IdP adapters are responsible for handling user authentication as part of an SSO operation. A configured adapter in PingFederate is known as an adapter instance.

In a basic scenario, you map an IdP adapter instance to an SP connection on the Authentication Source Mapping screen and complete its mapping configuration through a series of sub tasks. When a user starts an SSO request, the corresponding IdP adapter is triggered to authenticate the user. Upon successful authentication, PingFederate creates and sends an SSO token to the SP based on the connection settings. As needed, you can map multiple IdP adapter instances to an SP connection, the same IdP adapter instance to multiple SP connections, or a combination of them.

If you use authentication policies to route users through a series of authentication sources and end each successful policy path with an authentication policy contract (APC), you can map the APC to your connection. Like IdP adapter instances, you may map multiple APCs to an SP connection (because your policies use multiple APCs), the same APC to multiple SP connections (because you want to reuse authentication policies on multiple connections), or a combination of them.


To learn more about authentication policies and contracts, see Authentication policies.

Furthermore, you can map one or more APCs to an SP connection to bridge a service provider to one or more identity providers. In this scenario, PingFederate is a federation hub for both sides. PingFederate uses APCs to associate this SP connection with the applicable IdP connections to the identity providers; each APC has its own set of attributes which you map values to the SSO tokens.


To learn more about federation hub, see Federation hub use cases.

Regardless of how many IdP adapter instances and APCs are mapped to an SP connection, PingFederate uses only one adapter instance or policy path to authenticate a user. (You have the option to leave the decision to the users or create authentication policies to mandate authentication requirements.) Because each adapter instance or APC may return different user attributes, each mapping must define how the attribute contract is fulfilled in its mapping configuration.

  • To map an IdP adapter instance, click Map New Adapter Instance.
  • To map an APC, click Map New Authentication Policy.
  • To edit the mapping configuration of an IdP adapter instance or APC, open it by clicking on its name, select the setting that you want to reconfigure, and complete the change.
  • To remove an IdP adapter or APC or cancel the removal request, click Delete (followed by Save) or Undelete.
  • If you are creating a new connection and you are finished with mapping the required authentication sources, click Done.
  • If you are editing an existing configuration and want to keep your changes, click Save.

When authentication sources (IdP adapter instances or connection mapping contracts) are restricted to certain virtual server IDs, the allowed IDs are displayed under Virtual Server IDs.