Although PingDataSync Server supports bidirectional synchronization between PingDirectory Server and the PingOne for Customers service, it can propagate password changes from the PingOne for Customers service into PingDirectory Server only when using the Pass-Through Authentication plugin for PingOne for Customers Service.

The plugin has a required try-local-bind configuration property that selects one of the following modes of operation:

  • When try-local-bind is true, the plugin attempts to authenticate locally first. It sends a request to the PingOne for Customers service only if the local bind attempt fails.
  • When try-local-bind is false, the plugin attempts to authenticate with the PingOne for Customers service first.

The following table identifies and describes the configuration properties associated with the Pass-Through Authentication plugin for PingOne for Customers Service.

api-url
  Description: URL that PingDirectory Server uses when communicating with the PingOne for Customers service.
  Required: Yes
  Default: NA

auth-url
  Description: URL that PingDirectory Server uses to authenticate to the PingOne for Customers service.
  Required: Yes
  Default: NA

oauth-client-id
  Description: OAuth client ID that PingDirectory Server uses to authenticate to the PingOne for Customers service.
  Required: Yes
  Default: NA

oauth-client-secret
  Description: OAuth client secret that PingDirectory Server uses to authenticate to the PingOne for Customers service.
  Required: Yes
  Default: NA

environment-id
  Description: Identifier for the PingOne for Customers environment that contains the users for whom pass-through authentication is attempted.
  Required: Yes
  Default: NA

included-local-entry-base-dn
  Description: Set of base DNs for local user entries for which pass-through authentication might be attempted. If this value is set, only users whose entries reside below one of the specified base DNs can have their authentication attempts passed through to the PingOne for Customers service.
  Required: No
  Default: All public naming contexts (if not set)

connection-criteria
  Description: Reference to a connection criteria object that identifies the bind requests to pass through to the PingOne for Customers service, based on the server's knowledge of the client (predominantly expected to be the client address, protocol, and security level). If this property is defined, only client connections that match the criteria are included. If it is not defined, all clients are included.
  Required: No
  Default: NA

request-criteria
  Description: Reference to a request criteria object that identifies the bind requests to pass through to the PingOne for Customers service, based on the contents of the request. If this property is defined, only bind requests that match the criteria are included. If it is not defined, all bind requests are included.
  Required: No
  Default: NA

try-local-bind
  Description: Indicates whether PingDirectory Server tries to process the bind locally before forwarding the bind request to the PingOne for Customers service. If this value is true and the bind succeeds locally, PingDirectory Server does not send a request to the PingOne for Customers service. If this value is false, PingDirectory Server ignores local credentials and attempts to authenticate only to the PingOne for Customers service.
  Required: Yes
  Default: True

override-local-password
  Description: Indicates whether PingDirectory Server attempts to bind to the PingOne for Customers service if the local account has a password. This property is used only if try-local-bind is true. If it is false, the plugin attempts to authenticate to the PingOne for Customers service only if the local user account does not have a password. If it is true and the local bind attempt fails, the server tries to authenticate to the PingOne for Customers service even if the local account has a password.
  Required: Yes
  Default: True

update-local-password
  Description: Indicates whether PingDirectory Server sets the password for the local user account, regardless of whether one is already set, if the local authentication attempt fails but the attempt to authenticate with the PingOne for Customers service succeeds. This property is used only if try-local-bind is true.
  If the on-premise PingDirectory Server is the authoritative source for passwords, set this property to false and configure PingDataSync Server to synchronize password changes from PingDirectory Server into the PingOne for Customers service. If the passwords differ, either the local password or the password for the PingOne for Customers service allows the user to authenticate.
  If the PingOne for Customers service is the authoritative source for passwords, set this property to true. To ensure that a pass-through attempt to the PingOne for Customers service does not override local changes, make all password changes in the PingOne for Customers service.
  Required: Yes
  Default: False

allow-lax-pass-through-authentication-passwords
  Description: Indicates whether PingDirectory Server bypasses the normal password-validation process when setting the local password from the PingOne for Customers service. This property is used only when both try-local-bind and update-local-password are true.
  If this value is true and a local bind attempt fails but the authentication attempt with the PingOne for Customers service succeeds, the user's password is updated locally even if a local attempt to change the password to the same value would be rejected because the password is considered too weak.
  If this value is false, pass-through authentication still succeeds when the authentication with the PingOne for Customers service succeeds, but the password for the PingOne for Customers service does not replace the local password.
  Required: Yes
  Default: True

ignored-password-policy-state-error-condition
  Description: Set of zero or more password policy state error conditions that are ignored for pass-through authentication. For a list of values and their descriptions, see the following table.
  Required: No
  Default: NA

user-mapping-local-attribute
  Description: Name of an LDAP attribute that is used to map local user entries to the corresponding PingOne for Customers account. This property must include the same number of values as the user-mapping-remote-json-field property, and the order of their values is correlated. If multiple values are specified, all attributes must be present in the local entry, and the plugin performs an AND search in the PingOne for Customers service to locate the user account with all the values in the corresponding fields. The entryDN attribute can be used to represent the DN of the local entry.
  Required: Yes
  Default: NA

user-mapping-remote-json-field
  Description: Name of a PingOne for Customers field that is used to map local user entries to the corresponding PingOne for Customers account. This property must include the same number and order of values as the user-mapping-local-attribute property.
  Required: Yes
  Default: NA

additional-user-mapping-scim-filter
  Description: SCIM filter that is included in the search and is used to identify the PingOne for Customers account that corresponds to the local user entry. If a value is provided for this property, it is ANDed with the SCIM filter that was created to map the local user entry to a PingOne for Customers account. If no value is provided, no additional filter is used.
  Required: No
  Default: NA
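The three user-mapping properties determine the SCIM filter that the plugin sends to PingOne for Customers. The following Python is an added illustration, not Ping's code, of how the ordered local-attribute and remote-field lists combine into one ANDed filter, how entryDN is handled, how the additional filter is ANDed in, and the rule that every mapping attribute must be present in the local entry. The remote field names, the sample entry and the population filter value are constructed; treating a multi-valued mapping attribute as unmappable is an assumption.

```python
from typing import Dict, List, Optional


def scim_quote(value: str) -> str:
    """Render a value as a SCIM filter string literal, escaping backslash and quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_user_mapping_filter(
    local_attrs: List[str],        # user-mapping-local-attribute values, in order
    remote_fields: List[str],      # user-mapping-remote-json-field values, same order
    entry_dn: str,
    entry: Dict[str, List[str]],   # local entry, attribute names lower-cased
    additional_filter: Optional[str] = None,  # additional-user-mapping-scim-filter
) -> Optional[str]:
    """Return the ANDed SCIM filter, or None when the entry cannot be mapped.

    None models the documented rule that every mapping attribute must be
    present: without a complete filter no pass-through attempt is made.
    """
    if len(local_attrs) != len(remote_fields):
        raise ValueError("user-mapping-local-attribute and user-mapping-remote-json-field "
                         "must have the same number of values")
    clauses = []
    for attr, field in zip(local_attrs, remote_fields):
        if attr.lower() == "entrydn":
            value = entry_dn                      # entryDN stands for the local entry's DN
        else:
            values = entry.get(attr.lower(), [])  # LDAP attribute names are case-insensitive
            if len(values) != 1:
                return None                       # missing (or, by assumption, ambiguous) value
            value = values[0]
        clauses.append(f"{field} eq {scim_quote(value)}")
    if additional_filter:
        clauses.append(f"({additional_filter})")  # ANDed with the generated mapping filter
    return " and ".join(clauses)


# Constructed sample local entry (attribute names lower-cased for lookup)
SAMPLE_DN = "uid=jdoe,ou=People,dc=example,dc=com"
SAMPLE_ENTRY = {"uid": ["jdoe"], "mail": ["jdoe@example.com"]}

if __name__ == "__main__":
    print(build_user_mapping_filter(["uid", "mail"], ["username", "email"], SAMPLE_DN,
                                    SAMPLE_ENTRY, 'population.id eq "POP_ID_PLACEHOLDER"'))
```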

The following table identifies the values that can be used with the optional configuration property ignored-password-policy-state-error-condition, and describes the scenarios in which a user is still permitted to bind by using pass-through authentication.

Value
  Scenario in which a user can still bind by using pass-through authentication

temporarily-locked-due-to-failures
  The account is locked temporarily because of too many failed attempts.

permanently-locked-due-to-failures
  The account is locked permanently because of too many failed attempts.

locked-due-to-idle-interval
  The account is locked because the user has not authenticated recently.

locked-due-to-maximum-reset-age
  The account is locked because an administrator recently reset the password, and the user failed to specify a new password within the allotted time frame.

password-is-expired
  The password is expired.
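To make the interaction of try-local-bind, override-local-password, update-local-password, allow-lax-pass-through-authentication-passwords and the ignored state conditions concrete, here is an added Python model of the decision flow the tables above describe; it is not the plugin's code. The local password validator, the in-memory local entry and the remote credential are constructed stand-ins, and applying the ignored-condition check in the try-local-bind=false path is an assumption.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass
class PtaConfig:
    """The plugin properties that shape the decision (names shortened)."""
    try_local_bind: bool = True
    override_local_password: bool = True
    update_local_password: bool = False
    allow_lax_passwords: bool = True   # allow-lax-pass-through-authentication-passwords
    ignored_state_errors: FrozenSet[str] = frozenset()  # ignored-password-policy-state-error-condition

@dataclass
class LocalEntry:
    password: Optional[str]            # None models an entry with no local password
    state_error: Optional[str] = None  # e.g. "password-is-expired"; None when the account is healthy

@dataclass
class BindResult:
    success: bool
    remote_contacted: bool             # whether a request went to PingOne for Customers
    local_password: Optional[str]      # local password after the bind (may have been updated)

def password_is_acceptable(pw: str) -> bool:
    """Stand-in for the local password validators (assumption: 8-character minimum)."""
    return len(pw) >= 8

def bind(cfg: PtaConfig, entry: LocalEntry, supplied: str,
         remote_password: Optional[str]) -> BindResult:
    """Simple bind under the documented rules; remote_password stands in for the PingOne account."""
    if cfg.try_local_bind:
        if entry.password == supplied and entry.state_error is None:
            return BindResult(True, False, entry.password)   # local success: PingOne never asked
        if entry.password is not None and not cfg.override_local_password:
            return BindResult(False, False, entry.password)  # local password exists: no pass-through
    if entry.state_error is not None and entry.state_error not in cfg.ignored_state_errors:
        return BindResult(False, False, entry.password)      # policy state blocks pass-through
    if remote_password is None or supplied != remote_password:
        return BindResult(False, True, entry.password)       # PingOne rejected the credentials
    if cfg.try_local_bind and cfg.update_local_password:
        if cfg.allow_lax_passwords or password_is_acceptable(supplied):
            entry.password = supplied                        # PingOne password replaces the local one
    return BindResult(True, True, entry.password)            # bind succeeds via pass-through
```

With the defaults (update-local-password false) the model shows the behaviour the update-local-password description warns about: a stale local password and the PingOne password both authenticate the user.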