1. Click Identity Provider > Adapters to open the Manage IdP Adapter Instances screen.
  2. On the Manage IdP Adapter Instances screen, click Create New Instance to start the Create Adapter Instance configuration wizard.
  3. On the Type screen, configure the basics of this adapter instance.
    1. Enter the required information and select the adapter type from the list.
    2. Optional: Select a Parent Instance from the list.
      This is useful when you are creating an instance that is similar to an existing instance. The child instance inherits the configuration of its parent. In addition, you have the option to override one or more settings during the rest of the setup. Select the Override ... check box and make the adjustments as needed in one or more subsequent screens.
  4. On the IdP Adapter screen, configure your Identifier First Adapter instance.
    For more information about each field, refer to the following table.
    Field
      Description

    Identifier Cookie Lifetime
      Determines the number of days that previously authenticated identifiers are preserved as a cookie on the client side. This value can range from 0 through 3650.

      Set to 0 to disable the storage of any previously authenticated identifiers.

      The default value is 30.

    Allow Cancelling Identifier Selection
      Determines whether a user is allowed to continue without entering or selecting an identifier.

      If allowed, when a user decides to continue without providing an identifier, the Identifier First Adapter treats the authentication attempt as a failure and returns control to PingFederate.

      This check box is not selected by default.

    Click Show Advanced Fields to review the following settings. Modify as needed.

    Maximum Identifiers Count
      Determines the maximum number of previously authenticated identifiers that can be preserved in the identifier cookie. This value can range from 0 through 10.

      Set to 0 to disable the storage of any previously authenticated identifiers.

      The default value is 5.

    Identifier Selection Template
      The HTML template to prompt the user to enter or select an identifier. PingFederate allows each configured adapter instance to use a different template as needed.

      The default template file is identifier.first.template.html.

      Like other Velocity template files, it is located in the <pf_install>/pingfederate/server/default/conf/template directory.

  5. On the Extended Contract screen, configure additional attributes for this adapter instance as needed.
    The Identifier First Adapter contract includes two core attributes: subject and domain.

    If the identifier is an email address, the adapter extracts the email address suffix and exposes it downstream through the domain attribute. As needed, the adapter can leverage datastore queries to fulfill the domain attribute (see step 7).

  6. On the Adapter Attributes screen, configure the pseudonym and masking options.
    Note:

    The Override Attributes check box in this screen reflects the status of the override option in the Extended Contract screen.

    1. Select the check box under Pseudonym for the user identifier of the adapter and optionally for the other attributes, if available.
      This selection is used if any of your SP partners use pseudonyms for account linking.
      Note:

      A selection is required regardless of whether you use pseudonyms for account linking. This allows account linking to be used later without having to delete and reconfigure the adapter. Ensure that you choose at least one attribute that is unique for each user (for example, email) to prevent the same pseudonym from being assigned to multiple users.

    2. Select the check box under Mask Log Values for any attributes whose values you want PingFederate to mask in its logs at runtime.
    3. Select the Mask all OGNL-expression generated log values check box if OGNL expressions might be used to map derived values into outgoing assertions and you want those values masked.
  7. Optional: On the Adapter Contract Mapping screen, configure the adapter contract for this instance with the following optional workflows:
    • Configure one or more data sources for datastore queries.
    • Fulfill adapter contract with values from the adapter (the default), datastore queries (if configured), context of the request, text, or expressions (if enabled).
    • Set up the Token Authorization framework to validate one or more criteria prior to the issuance of the adapter contract.
  8. On the Summary screen, review your configuration, modify as needed, and click Done to exit the Create Adapter Instance workflow.
  9. On the Manage IdP Adapter Instances screen, click Save to retain the configuration of the adapter instance.
    If you want to exit without saving the configuration, click Cancel.
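
The following added example (not part of the original procedure and not PingFederate code) turns the ranges from step 4 and the pseudonym and masking guidance from step 6 into a review check that can be run over a record of an adapter instance's settings. The record layout, the key names, and the `unique_per_user` and `sensitive` annotations are assumptions made for this example; they are not PingFederate's export or administrative API format.

```python
# Added example: the dict layout and key names are constructed for this check,
# not a PingFederate format; unique_per_user/sensitive are reviewer annotations.
COOKIE_DAYS = range(0, 3651)  # Identifier Cookie Lifetime: 0 through 3650
MAX_IDS = range(0, 11)        # Maximum Identifiers Count: 0 through 10


def review_adapter(cfg):
    """Return findings for one Identifier First Adapter instance record."""
    findings = []
    days = cfg.get("identifier_cookie_lifetime", 30)  # documented default
    count = cfg.get("maximum_identifiers_count", 5)   # documented default
    if days not in COOKIE_DAYS:
        findings.append("cookie lifetime outside 0-3650")
    if count not in MAX_IDS:
        findings.append("maximum identifiers count outside 0-10")
    # Either value at 0 disables identifier storage; a mixed pair needs a look.
    if (days == 0) != (count == 0):
        findings.append("storage disabled by one setting only")
    attrs = cfg.get("attributes", {})
    pseudonym = [n for n, a in attrs.items() if a.get("pseudonym")]
    if not pseudonym:
        findings.append("no pseudonym attribute selected")
    elif not any(attrs[n].get("unique_per_user") for n in pseudonym):
        findings.append("no pseudonym attribute is unique per user")
    for name, a in attrs.items():
        if a.get("sensitive") and not a.get("mask_log_values"):
            findings.append(f"{name} is sensitive but not masked in logs")
    if cfg.get("uses_ognl_expressions") and not cfg.get("mask_ognl_log_values"):
        findings.append("OGNL-generated log values are not masked")
    return findings

# Constructed sample records.
GOOD = {
    "identifier_cookie_lifetime": 30,
    "maximum_identifiers_count": 5,
    "attributes": {
        "subject": {"pseudonym": True, "unique_per_user": True},
        "domain": {"pseudonym": False, "unique_per_user": False},
    },
}
BAD = {
    "identifier_cookie_lifetime": 0,
    "maximum_identifiers_count": 11,
    "uses_ognl_expressions": True,
    "attributes": {
        "subject": {"pseudonym": False, "sensitive": True},
        "domain": {"pseudonym": True, "unique_per_user": False},
    },
}
```

In the `BAD` record, the pseudonym is derived only from `domain`, which many users share, so the check reports the situation the note in step 6 warns about.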