An overview of creating and configuring a Kerberos Adapter instance to integrate PingFederate with Windows clients. Create and configure an instance of the Kerberos Adapter for Windows clients to authenticate using single sign-on.
- Click Manage IdP Adapter Instances screen. to open the
- On the Manage IdP Adapter Instances screen, click Create New Instance to start the Create Adapter Instance configuration wizard.
On the Type screen, configure the basics of this
- Enter the required information and select the adapter type from the list.
Select a Parent
Instance from the list.
This is useful when you are creating an instance that is similar to an existing instance. The child instance inherits the configuration of its parent. In addition, you have the option to override one or more settings during the rest of the setup. Select the Override ... check box and make the adjustments as needed in one or more subsequent screens.
On the IdP Adapter screen, configure your Kerberos
Refer to the on-screen field descriptions and the following table for more information.
Field Description Domain/Realm Name
Select your Windows domain.
If the domain or realm you want does not appear, click Manage Active Directory Domains/Kerberos Realms to add it (see Configuring Active Directory domains or Kerberos realms).
Error URL Redirect Enter a URL for redirecting the user if there are errors. This URL has an errorMessage query parameter appended to it, which contains a brief description of the error that occurred. The error page can optionally display this message on the screen to provide guidance on remedying the problem.Note:
In the case of an error, if you define an Error URL Redirect and the adapter instance is included in an instance of the Composite Adapter, the user is redirected to the configured error URL rather than continuing on to the next adapter in the chain. Leave this field blank to have the adapter continue on to the next adapter.
When employing the errorMessage query parameter in a custom error page, adhere to Web-application security best practices to guard against common content injection vulnerabilities. If no URL is specified, the appropriate default error landing page appears.
Click Show Advanced Fields to review the following settings. Modify as needed.
Error Template When selected, displays a template to provide standardized information to the end user when authentication fails. The Error URL Redirect value is ignored.
The template (
kerberos.error.template.htmlin the <pf_install>/pingfederate/server/default/conf/template directory) uses the Velocity template engine and can be modified in a text editor to suit your particular branding and informational needs. For example, you can give the user the option to try again should authentication fail.
Authentication Context Value This may be any value agreed to with your SP partner to indicate the type of credentials used to authenticate. Standard URIs are defined in the SAML specifications (see the OASIS documents oasis-sstc-saml-core-1.1.pdf and saml-authn-context-2.0-os.pdf).If left blank, PingFederate sets the authentication context as follows:
urn:oasis:names:tc:SAML:1.0:am:unspecifiedfor SAML 1.x
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecifiedfor SAML 2.0
As needed, the authentication context can be overridden by either an instance of the Requested AuthN Context Authentication Selector or the SAML_AUTHN_CTX attribute in the SAML attribute contract. (The latter takes precedence.)
On the Extended Contract screen, configure additional
attributes for this adapter instance as needed.
The Kerberos Adapter contract includes three core attributes: Domain/Realm Name, SIDs, and Username.
On the Adapter Attributes screen, configure the
pseudonym and masking options.
The Override Attributes check box in this screen reflects the status of the override option in the Extended Contract screen.
Select the check box under Pseudonym for the
user identifier of the adapter and optionally for the other
attributes, if available.
This selection is used if any of your SP partners use pseudonyms for account linking.Note:
A selection is required regardless of whether you use pseudonyms for account linking. This allows account linking to be used later without having to delete and reconfigure the adapter. Ensure that you choose at least one attribute that is unique for each user (for example, email) to prevent the same pseudonym from being assigned to multiple users.
- Select the check box under Mask Log Values for any attributes that you want PingFederate to mask their values in its logs at runtime.
- Select the Mask all OGNL-expression generated log values check box, if OGNL expressions might be used to map derived values into outgoing assertions and you want those values masked
- Select the check box under Pseudonym for the user identifier of the adapter and optionally for the other attributes, if available.
On the Adapter Contract Mapping screen, configure
the adapter contract for this instance with the following optional
- Configure one or more data sources for datastore queries.
- Fulfill adapter contract with values from the adapter (the default), datastore queries (if configured), context of the request, text, or expressions (if enabled).
- Set up the Token Authorization framework to validate one or more criteria prior to the issuance of the adapter contract.
- On the Summary screen, review your configuration, modify as needed, and click Done to exit the Create Adapter Instance workflow.
On the Manage IdP Adapter Instances screen, click
Save to retain the configuration of the adapter
If you want to exit without saving the configuration, click Cancel.