PingFederate Server

Configuring local identity mapping

You can configure your local identity mapping in the PingFederate administrative console.

Steps

  1. On the Inbound Mapping tab, configure the attribute mappings for registration and profile management.

    At runtime, PingFederate fulfills the value of the pf.local.identity.unique.id built-in local identity field based on this configuration and passes the value to PingDirectory. PingDirectory uses this value to determine whether such identity has already been created. The pf.local.identity.unique.id field value should therefore be mapped from the subject identifier of the preceding authentication source. You can also map other local identity fields so that PingFederate can streamline the registration process by pre-populating values on the registration page.

    This configuration overrides the default field values configured within the local identity profile. For more information, see Configure a local identity field.

    This tab does not apply and stays hidden if your use case does not involve registration and profile management. See Enabling third-party identity providers without registration.

  2. Optional: On the Attribute Sources & User Lookup tab, click Add Attribute Source to configure datastore queries.

  3. On the Contract Fulfillment tab, fulfill the authentication policy contract associated with the selected local identity profile.

    If the selected closed-ended path contains more than one authentication source, you have access to attributes obtained successfully from the previous authentication sources along the same path.

    For example, select your local identity profile in the Source column and the desired local identity field in the Value column.

    If your use case doesn’t involve registration or profile management, the source of fulfillment is limited to:

    • The preceding identity provider (IdP) connection or IdP adapter instance

    • Dynamic text

    • Attribute mapping expressions, if enabled

    • Tracked HTTP request parameters, if configured

    • Request context

    • Extended properties, if configured on the Extended Properties window

  4. Optional: On the Issuance Criteria tab, configure conditions to be validated before issuing an authentication policy contract.

  5. On the Summary tab, review your configuration, modify as needed, and then click Done.

  6. On the Policy window, continue with the rest of your policy configuration.