--- title: Configuring a Username Token Processor instance description: The integrated Username Token Processor accepts and validates username security tokens. component: pingfederate version: 13.1 page_id: pingfederate:administrators_reference_guide:pf_config_username_token_processor_instance canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_config_username_token_processor_instance.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: July 5, 2022 section_ids: steps: Steps result: Result: --- # Configuring a Username Token Processor instance The integrated Username Token Processor accepts and validates username security tokens. ## Steps 1. Go to **Authentication > Token Exchange > Token Processors** to open the **Token Processors** window. 2. Select on an existing token processor instance by clicking its name in the **Instance Name** section, or create a new instance by clicking **Create New Instance**. ### Result: This will open the **Create Token Processor Instance** window configuration. 3. On the **Instance Configuration** tab, configure the basics of this token processor instances. 1. If you have not yet defined the desired Password Credential Validator instance, click **Manage Password Credential Validators** to do so. 2. Click **Add a new row to 'Credential Validators'** to select a credential-authentication mechanism instance for this adapter instance. 3. From the **Password Credential Validator Instance** list, select a Password Credential Validator instance. Click **Update**.Add as many validators as necessary. Use the up and down arrows to adjust the order in which you want PingFederate to attempt credential authentication. If the first mechanism fails to validate the credentials, PingFederate moves sequentially through the list until credential validation succeeds. If none of the Password Credential Validator instances can authenticate the user's credentials, and the challenge retries maximum has been reached, the process fails. | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If usernames overlap across multiple Password Credential Validator instances, this failover setup could lock out those accounts in their source locations. | 4. In the **Field Value** section, enter a value in the **Authentication Attempts**. When the number of login failures reaches this threshold, the user is locked out for a period of time. The default value is `3`.