PingFederate Server provides end users with the ability to self-service their own profiles. Additional configuration steps must be taken in both PingDirectory Server and PingFederate to enable users whom delegated administrators create to manage their own profiles through the PingFederate local identity profile-management feature.

Note: Import the Ping Federate ldif, first in PingDirectoryProxy Server and then in PingDirectory Server. Constructed attributes need to be created only in PingDirectoryProxy Server. Creating and rebuilding indexes (part of the self-service configuration) is done on PingDirectory Server.
Note: HTML custom files are stored in PingDirectoryProxy Server (proxy/webapps/delegator/app/customAttributes)
Note: The email template should be copied from the Degated Admin folder in PingDirectoryProxy Server to the Directory server

Email template should be copied from the DA folder in proxy to the PD server

this needs to be done before the dsconfig install file is run.

  1. Configure PingFederate for profile management.
    For example PingFederate configuration steps, see Customer IAM configuration. Setting up PingDirectory for customer identities in the PingFederate Administrator's Manual includes some of the following required steps on PingDirectory Server.
  2. Import the required additional LDAP schema provided by PingFederate into PingDirectory Server.
    1. On PingFederate Server, copy the LDIF file local-identity-pingdirectory.ldif from the following location: <pf_install>/pingfederate/server/default/conf/local-identity/ldif-scripts/local-identity-pingdirectory.ldif.
    2. Use the scopy command to securely copy the LDIF file to your local machine.
  3. Update the LDAP schema.
    1. Log on to the PingDirectory Server Administrator Console.
    2. Go to LDAP Schema > Schema Utilities.
    3. Click Import Schema Element.
    4. Copy the schema changes from the file <pf_install>/pingfederate/server/default/conf/local-identity/ldif-scripts/local-identity-pingdirectory.ldif.
    5. Paste the schema changes into the text area.
    6. Click Import.
  4. Create an equality index for the pf-connected-identity attribute.
    $ bin/dsconfig create-local-db-index \
      --backend-name userRoot \
      --index-name pf-connected-identity \
      --set index-type:equality
  5. After adding the index, use the rebuild-index utility to build the indexes. For instance, the following sample builds the required index.
    $ bin/rebuild-index \
      --baseDN "dc=example,dc=com" \
      --index pf-connected-identity
  6. Configure PingDirectory Server Composed Attributes.

    In previous versions of Delegated Admin, the remaining configuration was achieved by setting a constructed attribute on the user REST resource type. In the latest version, composed attribute plugins should be used instead as they provide the following advantages:

    • The populate-composed-attribute-values tool can be used to enable self-service for any existing users.
    • Self-service will be enabled for any users not created through the Delegated Admin app.

    Configure two Composed Attribute Plugins as follows:

    Note:

    <users-base-dn> and <users-object-class> must be replaced with the search base DN and structural object class of your REST Resource Type.

    $ bin/dsconfig create-plugin \
      --plugin-name pf-connected-identities \
      --type composed-attribute \
      --set enabled:true \
      --set attribute-type:objectClass \
      --set value-pattern:pf-connected-identities \
      --set target-attribute-exists-during-initial-population-behavior:merge-existing-and-composed-values \
      --set "include-base-dn:<users-base-dn>" \
      --set "include-filter:(objectClass=<users-object-class>)"
    
    $ bin/dsconfig create-plugin \
      --plugin-name pf-connected-identity \
      --type composed-attribute \
      --set enabled:true \
      --set attribute-type:pf-connected-identity \
      --set "value-pattern:auth-source=pf-local-identity:user-id={entryUUID}" \
      --set "include-base-dn:<users-base-dn>" \
      --set "include-filter:(objectClass=<users-object-class>)"

    If you configure composed attribute plugins as described after upgrading an existing deployment, then you should remove the old constructed attribute configuration as follows:

    $ bin/dsconfig set-rest-resource-type-prop --type-name users \
      --remove auxiliary-ldap-objectclass:pf-connected-identities \
      --remove post-create-constructed-attribute:pf-connected-identity \
      --remove update-constructed-attribute:pf-connected-identity
  7. Optional: To enable self-service for any existing users not already linked to PingFederate:
    $ bin/populate-composed-attribute-values -h <host> -p <port> -D "cn=Directory Manager" -w <password>