---
title: Configuring a Passthrough IdP Adapter
description: The Passthrough IdP Adapter allows a user key to be associated with a user's authentication sessions.
component: pingfederate
version: 13.0
page_id: pingfederate:administrators_reference_guide:pf_passthrough_adapt
canonical_url: https://docs.pingidentity.com/pingfederate/13.0/administrators_reference_guide/pf_passthrough_adapt.html
revdate: July 5, 2022
section_ids:
  about-this-task: About this task
  steps: Steps
---

# Configuring a Passthrough IdP Adapter

The Passthrough IdP Adapter allows a user key to be associated with a user's authentication sessions.

## About this task

By placing the Passthrough IdP Adapter downstream from an IdP connection in a policy tree, you can take advantage of additional capabilities associated with defining a user key. For example, you can use the user key to [query or revoke a user's authentication sessions](../developers_reference_guide/pf_sess_manage_api_user_identif.html). The adapter automatically sets the `username` attribute in its core contract to match the configured [incoming user ID](pf_specify_incoming_user_ids.html). With an upstream IdP connection, the incoming user ID can be mapped to the connection's `SAML_SUBJECT` attribute.

## Steps

1. Go to **Authentication > Integration > IdP Adapters**.

2. On the **IdP Adapters** page, click **Create New Instance** to start the **Create Adapter Instance** configuration.

3. On the **Type** tab, configure the basics of this adapter instance:

   1. Enter the **Instance Name** and **Instance ID**.

   2. In the **Type** list, select **Passthrough IdP Adapter**.

   3. (Optional) In the **Parent Instance** list, select an existing type.

      If you are creating an instance that is similar to an existing instance, consider making it a child instance by specifying a parent. A child instance inherits the configuration of its parent unless overridden. You can specify overrides during the rest of the setup.

4. On the **IdP Adapter** tab, there are no configurable fields, so skip to the **Extended Contract** tab.

5. On the **Extended Contract** tab, you can extend the contract by entering the name of the desired attribute and clicking **Add**. You can add multiple attributes.

6. On the **Adapter Attributes** tab, do the following:

   1. (Optional) From the **Unique User Key Attribute** list, select an attribute to uniquely identify users signing on with this adapter.

      The attribute's value is used to identify user sessions across all adapters. **None** is selected by default.

      If you choose a custom user key attribute, PingFederate uses the value of the attribute after the Adapter Contract Mapping (if any) has been evaluated. If you choose a custom user key attribute that is based on the username, configure the adapter's password credential validators to trim spaces.

   2. Select the checkbox under **Pseudonym** for the user identifier of the adapter and optionally for the other attributes, if available.

      This selection is used if any of your service provider (SP) partners use pseudonyms for account linking.

      A selection is required whether or not you use pseudonyms for account linking. This allows account linking to be used later without having to delete and reconfigure the adapter. Ensure that you choose at least one attribute that is unique for each user, such as a user's email, to prevent assigning the same pseudonym to multiple users.

   3. Select the checkbox under **Mask Log Values** for any attributes whose values you want PingFederate to mask in its logs at runtime.

      Masking is not applied to the unique user key attribute in the logs, even if the attribute used for the key is selected under **Mask Log Values**.

   4. Select the **Mask all OGNL-expression generated log values** checkbox if OGNL expressions might be used to map derived values into outgoing assertions and you want those values masked.

7. On the **Adapter Contract Mapping** tab, configure the adapter contract for this instance with the following optional workflows:

   * Configure one or more data sources for datastore queries.

   * Fulfill the adapter contract with values from the adapter (the default), datastore queries (if configured), the context of the request, text, or expressions (if enabled).

   * Set up the Token Authorization framework to validate one or more criteria prior to the issuance of the adapter contract.

8. (Optional) On the **Summary** tab, review your configuration and modify as needed. Click **Save**.
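
The notes in step 6 can be checked after the fact against a saved copy of the adapter settings. The following is an added example, not part of the PingFederate documentation: the JSON layout and every field name in it (`attributeContract`, `uniqueUserKeyAttribute`, `maskOgnlValues`, `pseudonym`, `masked`) are assumptions made for illustration, and the sample record is constructed.

```python
import json

# Constructed sample. The field names are assumptions made for this example,
# not a documented PingFederate export format.
SAMPLE = json.loads("""
{
  "id": "passthroughExample",
  "attributeContract": {
    "uniqueUserKeyAttribute": "username",
    "maskOgnlValues": false,
    "coreAttributes": [{"name": "username", "pseudonym": false, "masked": true}],
    "extendedAttributes": [{"name": "mail", "pseudonym": false, "masked": false}]
  }
}
""")


def review_adapter(adapter):
    """Return (code, message) findings for the Adapter Attributes settings."""
    contract = adapter.get("attributeContract", {})
    attrs = contract.get("coreAttributes", []) + contract.get("extendedAttributes", [])
    by_name = {a["name"]: a for a in attrs}
    key = contract.get("uniqueUserKeyAttribute")
    findings = []
    if not key:
        findings.append(("no-user-key", "no user key is associated with sessions"))
    elif key not in by_name:
        findings.append(("unknown-user-key", f"{key!r} is not in the contract"))
    else:
        if by_name[key].get("masked"):
            # Per the note in step 6: the user key is logged even when masked.
            findings.append(("user-key-logged",
                             f"{key!r} is marked masked but, as the user key, is still logged"))
        if key == "username":
            findings.append(("trim-spaces",
                             "username-based key: confirm validators trim spaces"))
    if not any(a.get("pseudonym") for a in attrs):
        findings.append(("no-pseudonym", "select at least one unique attribute as pseudonym"))
    if not contract.get("maskOgnlValues"):
        findings.append(("ognl-unmasked", "OGNL-generated log values are not masked"))
    return findings


if __name__ == "__main__":
    for code, message in review_adapter(SAMPLE):
        print(f"{code}: {message}")
```

The `ognl-unmasked` finding only matters if OGNL expressions are used to map derived values into outgoing assertions.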
