Configuring a PingID Adapter instance (Windows login)
Configure a PingID Adapter instance when integrating PingID with Windows login through PingFederate.
About this task
-
PingID Adapter attributes that are used for offline authentication are not relevant when configuring a PingID Adapter instance for integration with Windows login because the Windows machine determines how to handle authentication requests when the user is offline.
-
(Optional) If you want to override the default application name or application icon that the user sees in the PingID mobile app when authenticating, do so in PingFederate. See Identify the target application.
Steps
-
In the PingFederate administrative console:
Choose from:
-
PingFederate 10.1 and later: Click Authentication, and select IdP Adapters.
-
PingFederate 10 and earlier: From Identity Provider in the INTEGRATION section, click Adapters.
-
-
On the IdP Adapter Instances window, click Create New Instance.
-
On the Type tab, enter the following information, and then click Next:
-
Instance Name: The Adapter name used to identify an adapter instance specific to Windows login (for example,
PingID Adapter for Windows Login Integration
). -
Instance ID: The adapter ID. This ID is for internal use and cannot contain spaces or non-alphanumeric characters.
-
Type: From the Type list, select the relevant PingID Adapter.
-
-
Download the Window and Mac login properties file.
-
On the IdP Adapter tab, in the PingID
Properties
field, click [.uicontrol] Choose File and go to the Windows and Mac login properties file that you downloaded. -
If you’re using LDAP to retrieve user information, click Show Advanced Fields, enter the information for the relevant fields, and then click Save.
-
These attributes are used for a variety of purposes, including pre-populating user details in the registration and backup authentication flows, policy groups, and user name mapping.
-
LDAP attribute fields are case sensitive.
-
LDAP Data Source (Optional): Select a configured LDAP data store.
-
Query Directory (Optional): The LDAP query for user information is done for every request. If this option isn’t enabled, the query is only made when a PingID user cookie is not found.
If this flag is not enabled, features that rely on LDAP information might not work correctly.
-
Base Domain: The location that is used to search for the user, including subgroups. This attribute is equivalent to the
Search Base
attribute in Active Directory, such asBase Domain: CN=Users,DC=domainname,DC=global
.The
Base Domain
path must include at least one group, as well as the DC. -
Filter: LDAP attribute used to find the LDAP entry for a specific user entity. If the PingID User Attribute is not defined, the attribute is also used to represent the username in PingID, such as
userPrincipalName=${username}
. -
LDAP Search Scope:
-
OBJECT_SCOPE: Limits the search to the base object.
-
ONELEVEL_SCOPE: Searches the immediate children of a base object, but excludes the base object itself.
-
SUBTREE_SCOPE (Default): Searches all child objects as well as the base object.
-
-
Fname Attribute: The attribute containing the user first name, such as
givenName
. -
Lname Attribute: The attribute containing the user last name, such as
sn
. -
PingID User Attribute: The LDAP attribute used to represent the username in PingID, such as
User Principal Name (UPN)
,sAMAccountName
orobjectGUID
. The value is taken from the user entity identified by the Filter attribute. If this field is blank, the Filter attribute is used.This attribute is available in PingID Adapter 2.8 and later.
-
Email Attribute: The attribute containing the user email address. For example,
mail
. This email address is used during registration if users need to receive a link on their mobile device to download the PingID application. -
Group Attribute: The LDAP attribute for group membership.
If you do not provide information for the Group attribute, you will not be able to implement group-based authentication policies for Windows login. -
Phone Attribute: The LDAP attribute of the phone number used for SMS messages as well as voice calls if Voice Number attribute is left empty.
This attribute must use the Google Library format, which dictates that all phone numbers must include ‘+’, as well as the international country code.
-
Yubikey Attribute: The LDAP attribute for YubiKey (for future use).
-
Secondary Email Attribute: A second email address that can be used to verify a user if they don’t have a device paired with PingID.
-
Voice Number Attribute: The LDAP attribute of the phone number used for voice calls. If left empty, the Phone Attribute is used for voice calls.
This attribute must use the Google Library format, which dictates that all phone numbers must include ‘+’, as well as the international country code.
-
State Attribute: This field is not applicable to Windows login and should be left blank.
-
PingID Heartbeat Timeout: (Optional) Specify how many seconds to wait for a response when verifying the PingID and PingOne services. If not specified, the default is 30 seconds. If set to 0, the system default is used.
-
Authentication During Errors: For integration with Windows login, therefore, select Bypass User, to accept the user’s first factor authentication, and allow Windows to manage offline authentication when the PingID multi-factor authentication (MFA) service is unavailable.
-
Users without a paired device: For integration with Windows login, select Bypass: When PingID services are unavailable, bypass the PingID MFA flow, and allow Windows to manage offline authentication when the PingID MFA service is unavailable, and the user does not have a paired device.
-
LDAP Data Source for Devices: This field is not applicable to Windows login and should be left blank.
-
Encryption Key for Devices: This field is not applicable to Windows login and should be left blank.
-
Distinguished Name Pattern: This field is not applicable to Windows login and should be left blank.
-
HTML Template: This field is not applicable to Windows login and should be left blank.
-
Cookie Duration: The duration of the cookie (in days) before it expires. The default value is 1 day.
-
PingID Properties File Name: Ensure the PingID Properties file is unique.
-
The PingID properties file name must be unique for each adapter instance. This value is automatically assigned during the adapter configuration process, but when you create a hierarchical adapter configuration it doesn’t reset automatically to a unique value.
-
Downloading the PingID for PingFederate properties file provides full permission to perform enrollment, device management, and authentication actions and should only be used with the necessary caution and the guidance of an administrator.
-
-
Keep cookies at sign-off: This field is not applicable to Windows login and should be left blank.
This option prevents a full clean up of the user trace on the machine after single logout (SLO) and might expose your user accounts to additional security risks. This option should only be used with full understanding of the security implications.
-
Refresh UserId Cookie: Refresh UserId cookie after a successful authentication. By default this option is unchecked.
-
Require PingID Registration: (Relevant only when using Integrate PingID withPingFederate properties file) If the checkbox is selected, users that do not have at least one device paired with their account are blocked until they successfully pair a device with their account.
Use of the PingID withPingFederate properties file is not recommended. However if you choose to use it, this option is required to maintain optimum security levels. For a more comprehensive list of properties files available see Managing the PingID properties file.
-
-
Optional: On the Extended Contract tab, to add attributes to the contract, for each attribute you want to add, in theExtend the Contract area, type the name of the attribute and click Add, and when finished, click Next.
For more information on using the Extended Contract tab, see Extend an IdP Adapter Contract.
-
On theAdapter Attributes tab in the Pseudonym column, select the checkbox for the subject attribute to be used as the expected identifier, then click Next.
On theAdapter Attributes tab you also have the option to mask attribute values in PingFederate log files. For more information, see Attribute masking.
-
On the Adapter Contract Mapping tab, click Configure Adapter Contract and then in the Adapter Contract Mapping window:
-
Click Next, and then in the Adapter Contract Fulfillment tab, for each contract attribute, select the relevant Source value with which to fulfill your adapter contract.
-
-
Click Next, and then in the Issuance Criteria tab, click Next.
-
In the Summary tab, verify the information is correct and then click Done.
-
In the Create Adapter Instance window, click Next, and then click Done
-
Click Save.
Result:
The new adapter instance is saved.