---
title: Configuring a Reference ID Adapter
description: The Reference ID Adapter allows user attributes to be passed in and out of the PingFederate server through direct HTTP(S) calls. Attributes are retrieved using a Reference ID.
component: pingfederate
version: 13.0
page_id: pingfederate:administrators_reference_guide:pf_config_reference_id_adapt
canonical_url: https://docs.pingidentity.com/pingfederate/13.0/administrators_reference_guide/pf_config_reference_id_adapt.html
revdate: October 4, 2022
section_ids:
  steps: Steps
---

# Configuring a Reference ID Adapter

The Reference ID Adapter allows user attributes to be passed in and out of the PingFederate server through direct HTTP(S) calls. Attributes are retrieved using a Reference ID.

## Steps

1. Go to **Authentication > Integration > IdP Adapters**.

2. On the **IdP Adapters** page, click **Create New Instance** to start the **Create Adapter Instance** configuration.

3. On the **Type** tab, configure the basics of this adapter instance:

   1. Enter the **Instance Name** and **Instance ID**.

   2. In the **Type** list, select the adapter type.

   3. (Optional) In the **Parent Instance** list, select an existing type.

      If you are creating an instance that is similar to an existing instance, consider making it a child instance by specifying a parent. A child instance inherits the configuration of its parent unless overridden. You can specify overrides during the rest of the setup.

4. On the **IdP Adapter** tab, configure the Reference ID Adapter instance as follows:

   1. Enter values for the adapter configuration, as described in the following table.

      | Field | Description |
      | ----- | ----------- |
      | Authentication Endpoint | The application endpoint URL where the end user is redirected for authentication. |
      | User Name | The ID that the application uses to authenticate to the PingFederate server. |
      | Pass Phrase | The pass phrase that the application uses to authenticate to the PingFederate server. |
      | Allowed Subject DN | The subject DN from the client certificate. If entered, PingFederate restricts client-certificate authentication (when enabled) by matching against this DN. This field supports the asterisk (\*) wildcard character and multiple DNs, separated by the pipe '\|'. |
      | Allowed Issuer DN | The issuer DN from the client certificate. If entered, PingFederate restricts client-certificate authentication (when enabled) by matching against this DN. Supports the asterisk (\*) wildcard character and multiple DNs, separated by the pipe '\|'. |
      | Logout Service Endpoint | The application endpoint URL used for single logout. The **Logout Service Endpoint** works in conjunction with **Logout Mode**. |
      | Logout Mode | Select the option that determines how the application logout is handled. **Front Channel** - Redirects the user to the application endpoint and expects the application to redirect back to the provided PingFederate resume path. **Back Channel** - Sends a direct HTTP request from the server to the application. The default setting is **None**. |

   2. (Optional) Click **Show Advanced Fields** to review or modify default values.

5. On the **Actions** tab, you can optionally click **Show Pass Phrase** to display the pass phrase for the adapter.

6. On the **Extended Contract** tab, extend the contract as needed by entering the name of the desired attribute and clicking **Add**. You can add as many attributes as needed.

7. On the **Adapter Attributes** tab, do the following:

   1. (Optional) In the **Unique User Key Attribute** list, select an attribute to uniquely identify users signing on with this adapter.

      The attribute's value is used to identify user sessions across all adapters. **None** is selected by default.

      |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
      | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
      |   | If you choose a custom user key attribute, PingFederate uses the value of the attribute after the Adapter Contract Mapping (if any) has been evaluated. If you choose a custom user key attribute that is based on the username, configure the adapter's password credential validator (PCV) to trim spaces. |

      |   |                                                                                                                                                                                                                                        |
      | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
      |   | For the HTML Form Adapter, if you enabled the **Revoke Sessions after Password Change or Reset** option on the **IdP Adapter** tab, you cannot select **None** as the unique user key attribute. Doing so results in an error message. |

   2. Select the checkbox under **Pseudonym** for the user identifier of the adapter and optionally for the other attributes, if available.

      This selection is used if any of your service provider (SP) partners use pseudonyms for account linking.

      |   |                                                                                                                                                                                                                                                                                                                                                  |
      | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
      |   | A selection is required whether or not you use pseudonyms for account linking. This allows account linking to be used later without having to delete and reconfigure the adapter. Ensure that you choose at least one attribute that is unique for each user, such as a user's email, to prevent assigning the same pseudonym to multiple users. |

   3. Select the checkbox under **Mask Log Values** for any attributes whose values you want PingFederate to mask in its logs at runtime.

      |   |                                                                                                                                                  |
      | - | ------------------------------------------------------------------------------------------------------------------------------------------------ |
      |   | Masking is not applied to the unique user key attribute in the logs even though the attribute used for the key is marked as **Mask Log Values**. |

   4. If you plan to use OGNL expressions to map derived values into outgoing assertions and want those values masked, select the **Mask all OGNL-expression generated log values** checkbox.

8. On the **Adapter Contract Mapping** tab, configure the adapter contract for this instance with the following optional workflows:

   * Configure one or more data sources for datastore queries.

   * Fulfill the adapter contract with values from the adapter (the default), datastore queries (if configured), the context of the request, text, or expressions (if enabled).

   * Set up the Token Authorization framework to validate one or more criteria prior to the issuance of the adapter contract.

9. (Optional) On the **Summary** tab, review your configuration and modify as needed. Click **Save**.
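
The wildcard and pipe syntax of the **Allowed Subject DN** and **Allowed Issuer DN** fields makes it easy to enter a value that admits more certificates than intended, so it helps to check a candidate value against DNs you expect to accept and reject before saving. The following Python sketch is an added example, not PingFederate code: it assumes `*` matches any run of characters and that an entry must match the whole DN string case-sensitively (this page does not describe normalization), and all function names and DNs are constructed for illustration.

```python
import re

def compile_allowed(field_value):
    """Split the pipe-separated field and compile each entry; * is the only wildcard."""
    compiled = []
    for entry in (e.strip() for e in field_value.split("|")):
        if entry:
            # Escape every literal fragment, then join fragments with "match anything".
            regex = ".*".join(re.escape(part) for part in entry.split("*"))
            compiled.append((entry, re.compile(regex)))
    return compiled

def dn_allowed(dn, compiled):
    """Return the first entry matching the whole DN, or None (assumed semantics)."""
    for entry, rx in compiled:
        if rx.fullmatch(dn.strip()):
            return entry
    return None

def review(field_value, expected, unexpected):
    """List expected DNs the value rejects and unexpected DNs it admits."""
    compiled = compile_allowed(field_value)
    findings = [("missed", dn, None) for dn in expected
                if dn_allowed(dn, compiled) is None]
    for dn in unexpected:
        hit = dn_allowed(dn, compiled)
        if hit is not None:
            findings.append(("over-broad", dn, hit))
    return findings

# Constructed sample DNs and candidate field values (not from the PingFederate docs).
APP = "CN=portal.example.com, OU=Apps, O=Example Corp, C=US"
BATCH = "CN=batch.example.com, OU=Apps, O=Example Corp, C=US"
OTHER = "CN=portal.example.com.lab.invalid, OU=Lab, O=Other Org, C=US"
LOOSE = "CN=portal.example.com*"  # trailing wildcard, nothing anchors OU/O/C
SUFFIX = "CN=*.example.com, OU=Apps, O=Example Corp, C=US"  # wildcard limited to the host label
EXACT = APP + "|" + BATCH  # two full DNs separated by the pipe

if __name__ == "__main__":
    for value in (LOOSE, SUFFIX, EXACT):
        print(value, "->", review(value, [APP, BATCH], [OTHER]) or "ok")
```
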
