. Edit the <pf_install>/pingfederate/server/default/conf/service-points.conf file.

    Locate the service-point for the account linking service.

    # Service/adapter for storage of account linking
# Supported classes:
# org.sourceid.saml20.service.impl.AccountLinkingServiceDBImpl : Use this service-point for a database implementation
# org.sourceid.saml20.service.impl.AccountLinkingServiceLDAPImpl : Use this service-point for an LDAP implementation
account.linking.service=org.sourceid.saml20.service.impl.AccountLinkingServiceDBImpl

    Update the class value to org.sourceid.saml20.service.impl.AccountLinkingServiceLDAPImpl.

  4. Edit the <pf_install>/org.sourceid.saml20.service.impl.AccountLinkingServiceLDAPImpl.xml file.

    The following example shows the default content of the file.

    <?xml version="1.0" encoding="UTF-8"?>
<c:config xmlns:c="http://www.sourceid.org/2004/05/config">

   <!-- Data store id -->
   <c:item name="PingFederateDSJNDIName"></c:item>

   <!-- LDAP search base -->
   <c:item name="UserSearchBase"></c:item>

   <!-- LDAP username attribute.  ex: sAMAccountName -->
   <c:item name="UsernameAttribute"></c:item>

   <!-- Attribute on user object to place Account Linking data -->
   <c:item name="AccountLinkDataAttribute"></c:item>

</c:config>

    Insert the applicable values between the XML tags as shown in the following table.

    Item name Element value

    PingFederateDSJNDIName

    The system ID of new account-linking datastore.

    UserSearchBase

    The location in the directory server from which the search begins.

    UsernameAttribute

    The attribute that represents the user identifier.

    AccountLinkDataAttribute

    The attribute to store account linking data.

    +

    The AccountLinkDataAttribute can be any multivalued string attribute on a user object class. We recommend that you extend the LDAP schema with a custom attribute for use here. Learn more about extending the Active Directory schema in Extending the Schema in the Microsoft documentation.

  5. Start or restart PingFederate.

  6. If you are running PingFederate in a cluster, go to System > Server > Cluster Management and replicate this change to the other runtime servers.

    You must also manually apply the changes made in the service-points.conf file and then start or restart PingFederate on each runtime server.

  7. In the directory, create equality indexes on the LDAP attribute types you specified for the configuration properties UsernameAttribute and AccountLinkDataAttribute.

    Example:

    For example, you would need to create equality indexes on sAMAccountName and AccountLink if you had specified the following in step 4:

    <!-- LDAP username attribute. ex: sAMAccountName -->
<c:item name="UsernameAttribute">sAMAccountName</c:item>

<!-- Attribute on user object to place Account Linking data -->
<c:item name="AccountLinkDataAttribute">AccountLink</c:item>