Additional configuration steps must be taken in both PingDirectory and PingFederate to enable users whom delegated administrators create to manage their own profiles through the PingFederate local identity profile-management feature.

Note:

Import the Ping Federate LDIF first in PingDirectoryProxy and then in PingDirectory. Constructed attributes need to be created only in PingDirectoryProxy. Creating and rebuilding indexes (part of the self-service configuration) is done on PingDirectory.

  1. Configure PingFederate for profile management.

    To allow users to change their passwords, enable Allow Password Changes in the HTML Form Adapter. You must make this change if you want to create passwords that the user must change on the first use. For example PingFederate configuration steps, see Customer IAM configuration.

    Setting up PingDirectory for customer identities in the PingFederate Administrator's Manual includes some of the following required steps on the PingDirectory server.

  2. To create passwords that the user must change on the first use after account creation or a password reset, configure a PingDirectory password policy to force users to change their passwords.

    This policy requires that you enable Allow Password Changes as mentioned above.

    dsconfig set-password-policy-prop --policy-name "Default Password Policy" \
    --set force-change-on-add:true --set force-change-on-reset:true

    With these changes, when a user signs on to the PingFederate self-service page, the page prompts the user to change their password.

  3. Import the required additional LDAP schema provided by PingFederate into PingDirectory.
    1. On the PingFederate server, copy the LDIF file local-identity-pingdirectory.ldif from the following location: <pf_install>/pingfederate/server/default/conf/local-identity/ldif-scripts/local-identity-pingdirectory.ldif.
    2. Use the scopy command to securely copy the LDIF file to your local machine.
  4. Update the LDAP schema.
    1. Sign on to the PingDirectory administrative console.
    2. Go to LDAP Schema > Schema Utilities.
    3. Click Import Schema Element.
    4. Copy the schema changes from the file <pf_install>/pingfederate/server/default/conf/local-identity/ldif-scripts/local-identity-pingdirectory.ldif.
    5. Paste the schema changes into the text area.
    6. Click Import.
  5. Create an equality index for the pf-connected-identity attribute.
    $ bin/dsconfig create-local-db-index \
      --backend-name userRoot \
      --index-name pf-connected-identity \
      --set index-type:equality
  6. After adding the index, use the rebuild-index utility to build the indexes.

    For instance, the following sample builds the required index.

    $ bin/rebuild-index \
      --baseDN "dc=example,dc=com" \
      --index pf-connected-identity
  7. Configure PingDirectory Server Composed Attributes.

    In previous versions of Delegated Admin, the remaining configuration was achieved by setting a constructed attribute on the user REST resource type. In the latest version, composed attribute plugins should be used instead as they provide the following advantages:

    • The populate-composed-attribute-values tool can be used to enable self-service for any existing users.
    • Self-service is enabled for any users not created through the Delegated Admin app.

    Configure two Composed Attribute Plugins as follows:

    Note:

    <users-base-dn> and <users-object-class> must be replaced with the search base DN and structural object class of your REST Resource Type.

    $ bin/dsconfig create-plugin \
      --plugin-name pf-connected-identities \
      --type composed-attribute \
      --set enabled:true \
      --set attribute-type:objectClass \
      --set value-pattern:pf-connected-identities \
      --set target-attribute-exists-during-initial-population-behavior:merge-existing-and-composed-values \
      --set "include-base-dn:<users-base-dn>" \
      --set "include-filter:(objectClass=<users-object-class>)"
    
    $ bin/dsconfig create-plugin \
      --plugin-name pf-connected-identity \
      --type composed-attribute \
      --set enabled:true \
      --set attribute-type:pf-connected-identity \
      --set "value-pattern:auth-source=pf-local-identity:user-id={entryUUID}" \
      --set "include-base-dn:<users-base-dn>" \
      --set "include-filter:(objectClass=<users-object-class>)"

    If you configure composed attribute plugins as described after upgrading an existing deployment, then you should remove the old constructed attribute configuration as follows.

    $ bin/dsconfig set-rest-resource-type-prop --type-name users \
      --remove auxiliary-ldap-objectclass:pf-connected-identities \
      --remove post-create-constructed-attribute:pf-connected-identity \
      --remove update-constructed-attribute:pf-connected-identity
  8. Optional: Enable self-service for any existing users not already linked to PingFederate.
    $ bin/populate-composed-attribute-values -h <host> -p <port> -D "cn=Directory Manager" -w <password>