---
title: Managing authentication source mappings
description: On the Authentication Source Mapping tab, you can map identity provider (IdP) adapters and authentication policies to authenticate users to your service provider (SP).
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:help_assertioncreationtasklet_idpadaptermappingstate
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/help_assertioncreationtasklet_idpadaptermappingstate.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  about-this-task: About this task
  steps: Steps
  choose-from: Choose from:
---

# Managing authentication source mappings

On the **Authentication Source Mapping** tab, you can map identity provider (IdP) adapters and authentication policies to authenticate users to your service provider (SP).

## About this task

IdP adapters are responsible for handling user authentication as part of an single sign-on (SSO) operation. A configured adapter in PingFederate is known as an adapter instance.

In a basic scenario, you map an IdP adapter instance to a SP connection on the **Authentication Source Mapping** tab and complete its mapping configuration through a series of sub tasks. When a user starts an SSO request, the corresponding IdP adapter is triggered to authenticate the user. Upon successful authentication, PingFederate creates and sends an SSO token to the SP based on the connection settings. As needed, you can map multiple IdP adapter instances to an SP connection, the same IdP adapter instance to multiple SP connections, or a combination of them.

If you use authentication policies to route users through a series of authentication sources and end each successful policy path with an authentication policy contract (APC), you can map the APC to your connection. Like IdP adapter instances, you can map multiple APCs to an SP connection, the same APC to multiple SP connections, or a combination of them.

|   |                                                                                                                                   |
| - | --------------------------------------------------------------------------------------------------------------------------------- |
|   | For more information about authentication policies and contracts, see [Authentication policies](pf_authentication_policies.html). |

You can also map one or more APCs to an SP connection to bridge a service provider to one or more identity providers. In this scenario, PingFederate is a federation hub for both sides. PingFederate uses APCs to associate this SP connection with the applicable IdP connections to the identity providers. Each APC has its own set of attributes which you map values to the SSO tokens.

|   |                                                                                                                                          |
| - | ---------------------------------------------------------------------------------------------------------------------------------------- |
|   | For more information about the federation hub, see [Federation hub use cases](../introduction_to_pingfederate/pf_fed_hub_use_case.html). |

Regardless of how many IdP adapter instances and APCs are mapped to an SP connection, PingFederate uses only one adapter instance or policy path to authenticate a user. You can leave the decision to the users or create authentication policies to mandate authentication requirements. Because each adapter instance or APC could return different user attributes, each mapping must define how the attribute contract is fulfilled in its mapping configuration.

## Steps

1. For initial steps to configure SP connections, see [Accessing SP connections](help_spconnectionstasklet_connmgmtstate.html).

2. For initial steps to configure Browser SSO, see [Configure IdP Browser SSO](help_spconnectionconfigtasklet_spbrowserssostate.html).

3. For initial steps to configure assertion creation. see [Configuring SSO token creation](help_spbrowserssotasklet_assertioncreationstate.html).

4. On the **Authentication Source Mapping** tab, select one of the following.

   ### Choose from:

   * Click **Map New Adapter Instance** to map a new IdP Adapter instance. For more information, see [Mapping an adapter instance](pf_mapping_adapter_instance.html).

   * Click **Map New Authentication Policy** to map a new APC. For more information, see [Mapping an authentication policy](pf_mapp_auth_policy.html)

   * Click on an existing instance to edit its configuration.

   * Click **Delete** to remove an existing adapter instance or APC. Click **undelete** to cancel the removal request

   When authentication sources, such as IdP adapter instances or connection mapping contracts, are restricted to certain virtual server IDs, the allowed IDs are displayed under **Virtual Server IDs**.

5. When your authentication sources have been mapped, click **Next** save your changes.