As a standalone server, PingFederate must be programmatically integrated with end-user applications and identity management (IdM) systems to complete the “first- and last-mile” implementation of a federated identity network for browser-based SSO. Documentation for integration kits is available on the Ping Identity website.

Note: See the PingFederate SSO Integration Overview for more information.

For an IdP (the first mile), this integration process involves providing a mechanism through which PingFederate can look up a user's current authenticated session data (for example, a cookie) or authenticate a user without such a session. For an SP, the last mile involves enabling PingFederate to supply information needed by the target application to set a valid session cookie or other application-specific security context for the user. To enable both sides of this integration, PingFederate provides bundled and separately available integration kits, which include adapters that plug into the PingFederate server and agent toolkits that interface with local IdM systems or applications, as needed. In addition, PingFederate provides plugin authentication selectors, which enable dynamic selection of authentication sources based on administrator-specified criteria.

PingFederate also includes a robust software development kit (SDK), which software developers can use to write their own adapters, data stores, and other components for specific systems.

Bundled adapters

PingFederate comes bundled with a set of adapters.

Identifier First Adapter
When a variety of user types are authenticating at PingFederate, it is often better to ask the user for their identifier first, determine their user population, and prompt the user with the desired authentication requirements and experience. The Identifier First Adapter is designed to handle this use case. See Identifier First Adapter.
HTML Form Adapter
Used in conjunction with Password Credential Validators. These adapters provide integration with user-data stores in directory servers or locally. See HTML Form Adapter.
Kerberos Adapter
Provides a seamless desktop SSO experience for Windows environments and supports authentication mechanism assurance from Active Directory domain service. This adapter is recommended for new configurations as a simpler alternative to the separately available IWA Integration Kit. See Kerberos Adapter.
OpenToken Adapter
Provides a generic interface for integrating with various applications, including Java- and .NET-based applications. See OpenToken Adapter.
Composite Adapter
Allows multiple configured IdP adapters to execute in sequence. This capability, called adapter chaining, may be used either for single-adapter usage, depending on authentication context, or to support multifactor authentication via a series of adapters. See Composite Adapter.
HTTP Basic Adapter
Used in conjunction with Password Credential Validators. These adapters provide integration with user-data stores in directory servers or locally. See HTTP Basic Adapter.
PingID®
PingID is a cloud-based authentication service that binds user identities to their devices, making it an effective multifactor authentication solution. See PingID documentation.

Bundled authentication selectors

PingFederate provides plugin authentication selectors, which enable dynamic selection of authentication sources based on administrator-specified criteria. Along with the Composite Adapter and token authorization, the selectors enable dynamic integration with an organization's authentication or authorization policies (also known as adaptive federation).

Tip: The results of authentication-selection criteria evaluation can be used to select subsequent selectors or authentication sources, which allows handling of complex hierarchical access-policy decisions (see Authentication policies).
CIDR Authentication Selector
Provides a means of choosing authentication sources at runtime based on whether an end-user's IP address falls within a specified range or ranges (using Classless Inter-Domain Routing notation). This selector allows administrators to determine, for example, whether an SSO request originates inside or outside the corporate firewall and to use different authentication integration accordingly. See Configuring the CIDR Authentication Selector.
Cluster Node Authentication Selector
Provides a means of picking authentication sources at runtime based on the PingFederate cluster node that is servicing the request. For example, this selector allows you to choose whether or not Integrated Windows Authentication is attempted based on the PingFederate cluster node with which a Key Distribution Center is associated. See Configuring the Cluster Node Authentication Selector.
Connection Set Authentication Selector
Provides a means of selecting authentication sources at runtime based on a match found between the target SP connection used in an SSO request and SP connections configured within PingFederate. For example, administrators with different requirements for SP connections can override connection adapter selection on an individual connection basis. See Configuring the Connection Set Authentication Selector.
Extended Property Authentication Selector
The Extended Property Authentication Selector enables PingFederate to choose configured authentication sources or other selectors based on a match found between a selector result value and an extended property value from the invoking browser-based SSO connections or OAuth client. See Configuring the Extended Property Authentication Selector.
HTTP Header Authentication Selector
Provides a means of choosing authentication sources at runtime based on a match found (using wildcard expressions) in an HTTP header. This selector allows administrators to determine, for example, authentication behavior based on the type of browser. See Configuring the HTTP Header Authentication Selector.
HTTP Request Parameter Authentication Selector
Provides a means of selecting authentication sources at runtime based on query parameter values in the HTTP request. See Configuring the HTTP Request Parameter Authentication Selector.
OAuth Client Set Authentication Selector
The OAuth Client Set Authentication Selector enables PingFederate to choose configured authentication sources or other selectors based on a match found between the client information in an OAuth request and the OAuth clients configured in the PingFederate OAuth authorization server (AS). This selector allows you to override client authentication selection on an individual client basis in one or more authentication policies. See Configuring the OAuth Client Set Authentication Selector.
OAuth Scope Authentication Selector
Provides a means of selecting authentication sources at runtime based on a match found between the scopes of an OAuth authorization request and scopes configured in the PingFederate OAuth authorization server (AS). For example, if a client requires write access to a resource, administrators can configure the selector to choose an adapter that offers a stronger form of authentication, such as an X.509 client certificate, rather than username and password. See Configuring the OAuth Scope Authentication Selector.
Requested AuthN Context Authentication Selector
Provides a means of picking authentication sources at runtime based on the authentication context requested by an SP, for SP-initiated SSO. Configured authentication sources are mapped either to SAML-specified contexts or any ad-hoc context agreed upon between the IdP and SP partners. See Configuring the Requested AuthN Context Authentication Selector.
Session Authentication Selector
The Session Authentication Selector enables PingFederate to choose a policy path at runtime based on whether the user already has a PingFederate authentication session for a particular source. See Configuring the Session Authentication Selector.
Note: Authentication selectors rely on HTTP requests, HTTP headers, POST data, or a combination of them. Ensure that standard security measures are in place when using these selectors.
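A minimal model of the selector chaining described in the tip and in the CIDR and OAuth Scope selector entries above, as an added example that is not PingFederate code or its SDK: the network ranges, scope names, source names and function names are all constructed for illustration. Because the selector input comes from the request, an address that does not parse is routed like an external request.

```python
import ipaddress

# Constructed sample configuration (hypothetical values, not PingFederate settings).
INTERNAL_NETWORKS = ["10.0.0.0/8", "192.168.10.0/24", "fd00::/8"]
STRONG_SCOPES = {"write", "admin"}


def cidr_selector(client_ip, networks=INTERNAL_NETWORKS):
    """Return "Yes" if client_ip is inside any configured range, else "No".

    Unparseable input yields "No", so a malformed address takes the
    external path instead of raising or matching by accident.
    """
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except (ValueError, AttributeError):
        return "No"
    for cidr in networks:
        # An IPv4 address is never "in" an IPv6 network and vice versa.
        if addr in ipaddress.ip_network(cidr, strict=False):
            return "Yes"
    return "No"


def scope_selector(requested_scopes, strong=STRONG_SCOPES):
    """Return "Yes" if any requested OAuth scope calls for stronger authentication."""
    return "Yes" if set(requested_scopes) & strong else "No"


# Policy tree: a node is (selector_name, {result: next_node_or_source_name}).
# A plain string is a leaf naming the authentication source to use.
POLICY = ("cidr", {
    "No": "composite-mfa",            # outside the corporate ranges
    "Yes": ("scope", {                # inside: decide on requested scopes
        "Yes": "x509-certificate",
        "No": "kerberos",
    }),
})


def select_source(client_ip, requested_scopes, node=POLICY):
    """Walk the policy tree; each selector result picks the next selector or source."""
    selectors = {
        "cidr": lambda: cidr_selector(client_ip),
        "scope": lambda: scope_selector(requested_scopes),
    }
    while not isinstance(node, str):
        name, branches = node
        node = branches[selectors[name]()]
    return node
```
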

Integration kits

Ping Identity regularly develops and maintains integration kits, including adapters, to work with applications and leading identity management systems. Available kits may be downloaded from the Ping Identity Downloads website. Additional authentication selectors may also be added to the download site periodically; contact sales@pingidentity.com if you are looking for specific authentication-selection capabilities.

Software development kit (SDK)

The PingFederate SDK provides a flexible means of creating custom adapters to integrate federated identity management into your system environment. See the PingFederate SDK Developer's Guide.