Managing target session mappings

You can map a service provider (SP) adapter instance to an identity provider (IdP) connection and complete its mapping configuration through a series of sub tasks.

When PingFederate receives an SSO token, the corresponding SP adapter is triggered to fulfill its adapter contract based on the connection settings for the purpose of completing the "last-mile" integration with your application. As needed, you can map multiple SP adapter instances to an IdP connection, the same SP adapter instance to multiple IdP connections, or a combination of them.

Alternatively, if you use authentication policies to route users through a series of authentication sources and end each successful policy path with an authentication policy contract (APC), you can skip the mapping of an APC to an IdP connection and configure an APC-to-SP adapter instance mapping configuration.

Furthermore, you can map one or more APCs to an IdP connection to bridge an identity provider to one or more service providers. In this scenario, PingFederate is a federation hub for both sides. PingFederate uses APCs to associate this IdP connection with the applicable SP connections to the service providers; each APC has its own set of attributes to which you can map values from the SSO tokens.

On the Target Session Mapping tab, if presented, you must associate at least one target session, an SP adapter instance or an authentication policy contract, with an IdP connection. If you have multiple integration requirements, for example, if you are using more than one IdM system or an application not covered by a centralized system, multiple SP adapter instances. If you are bridging an identity provider to multiple service providers, map multiple authentication policy contracts.

The Target Session Mapping configuration does not apply when the No Mapping option is selected on the Identity Mapping tab.

When target sessions are restricted to certain virtual server IDs, the allowed IDs are displayed under Virtual Server IDs.