Password Credential Validators
PingFederate provides an authentication mechanism using plugin password credential validators (PCVs). This feature provides centralized credential validation for various PingFederate components and configurations.
To manage Password Credential Validators, go to System → Data & Credential Stores → Password Credential Validators.
For each instance of the HTML Form Adapter, the HTTP Basic Adapter, and the Username Token Processor, you can select the same PCV instance, a unique PCV instance, or multiple PCV instances. When you select multiple PCV instances for a given adapter or token processor instance, if the first PCV instance fails to authenticate a user, the PCV returns control to the adapter or the token processor. The adapter or the token processor then tries the next PCV instance. The cycle continues until a PCV instance succeeds or the last PCV instance also fails.
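The fallback order described above can be modelled in a few lines. This is an added illustration, not PingFederate code: the `ModelPCV` class, the `authenticate` function, the instance names and the sample credentials are all hypothetical and constructed for the example.

```python
"""Model of an adapter trying several PCV instances in order (illustrative only)."""
from dataclasses import dataclass
import hmac


@dataclass
class ModelPCV:
    """Hypothetical stand-in for one PCV instance backed by one credential store."""
    name: str
    store: dict        # username -> password (constructed sample data)
    attempts: int = 0  # number of validation requests this store has received

    def validate(self, username, password):
        self.attempts += 1
        expected = self.store.get(username)
        if expected is not None and hmac.compare_digest(
            expected.encode(), password.encode()
        ):
            return {"username": username}
        return None  # failure: control returns to the adapter


def authenticate(chain, username, password):
    """Try each PCV in configured order and stop at the first success."""
    tried = []
    for pcv in chain:
        tried.append(pcv.name)
        attrs = pcv.validate(username, password)
        if attrs is not None:
            return {"ok": True, "validated_by": pcv.name, "tried": tried}
    return {"ok": False, "validated_by": None, "tried": tried}


def build_chain():
    # Constructed data: "alice" exists in both stores with different passwords.
    ldap = ModelPCV("ldap-pcv", {"alice": "corp-Passw0rd", "bob": "bobs-secret"})
    simple = ModelPCV("simple-pcv", {"alice": "old-local-pw", "svc": "svc-secret"})
    return [ldap, simple]


if __name__ == "__main__":
    chain = build_chain()
    for user, pw in [("bob", "bobs-secret"), ("alice", "old-local-pw"), ("alice", "wrong")]:
        result = authenticate(chain, user, pw)
        print(user, result["ok"], result["validated_by"], result["tried"])
    print({pcv.name: pcv.attempts for pcv in chain})
```

In this model, a wrong password is presented to every store in the chain, and an account that exists in two stores is accepted with either store's password. Both effects are worth keeping in mind when reviewing lockout counters and audit logs for a chained configuration.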
For OAuth clients using the Resource Owner Password Credentials grant type, you configure a grant-mapping configuration to fulfill the persistent grant contract using the attribute values from the applicable PCV instances.
You can only create one grant-mapping configuration per applicable PCV instance.
If you want to manage OAuth client records using the OAuth Client Management Service or persistent grants using the OAuth Access Grant Management Service, you must select a PCV instance when configuring authorization server settings. When accessing these services, you must include valid credentials in the requests using the HTTP Basic authentication scheme.
PingFederate is distributed with the following plugin PCVs.
- LDAP Username Password Credential Validator
  Validates credentials based on an LDAP look-up in an organization’s user-datastore.
- PingID PCV (with integrated RADIUS server)
  Validates credentials from a VPN RADIUS client based on an LDAP look-up in an organization’s user-datastore. For more information, see Integrate PingID with your VPN.
- PingOne for Enterprise Directory Password Credential Validator
  Validates credentials stored in PingOne for Enterprise Directory.
- RADIUS Username Password Credential Validator
  Validates credentials based on the RADIUS protocol on an organization’s RADIUS server.
- Simple Username Password Credential Validator
  Validates credentials maintained by PingFederate.
By default, PingFederate automatically checks for multi-connection errors whenever you access this window. This verifies that configured connections are not adversely affected by changes made here. If you experience noticeable delays in accessing this window, you can disable automatic connection validation. Go to System → Server → General Settings.