---
title: Configuring a Kerberos Adapter instance for SSO authentication
description: When integrating PingFederate with Windows client applications so that they can use single sign-on to authenticate, create and configure an instance of the Kerberos Adapter.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_config_kerberos_adapt_instance
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_config_kerberos_adapt_instance.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  steps: Steps
  related-links: Related links
---

# Configuring a Kerberos Adapter instance for SSO authentication

When integrating PingFederate with Windows client applications so that they can use single sign-on to authenticate, create and configure an instance of the Kerberos Adapter.

## Steps

1. Go to **Authentication > Integration > IdP Adapters**.

2. On the **IdP Adapters** page, click **Create New Instance** to start the **Create Adapter Instance** configuration.

3. On the **Type** tab, configure the basics of this adapter instance:

   1. Enter the **Instance Name** and **Instance ID**.

   2. In the **Type** list, select the adapter type.

   3. (Optional) In the **Parent Instance** list, select an existing type.

      If you are creating an instance that is similar to an existing instance, consider making it a child instance by specifying a parent. A child instance inherits the configuration of its parent unless overridden. You can specify overrides during the rest of the setup.

4. On the **IdP Adapter** window, configure your Kerberos Adapter instance.

   See the on-window field descriptions and the following table for more information.

   | Field | Description |
   | --- | --- |
   | **Domain/Realm Name** (Required) | Select your Windows domain. If the domain or realm you want does not appear, click **Manage Active Directory Domains/Kerberos Realms** to add it. For more information, see [Active Directory and Kerberos](pf_active_directory_kerberos.html). |
   | **Error URL Redirect** | Enter a URL for redirecting the user if there are errors. This URL has an `errorMessage` query parameter appended to it, which contains a brief description of the error that occurred. The error page can optionally display this message on the window to provide guidance on remedying the problem.&#xA;&#xA;In the case of an error, if you define an Error URL Redirect and the adapter instance is included in an instance of the Composite Adapter, the user is redirected to the configured error URL rather than continuing on to the next adapter in the chain. Leave this field blank to have the adapter continue on to the next adapter.&#xA;&#xA;When employing the `errorMessage` query parameter in a custom error page, adhere to web-application security best practices to guard against common content injection vulnerabilities. If no URL is specified, the appropriate default error landing page appears. |
   | Click **Show Advanced Fields** to review the following settings. Modify as needed. | |
   | **Error Template** | When selected, displays a template to provide standardized information to the end user when authentication fails. The **Error URL Redirect** value is ignored. The template `kerberos.error.template.html` in the `<pf_install>/pingfederate/server/default/conf/template` directory uses the Velocity template engine and can be modified in a text editor to suit your particular branding and informational needs. For example, you can give the user the option to try again if authentication fails. For more information on Velocity templates, see [Customizable user-facing pages](pf_custom_user_facing_pages.html). |
   | **Fail when Re-authentication is Requested** | When the checkbox is selected, if PingFederate receives an authentication request containing a re-authentication parameter, the adapter will respond with a failure status so that the policy's failure branch is followed. For OAuth 2.0, the re-authentication parameter is `ForceAuthn=true`. For OpenID Connect, the re-authentication parameter is `prompt=login`. By default, the checkbox is cleared. |
   | **Authentication Context Value** | This can be any value agreed to with your SP partner to indicate the type of credentials used to authenticate. Standard URIs are defined in the SAML specifications. For more information on SAML specifications, see the OASIS documents and [saml-authn-context-2.0-os.pdf](https://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf). If left blank, PingFederate sets the authentication context as follows:&#xA;&#xA;- `urn:oasis:names:tc:SAML:1.0:am:unspecified` for SAML 1.x&#xA;- `urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified` for SAML 2.0&#xA;&#xA;Either an instance of the Requested AuthN Context Authentication Selector or the `SAML_AUTHN_CTX` attribute can override the authentication context in the SAML attribute contract. The latter takes precedence. |
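As an added illustration of the content-injection caveat for the **Error URL Redirect** field (example code written for this page, not part of PingFederate or its templates), the following client-side snippet for a custom error page reads the `errorMessage` query parameter and renders it as plain text rather than HTML. The function names, the length limit and the `#error-text` element are assumptions.

```javascript
// Added example: safe display of the errorMessage query parameter on a custom
// Error URL Redirect page. readErrorMessage, renderErrorMessage, escapeHtml and
// the #error-text element are assumed names, not PingFederate identifiers.

// Upper bound on what is shown; an overlong value is truncated so it cannot
// push the page's own guidance out of view.
const MAX_ERROR_LENGTH = 200;

// Extract errorMessage from a query string such as "?a=b&errorMessage=...".
// Returns '' when the parameter is absent so the page can show a generic
// message instead of the literal text "null" or "undefined".
function readErrorMessage(search) {
  const raw = new URLSearchParams(search).get('errorMessage');
  if (raw === null) return '';
  // Replace control characters with spaces and trim; the value stays text.
  const cleaned = raw.replace(/[\u0000-\u001f\u007f]/g, ' ').trim();
  return cleaned.length > MAX_ERROR_LENGTH
    ? cleaned.slice(0, MAX_ERROR_LENGTH) + '...'
    : cleaned;
}

// Render via textContent, never innerHTML: the browser creates a text node,
// so any markup inside the parameter is displayed literally, not parsed.
function renderErrorMessage(element, message) {
  element.textContent = message === '' ? 'Authentication failed.' : message;
  return element.textContent;
}

// Equivalent escaping for the case where the message is interpolated into
// HTML on the server side (for example from a template) instead of via DOM.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Browser wiring; skipped when the file is loaded outside a browser.
if (typeof document !== 'undefined') {
  const target = document.getElementById('error-text');
  if (target) renderErrorMessage(target, readErrorMessage(window.location.search));
}
```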

5. On the **Extended Contract** tab, configure additional attributes for this adapter instance as needed.

   The Kerberos Adapter contract includes four core attributes: `Domain/Realm Name`, `ObjectSID`, `SIDs`, and `Username`.

6. On the **Adapter Attributes** tab, do the following:

   1. (Optional) In the **Unique User Key Attribute** list, select an attribute to uniquely identify users signing on with this adapter.

      The attribute's value is used to identify user sessions across all adapters. **None** is selected by default.

      If you choose a custom user key attribute, PingFederate uses the value of the attribute after the Adapter Contract Mapping (if any) has been evaluated. If you choose a custom user key attribute that is based on the username, configure the adapter's password credential validator (PCV) to trim spaces.

      For the HTML Form Adapter, if you enabled the **Revoke Sessions after Password Change or Reset** option on the **IdP Adapter** tab, you cannot select **None** as the unique user key attribute. Doing so results in an error message.

   2. Select the checkbox under **Pseudonym** for the user identifier of the adapter and optionally for the other attributes, if available.

      This selection is used if any of your service provider (SP) partners use pseudonyms for account linking.

      A selection is required whether or not you use pseudonyms for account linking. This allows account linking to be used later without having to delete and reconfigure the adapter. Ensure that you choose at least one attribute that is unique for each user, such as a user's email, to prevent assigning the same pseudonym to multiple users.

   3. Select the checkbox under **Mask Log Values** for any attributes whose values you want PingFederate to mask in its logs at runtime.

      Masking is not applied to the unique user key attribute in the logs even though the attribute used for the key is marked as **Mask Log Values**.

   4. If you plan to use OGNL expressions to map derived values into outgoing assertions and want those values masked, select the **Mask all OGNL-expression generated log values** checkbox.

7. On the **Adapter Contract Mapping** tab, configure the adapter contract for this instance with the following optional workflows:

   * Configure one or more data sources for datastore queries.

   * Fulfill the adapter contract with values from the adapter, the default values, datastore queries (if configured), the context of the request, text, or expressions (if enabled).

   * Set up the Token Authorization framework to validate one or more criteria prior to the issuance of the adapter contract.

8. (Optional) On the **Summary** tab, review your configuration and modify as needed. Click **Save**.

9. When finished in the **IdP Adapters** window, click **Save** to confirm the adapter instance configuration.

   If you want to exit without saving the configuration, click **Cancel**.

## Related links

* [Customizable user-facing pages](pf_custom_user_facing_pages.html)
