PingFederate Server

Creating an LDAP Username Password Credential Validator instance

You can create an LDAP Username Password Credential Validator (PCV) instance in the PingFederate administrative console to serve as the first factor for multi-factor authentication (MFA): the factor against which administrators prove their directory credentials before the second factor is checked.

About this task

Administrators must authenticate successfully against the first factor, such as a directory server where the administrator accounts, credentials, and group memberships are stored. To fulfill this requirement, you need an LDAP connection from PingFederate to your directory server and an instance of the LDAP Username Password Credential Validator that uses that connection.

Steps

  1. Go to System → Data & Credential Stores → Password Credential Validators. On the Password Credential Validators window, click Create New Instance.

  2. On the Type tab, from the Type list, select the LDAP Username Password Credential Validator and complete the Instance Name and Instance ID fields.

  3. On the Instance Configuration tab, from the LDAP datastore list, select the datastore and complete the Search Base and Search Filter fields.

    For more information about each field, see the following table.

    Field / Description

    LDAP Datastore

    (Required)

    The LDAP datastore configured in PingFederate.

    If you have not configured the server to communicate with the LDAP directory server you need, click Manage Data Stores.

    There is no default selection.

    Search Base

    (Required)

    The location in the directory server where the search begins.

    This field has no default value.

    Search Filter

    (Required)

    The LDAP query to locate a user record.

    If your use case requires letting users identify themselves by different attributes, you can include those attributes in the query. For instance, the following search filter lets users sign on through the HTML Form Adapter with either their sAMAccountName or their employeeNumber value; $username is replaced with the value the user entered on the sign-on form. Combine only attributes whose values are unique across the search base, so that the filter still resolves to exactly one user record:

    (|(sAMAccountName=$username)(employeeNumber=$username))

    This field has no default value.

    Scope of Search

    The level of search to be performed in the search base.

    One Level indicates a search of objects immediately subordinate to the base object, not including the base object itself. Subtree indicates a search of the base object and the entire subtree within the base object distinguished name.

    The default selection is Subtree.

    Case-Sensitive Matching

    The option to enable case-sensitive matching between the LDAP error messages returned from the directory server and the Match Expression values specified on this window.

    This check box is selected by default.

  4. On the Extended Contract tab, click Next to skip to the Summary tab.

  5. On the Summary tab, review the configuration, modify as needed, and then save the configuration.
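The $username placeholder in the Search Filter from step 3 is filled with whatever the user typed into the sign-on form, so that value has to be treated as untrusted filter input. The following Python script is an added example, not PingFederate code, and it does not describe how PingFederate itself performs the substitution: it escapes a username per RFC 4515, substitutes it into the filter from step 3, and runs the result against a small constructed in-memory directory through a simplified filter evaluator (equality, substring, presence, and the &, |, ! operators; case-insensitive comparison) to show what an escaped value does versus an unescaped one. The directory entries, the attribute values, and the locate_user helper are assumptions made for this example.

```python
import re

# RFC 4515 escaping for the characters that carry meaning inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed sample directory (not real accounts). Attribute names are lower-cased
# because LDAP attribute names compare case-insensitively.
DIRECTORY = [
    {"dn": "cn=jsmith,ou=admins,dc=example,dc=com",
     "samaccountname": ["jsmith"], "employeenumber": ["1001"], "objectclass": ["user"]},
    {"dn": "cn=alee,ou=admins,dc=example,dc=com",
     "samaccountname": ["alee"], "employeenumber": ["1002"], "objectclass": ["user"]},
    {"dn": "cn=svc-backup,ou=service,dc=example,dc=com",
     "samaccountname": ["svc-backup"], "employeenumber": ["9001"], "objectclass": ["user"]},
]

# The filter from step 3, with its $username placeholder.
TEMPLATE = "(|(sAMAccountName=$username)(employeeNumber=$username))"


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it can only ever be compared literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: str, username: str, escape: bool = True) -> str:
    """Substitute $username; escape=False reproduces an unsafe substitution."""
    value = escape_filter_value(username) if escape else username
    return template.replace("$username", value)


def _parse(text: str, pos: int = 0):
    """Parse a filter into ('or'|'and', [children]), ('not', child) or ('eq', attr, pattern)."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos]
    if op in "|&":
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return ("or" if op == "|" else "and", children), pos + 1
    if op == "!":
        child, pos = _parse(text, pos + 1)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return ("not", child), pos + 1
    # Simple item attr=pattern. An escaped value contains no literal ')', so the
    # first ')' found here really is the end of the item.
    end = text.index(")", pos)
    attr, sep, pattern = text[pos:end].partition("=")
    if not attr or not sep:
        raise ValueError(f"malformed filter item at offset {pos}")
    return ("eq", attr.lower(), pattern), end + 1


def _pattern_to_regex(pattern: str):
    """An unescaped '*' is a wildcard; \\XX hex escapes decode to literal characters."""
    parts = []
    for segment in pattern.split("*"):
        literal = re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), segment)
        parts.append(re.escape(literal))
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def _matches(node, entry) -> bool:
    kind = node[0]
    if kind == "or":
        return any(_matches(child, entry) for child in node[1])
    if kind == "and":
        return all(_matches(child, entry) for child in node[1])
    if kind == "not":
        return not _matches(node[1], entry)
    _, attr, pattern = node
    values = entry.get(attr, [])
    if pattern == "*":                      # presence filter, e.g. (objectClass=*)
        return bool(values)
    regex = _pattern_to_regex(pattern)
    return any(regex.match(v) for v in values)


def search(filter_str: str, directory=DIRECTORY):
    """Return the DNs of every entry the filter matches."""
    node, end = _parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    return [entry["dn"] for entry in directory if _matches(node, entry)]


def locate_user(template: str, username: str, escape: bool = True):
    """DN of the single matching record, or None when the lookup is empty or ambiguous."""
    hits = search(build_search_filter(template, username, escape))
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for name in ["jsmith", "1002", "*", "jsm*", "x)(objectClass=*"]:
        print(f"{name!r:22} unescaped -> {search(build_search_filter(TEMPLATE, name, False))}")
        print(f"{'':22} escaped   -> {search(build_search_filter(TEMPLATE, name))}")
```

The unescaped cases show the two classic LDAP injection outcomes: a bare wildcard or an injected (objectClass=*) term widens the filter to every entry in the search base, and a prefix wildcard such as jsm* selects somebody else's account. With escaping in place each of those inputs matches nothing. locate_user treats any lookup that does not resolve to exactly one record as a failure, which is the safe choice for a credential validator, since the DN that comes back is what the supplied password is then checked against.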