PingFederate uses the HTML Form Adapter to deliver a secure and easy-to-use customer authentication, registration, and profile management solution. A typical self-service registration setup involves five components, set up in the following order:

  • A PingDirectory installation (step 1)
  • An authentication policy contract (step 2)
  • A local identity profile (step 3)
  • An HTML Form Adapter instance (step 4)
  • An IdP authentication policy (step 5)

To illustrate the configuration steps, consider the following example:

You are tasked to support a consumer registration use case, where users can complete a self-service registration process to create their accounts and then access resources protected by multiple service providers. For a registration to complete successfully, a user must provide an email address, a first name, a last name, and a password; a mobile phone number is optional. The email address is the user identifier. All attributes are sent to the service providers as per the partner agreements. You have already created a specific object class in the directory to store the user information. The object class name is aPerson, and the LDAP attributes are mail, givenName, sn, and mobile.

Configuration steps:

  1. Install PingDirectory, update its LDAP schema, set up the required index, and then create an LDAP datastore and an LDAP Username Password Credential Validator instance in PingFederate.
  2. Create an authentication policy contract using the Identity Provider > Policy Contract configuration wizard. Extend the authentication policy contract with three additional attributes; for example, firstName, lastName and mobileNumber.
    (For more information, see Managing policy contracts.)
  3. Create a local identity profile using the Identity Provider > Identity Profiles configuration wizard.
    1. On the Profile Info screen, enter a name of the local identity profile, select the authentication policy (from step 2), and select the Enable Registration check box.
    2. On the Authentication Sources screen, click Next.
    3. On the Fields screen, define four local identity fields, as follows:
      Type    ID            Label           Parameters
      Email   lipEmail      Email address   Select the Required and Unique ID Field check boxes.
      Text    lipFirstName  First name      Select the Required check box.
      Text    lipLastName   Last name       Select the Required check box.
      Phone   lipMobile     Mobile number   No parameters are required.

      As needed, select the Mask Log Values check box for any of the four local identity fields, and the Mask all OGNL-expression generated log values check box. (The latter applies to all local identity fields.) Masking keeps the submitted values, which are personal data, out of the PingFederate log files.

    4. On the Email Verification screen, click Next. (This sample leaves email verification disabled; enable it if you need proof that the registrant controls the address that serves as the user identifier.)
    5. On the Registration screen, click Next.
    6. On the Data Store Configuration screen, click Configure Data Store.
    7. On the Data Store Configuration > Data Store screen, select the LDAP datastore that has been set up to connect to your PingDirectory.
    8. On the Data Store Configuration > LDAP Configuration screen, specify the branch of your directory hierarchy where you want PingFederate to store customer identities in the Base DN field and the LDAP attributes to be associated with fields defined in this local identity profile under Attribute.
    9. On the Data Store Configuration > Identity Creation screen, define the RDN pattern in the Relative DN Pattern field and select your object class (aPerson for this sample use case) from the Object Class list.

      The pattern is:

      attribute1=value1[, ..., attributeN=valueN]

      If you want to use the ${entryUUID} variable to guarantee the uniqueness of the relative DNs for all users, you must pair it with the entryUUID LDAP attribute; for example:

      entryUUID=${entryUUID}

    10. On the Data Store Configuration > Data Store Mapping screen, configure the mapping between the local identity profile fields and the datastore attributes as follows:
      Field         Data Store Attribute
      lipEmail      mail
      lipFirstName  givenName
      lipLastName   sn
      lipMobile     mobile
    11. On the Data Store Configuration > Summary screen, click Done.
    12. On the Summary screen of the local identity profile, click Save.
    (For more information, see Defining a local identity profile.)
  4. Configure an HTML Form Adapter instance for customer identities.
    1. Go to the Identity Provider Adapters screen.
    2. Create a new HTML Form Adapter instance or reuse an existing instance by clicking its name.
    3. On the IdP Adapter screen, add the LDAP Username Password Credential Validator instance that has been set up to validate credentials stored on your PingDirectory.
    4. On the IdP Adapter screen, select the newly created local identity profile from the Local Identity Profile list.
    5. Complete the rest of the configuration and save all changes.
  5. Create an IdP authentication policy.
    1. Go to the Identity Provider > Policies screen.
    2. Select the HTML Form Adapter instance (configured in step 4) under Action.
      1. For its Fail path, select Done.
      2. For its Success path, select the local identity profile (created in step 3).
    3. Click Local Identity Mapping underneath the selected local identity profile, which opens the Inbound Mapping & Contract Fulfillment configuration wizard.
    4. On the Inbound Mapping & Contract Fulfillment > Inbound Mapping screen, configure the pf.local.identity.unique.id built-in local identity field for the registration process.
      At runtime, PingFederate fulfills the value of the pf.local.identity.unique.id built-in local identity field based on this configuration and uses that value to query PingDirectory and determine whether such an identity has already been created. The pf.local.identity.unique.id field value should therefore be mapped from the subject identifier of the preceding authentication source, namely the username attribute from the HTML Form Adapter.

      For this sample use case, configure the Inbound Mapping screen as follows:

      Inbound Mapping Fulfillment  Source   Value
      pf.local.identity.unique.id  Adapter  username
    5. On the Inbound Mapping & Contract Fulfillment > Attribute Sources & User Lookup screen, click Next.
    6. On the Inbound Mapping & Contract Fulfillment > Contract Fulfillment screen, fulfill the authentication policy contract with values from this local identity profile as follows:

      Outbound Contract Fulfillment  Source          Value
      subject                        Local Identity  lipEmail
      firstName                      Local Identity  lipFirstName
      lastName                       Local Identity  lipLastName
      mobileNumber                   Local Identity  lipMobile

    7. On the Inbound Mapping & Contract Fulfillment > Issuance Criteria screen, click Next.
    8. On the Inbound Mapping & Contract Fulfillment > Summary screen, click Done.
      The Inbound Mapping & Contract Fulfillment configuration wizard brings back the Manage Authentication Policies screen.
    9. Select the IdP Authentication Policies check box.
      Note: Other IdP authentication policies (if any) are enabled as well.

    10. Click Save to keep your changes.
  6. Map the authentication policy contract to the applicable Browser SSO connections, OAuth grant-mapping configuration, or both (see Managing authentication source mappings and Managing authentication policy contract grant mapping).
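The following worked example is added here and is not PingFederate or PingDirectory code. It models the data-store side of the procedure above: rendering the Relative DN Pattern from step 3.9, applying the field-to-attribute mapping from step 3.10 to produce the entry that a successful registration creates, and building the lookup that the pf.local.identity.unique.id mapping from step 5.4 implies. The point it makes is that every user-supplied field value must be escaped for the context it lands in (DN per RFC 4514, search filter per RFC 4515, LDIF per RFC 2849), otherwise a crafted surname or email address can change the DN structure or widen the uniqueness lookup. The base DN ou=customers,dc=example,dc=com, the ${fieldId} placeholder syntax for local identity fields, the assumption that the unique-id lookup is an equality filter on mail, and the sample registrant data are all constructed for this example.

```python
"""Added worked example (not PingFederate or PingDirectory code).

Models the data-store side of the registration flow configured above:
  * step 3.9  - rendering the Relative DN Pattern into the DN of the new entry
  * step 3.10 - applying the field-to-attribute mapping to build the entry
  * step 5.4  - turning pf.local.identity.unique.id into the lookup filter
Assumptions: the base DN, the ${fieldId} placeholder syntax, and an
equality filter on mail for the unique-id lookup.
"""
import base64
import re
import uuid

# Field-to-attribute mapping from step 3.10.
FIELD_TO_LDAP = {
    "lipEmail": "mail",
    "lipFirstName": "givenName",
    "lipLastName": "sn",
    "lipMobile": "mobile",
}
BASE_DN = "ou=customers,dc=example,dc=com"  # assumed value for step 3.8
OBJECT_CLASS = "aPerson"                     # object class named on the page
UNIQUE_ID_ATTR = FIELD_TO_LDAP["lipEmail"]   # lipEmail is the Unique ID Field (step 3.3)

_DN_SPECIAL = set('\\"+,;<>=')
_PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515, section 3)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def render_rdn(pattern: str, variables: dict) -> str:
    """Resolve ${name} placeholders in a Relative DN Pattern.

    Assumption: a placeholder names a local identity field id or entryUUID;
    the resolved value is DN-escaped before it is spliced into the pattern.
    """
    def substitute(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError("unresolved RDN variable: " + name)
        return escape_dn_value(str(variables[name]))
    return _PLACEHOLDER.sub(substitute, pattern)


def build_dn(pattern: str, variables: dict, base_dn: str = BASE_DN) -> str:
    """Full DN of the new entry: rendered RDN under the configured base DN."""
    return render_rdn(pattern, variables) + "," + base_dn


def unique_id_filter(unique_id: str) -> str:
    """Lookup filter for pf.local.identity.unique.id (mapped from the adapter username)."""
    return "(%s=%s)" % (UNIQUE_ID_ATTR, escape_filter_value(unique_id))


def ldif_line(attr: str, value: str) -> str:
    """One LDIF attribute line; base64-encode values LDIF cannot carry literally."""
    unsafe = (value[:1] in (" ", ":", "<") or value.endswith(" ")
              or not value.isascii() or any(c in value for c in "\r\n\x00"))
    if unsafe:
        return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (attr, value)


def registration_ldif(fields: dict, pattern: str, entry_uuid: str = None,
                      base_dn: str = BASE_DN) -> str:
    """LDIF for the entry added on a successful registration (constructed shape)."""
    variables = dict(fields)
    if entry_uuid is not None:  # value standing in for the ${entryUUID} variable
        variables["entryUUID"] = entry_uuid
    lines = ["dn: " + build_dn(pattern, variables, base_dn),
             "objectClass: top", "objectClass: " + OBJECT_CLASS]
    for field_id, value in fields.items():
        if value:  # lipMobile is optional and may be empty
            lines.append(ldif_line(FIELD_TO_LDAP[field_id], value))
    if entry_uuid is not None:
        lines.append(ldif_line("entryUUID", entry_uuid))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed registrant whose surname contains a DN-special character.
    fields = {"lipEmail": "alice@example.com", "lipFirstName": "Alice",
              "lipLastName": "Smith, Jr.", "lipMobile": ""}
    print(registration_ldif(fields, "entryUUID=${entryUUID}", str(uuid.uuid4())))
    # Keyed on mail instead: escaping keeps the value inside one RDN component.
    print(build_dn("mail=${lipEmail}", {"lipEmail": "a,b@example.com"}))
    # A hostile username in the unique-id lookup stays inside one equality match.
    print(unique_id_filter("*)(objectClass=*"))
```

Running the block prints the LDIF for the sample registrant, the DN that a mail-based RDN pattern would produce (with the comma escaped as `\,`), and the filter `(mail=\2a\29\28objectClass=\2a)` for a username that would otherwise turn the lookup into a match-all search. Using entryUUID=${entryUUID} as the pattern, as the page recommends, sidesteps the DN-escaping question entirely because the RDN never carries user input.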

You have now successfully set up self-service registration. When users sign on through this HTML Form Adapter instance, they can complete a self-service registration process to create their accounts by clicking the Register now link, as illustrated in the following screen capture:

A sample sign-on page

If a user chooses to register, the HTML Form Adapter redirects the user to the registration page. Based on the configuration of this sample use case, the following registration page is presented:

A sample registration page