This plugin features a mandatory try-local-bind configuration property that enables one of the following modes of operation:

  • When try-local-bind is true, the plugin attempts to authenticate locally first. It sends a request to the PingOne for Customers service only if the local bind attempt fails.
  • When try-local-bind is false, the plugin attempts to authenticate with the PingOne for Customers service first.

The following table identifies and describes the configuration properties associated with the Pass-Through Authentication plugin for PingOne for Customers Service.

Property Description Required Default

api-url

URL that PingDirectory Server uses to communicate with the PingOne for Customers service.

Yes

N/A

auth-url

URL that PingDirectory Server uses to authenticate to the PingOne for Customers service.

Yes

N/A

oauth-client-id

OAuth client ID that PingDirectory Server uses to authenticate to the PingOne for Customers service.

Yes

N/A

oauth-client-secret

OAuth client secret that PingDirectory Server uses to authenticate to the PingOne for Customers service.

Yes

N/A

environment-id

Identifier for the PingOne for Customers environment that contains the users for whom pass-through authentication is attempted.

Yes

N/A

included-local-entry-base-dn

If this value is set, authentication attempts are passed to the PingOne for Customers service only for users in a specified DN.

If this value is set, only users who exist within a specified base DN allow their authentication attempts to be passed through to the PingOne for Customers service.

No

All public naming contexts (if not set)

connection-criteria

Reference to a connection criteria object to use to identify the bind requests to pass-through to the PingOne for Customers service based on the server's knowledge of the client expected to be the address, protocol, and security level.

If this property is defined, only client connections that match the criteria are included. If this property is not defined, all clients are included.

No

N/A

request-criteria

Reference to a request criteria object to use to identify the bind requests to pass through to the PingOne for Customers service, based on the contents of the request.

If this property is defined, only bind requests that match the criteria are included. If this property is not defined, all bind requests are included.

No

N/A

try-local-bind

Indicates whether PingDirectory Server tries to process the bind locally before forwarding the bind request to the PingOne for Customers service.

If this value is set to true and the bind succeeds locally, PingDirectory Server does not make a request to the PingOne for Customers service. If this value is set to false, PingDirectory Server ignores local credentials and attempts to authenticate only to the PingOne for Customers service.

Yes

True

override-local-password

Indicates whether PingDirectory Server attempts to bind to the PingOne for Customers service if the local account has a password.

This property is used if try-local-bind is true. If it has a value of false, the plugin attempts to authenticate to the PingOne for Customers service only if the local user account does not have a password.

If the local bind attempt fails while this value is set to true, the server tries to authenticate to the PingOne for Customers service even if the local account has a password.

Yes

True

update-local-password

Indicates whether PingDirectory Server attempts to set the password for the local user account, regardless of whether one is already set, when the local authentication attempt fails but the attempt to authenticate with the PingOne for Customers service succeeds.

This property is used only if try-local-bind is true.

If the on-premise PingDirectory Server is the authoritative source for passwords, set this property to false and configure PingDataSync Server to synchronize password changes from PingDirectory Server into the PingOne for Customers service. If the passwords differ, either the local password or the password for the PingOne for Customers service allows the user to authenticate.

If the PingOne for Customers service is the authoritative source for passwords, set this property to true. To ensure that a pass-through attempt to the PingOne for Customers service does not override local changes, make all password changes in the PingOne for Customers service.

Yes

False

allow-lax-pass-through-authentication-passwords

Indicates whether PingDirectory Server bypasses the normal password-validation process when setting the local password from the PingOne for Customers service. This property is used only when both try-local-bind and update-local-password are true.

If this value is true when a local bind attempt fails but the authentication attempt with the PingOne for Customers service succeeds, the user’s password is updated locally even if a local attempt to change the password to the same value is rejected because the password is considered too weak.

If this value is false, pass-through authentication succeeds if the authentication with PingOne for Customers service succeeds. However, the password for the PingOne for Customers service does not replace the local password.

Yes

True

ignored-password-policy-state-error-condition

Set of zero or more password policy state error conditions that are ignored for pass-through authentication.

For a list of values and their descriptions, see the following table.

No

N/A

user-mapping-local-attribute

Name of an LDAP attribute that is used to map local user entries to the corresponding PingOne for Customers account.

This property must include the same number of values as the user-mapping-remote-json-field property, and the order of their values is correlated. If multiple values are specified, all attributes must be present in the local entry, and the plugin performs an AND search in the PingOne for Customers service to locate the user account with all the values in the corresponding fields.

The entryDN attribute can be used to represent the DN of the local entry.

Yes

N/A

user-mapping-remote-json-field

The name of a PingOne for Customers field used to map local user entries to the corresponding PingOne for Customers account.

This property must include the same number and order of values as the user-mapping-local-attribute property.

Yes

N/A

additional-user-mapping-scim-filter

The System for Cross-domain Identity Management (SCIM) filter included in the search and used to identify the PingOne for Customers account that corresponds to the local user entry.

If a value is provided for this property, it is used with the SCIM filter that was created to map the local user entry to a PingOne for Customers account. If a value is not provided for this property, no additional filter is used.

No

N/A

The following table identifies the values to use with the optional configuration property ignored-password-policy-state-error-condition and describes the scenarios in which a user is permitted to bind when using pass-through authentication.

Property

Scenario in which a user can still bind
by using pass-through authentication

temporarily-locked-due-to-failures

The account is locked temporarily because of too many failed attempts.

permanently-locked-due-to-failures

The account is locked permanently because of too many failed attempts.

locked-due-to-idle-interval

The account is locked because the user has not authenticated recently.

locked-due-to-maximum-reset-age

The account is locked because an administrator recently reset the password, and the user failed to specify a new password within the allotted time frame.

password-is-expired

The password is expired.