PingFederate Server

Migrating other components

Some custom and integrated components might require additional steps after upgrading PingFederate.

Updating the custom authentication selector

Through the use of the PingFederate SDK, you can create a custom authentication selector by implementing the AuthenticationSelector interface.

Most implementations return AuthenticationSelectorContext.ResultType.CONTEXT as the result type, which requires no further action after an upgrade.

If your implementation returns either of the following result types, additional steps are required:

  • AuthenticationSelectorContext.ResultType.ADAPTER_ID, an Identity Provider (IdP) adapter instance ID

  • AuthenticationSelectorContext.ResultType.IDP_CONN_ID, the connection ID of an IdP connection

You must update the descriptor instance of your custom authentication selector to call the setSelectAuthnSourceResultType method with an input of true. For each authentication policy path that ends with an instance of such a custom authentication selector, you must ensure that its action is set to Done.

For more information, see the Javadoc for the AuthenticationSelector interface and the AuthenticationSelectorDescriptor class.

The Javadoc for PingFederate is located in the <pf_install>/pingfederate/sdk/doc directory.

Migrating to the integrated LDAP Username PCV

About this task

As of PingFederate 7.3, the integrated LDAP Username Password Credential Validator (PCV) can return additional attribute values upon successful validation.

If you have previously deployed the LDAPExtendedAttributesPCV-<version>.jar file from the PingID integration kit and created an instance of the LDAP PCV with Extended Attributes, migrate to the integrated LDAP Username PCV.

Steps

  1. Create an instance of the integrated LDAP Username PCV:

    1. Go to System → Data & Credential Stores → Password Credential Validators and click Create New Instance.

    2. On the Type tab, enter the required information and select LDAP Username Password Credential Validator from the list.

    3. On the Instance Configuration tab, select an LDAP datastore from the list, enter a search base and a search filter, and select the scope of the search.

      You can reuse the information from the existing LDAP PCV with Extended Attributes instance.

    4. On the Extended Contract tab, enter memberOf in the Extend the Contract section, and click Add.

    5. On the Summary tab, review the setup and click Done.

    6. On the Manage Credential Validator Instances page, click Save.

  2. In the configuration where the LDAP PCV with Extended Attributes instance is used, replace it with the newly created LDAP Username Password Credential Validator instance.

    For example, if you have created an instance of the PingID PCV (with integrated RADIUS server) and have selected an instance of the LDAP PCV with Extended Attributes as one of the delegate PCVs, remove the selection and add the newly created LDAP Username Password Credential Validator instance to the list.

  3. After replacing the LDAP PCV with Extended Attributes instance, delete it from the Password Credential Validators page.

  4. Remove the <pf_install>/pingfederate/server/default/deploy/LDAPExtendedAttributesPCV-<version>.jar file on all PingFederate servers.

  5. Restart PingFederate on all PingFederate servers.

Migrating to the integrated Username Token Processor

About this task

As of PingFederate 7.2, the Username Token Translator has been deprecated and replaced with an integrated Username Token Processor. Although the integrated Username Token Processor and the deprecated Username Token Translator can be deployed simultaneously, you should migrate to the new token processor.

Steps

  1. Go to Identity Provider → Token Processors.

  2. To create an instance of the integrated Username Token Processor, click Create New Instance.

    1. On the Type page, select Username Token Processor from the list.

      If you have multiple WS-Trust STS SP connections, you can reuse the same Username Token Processor instance or create additional instances of the token processors as needed.

  3. Map the new token processor instance to the applicable WS-Trust STS SP connection on the IdP Token Processor Mapping page.

    Repeat this step if you have multiple WS-Trust STS SP connections.

  4. Test your WS-Trust STS SP connections using the instance of the integrated Username Token Processor.

  5. Remove the token processor instance of the deprecated Username Token Translator from all WS-Trust STS SP connections on the IdP Token Processor Mapping page.

  6. If you have set up token translator mappings, create new entries to replace those using instances of the deprecated Username Token Translator, test the new mapping entries, and delete the entries that use instances of the deprecated Username Token Translator.

  7. Delete all token processor instances of the deprecated Username Token Translator on the Identity Provider → Token Processors page.

  8. Remove the pf-username-token-translator-<version>.jar file from the <pf_install>/pingfederate/server/default/deploy directory on all PingFederate servers.

  9. Restart PingFederate on all PingFederate servers.
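
Both migrations above end by removing a deprecated JAR from the deploy directory on every server. The following check is an added example, not part of the PingFederate documentation or product: a shell function that reports any LDAPExtendedAttributesPCV-<version>.jar or pf-username-token-translator-<version>.jar still present on a node. The function name and return codes are assumptions made for this example; the path and file name patterns are the ones given in the steps.

```shell
#!/bin/sh
# Added example: post-migration check for deprecated plugin JARs that the
# removal steps on this page say must be deleted from every server.

# find_deprecated_jars <pf_install>   (hypothetical helper name)
# Prints one path per leftover JAR found in the deploy directory.
# Returns 0 if none remain, 1 if any are found, 2 if the directory is missing.
find_deprecated_jars() {
    deploy_dir="$1/pingfederate/server/default/deploy"
    if [ ! -d "$deploy_dir" ]; then
        echo "deploy directory not found: $deploy_dir" >&2
        return 2
    fi

    found=0
    # Patterns are quoted here so they are only expanded against deploy_dir.
    for pattern in 'LDAPExtendedAttributesPCV-*.jar' \
                   'pf-username-token-translator-*.jar'; do
        for jar in "$deploy_dir"/$pattern; do
            # An unmatched glob stays literal; skip it.
            [ -e "$jar" ] || continue
            printf '%s\n' "$jar"
            found=1
        done
    done
    return "$found"
}

# When run as a script with the install path as its argument, perform the
# check and exit with the function's status.
[ "$#" -eq 0 ] || find_deprecated_jars "$1"
```

Run it on each PingFederate server before the restart step; a non-zero exit status means the node still needs attention.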