Users created by delegated administrators can manage their own profiles through PingFederate. Additional configuration steps must be taken to enable users whom delegated administrators create to manage their own profiles through the PingFederate local identity profile-management feature.

This example assumes PingDirectory Server and PingFederate are configured for local identity profile management, following the PingFederate administrator documentation for Customer IAM. Specifically, the entryUUID attribute of the user record must be mapped to the subject of the local identity profile contract in PingFederate's Authentication Policies contract fulfillment.

  1. On PingFederate Server, copy the LDIF file local-identity-pingdirectory.ldif from the following location:
    <pf_install>/pingfederate/server/default/conf/local-identity/ldif-scripts/local-identity-pingdirectory.ldif
  2. Use the command scopy to securely copy the LDIF file to your local machine.
  3. Update the LDAP schema, as follows:
    1. Log on to the PingDirectory Server Administrator Console.
    2. Click LDAP Schema > Schema Utilities.
    3. Click Import Schema Element.
    4. Copy the schema changes from the file <pf_install>/pingfederate/server/default/conf/local-identity/ldif-scripts/local-identity-pingdirectory.ldif.
    5. Paste the schema changes into the text area.
      If you are creating a new organizational unit as part of the LDIF import, edit the DN information.
    6. Click Import.
  4. On PingDirectory Server, create a constructed attribute for pf-connected-identity (for example where the entryUUID is the PingFederate user ID attribute):
    $ bin/dsconfig create-constructed-attribute \
      --attribute-name pf-connected-identity \
      --set attribute-type:pf-connected-identity \
      --set value-pattern:auth-source=pf-local-identity:user-id={entryUUID}
After you finish installing Delegated Admin, make certain that you configure the REST resource type. For more information, see Configure user self-service.