You can enable authentication involving credentials that do not reside in, or cannot
be forwarded to or validated by, the PingDirectory server (such
as social sign-on through Facebook, Google, or Twitter) with the
UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL mechanism.
The bind request does not include any credentials, and authentication with this mechanism does not actually change the state of the underlying client connection. The server behaves as if the bind request included the retain identity request control, whether or not that control was included.
Bind requests using this mechanism can include any request controls that are permitted with
other bind requests. If the externally-processed authentication is successful, the client
can include the
get password policy state issues request control in the
bind request to obtain information about any password policy state issues that might cause
the PingDirectory server authentication attempt to fail. You
can include the password policy request control to obtain certain password policy state
warnings and errors or to look for the password expired or password expiring controls in
the bind response.