Configuring a Password Credential Validator instance - PingFederate - 10.0

  • Configuring Microsoft Internet Explorer
  • Configuring Mozilla Firefox
  • OpenToken Adapter
  • Configuring an OpenToken IdP Adapter instance
  • Configuring an OpenToken SP Adapter instance
  • Composite Adapter
  • Configuring a Composite Adapter instance
  • HTTP Basic Adapter
  • Configuring an HTTP Basic Adapter instance
  • Self-service user account management
  • Configuring self-service password management
  • Configuring self-service account recovery
  • Configuring self-service user name recovery
  • Application endpoints
  • IdP endpoints
  • SP endpoints
  • SP services
  • SCIM inbound provisioning endpoints
  • System-services endpoints
  • Constructing an alternative metadata exchange endpoint
  • OAuth 2.0 endpoints
  • Authorization endpoint
  • Client-initiated backchannel authentication endpoint
  • Token endpoint
  • OAuth grant type parameters
  • Introspection endpoint
  • Token revocation endpoint
  • Grant-management endpoint
  • Dynamic client registration endpoint
  • Device authorization endpoint
  • User authorization endpoint
  • OpenID Provider configuration endpoint
  • UserInfo endpoint
  • Web service interfaces and APIs
  • Connection Management Service
  • Exporting a connection
  • Importing connections
  • Deleting connections
  • Cluster configuration replication
  • Validation disclaimer
  • SSO Directory Service
  • Coding example
  • SOAP request and response examples
  • OAuth Client Management Service
  • OAuth Access Grant Management Service
  • OAuth Persistent Grant Management API
  • Session Revocation API endpoint
  • PingFederate administrative API
  • Configure access to the administrative API
  • Enabling native authentication
  • Enabling LDAP authentication
  • Enabling RADIUS authentication
  • Enabling certificate-based authentication
  • Accessing the API interactive documentation
  • Attribute mapping expressions
  • Enabling and disabling expressions
  • Construct OGNL expressions
  • Sample OGNL expressions
  • Issuance criteria and multiple virtual server IDs
  • Expressions for OAuth and OpenID Connect uses cases
  • Using the OGNL edit screen
  • Customizing assertions and authentication requests
  • Message types and available variables
  • Sample customizations
  • Fulfillment by datastore queries
  • Attribute mapping with multiple data sources
  • Datastore query configuration
  • Choosing a datastore
  • Specifying database table and columns
  • Entering a database search filter
  • Specifying directory properties and attributes
  • Defining encoding for binary attributes
  • Entering a directory search filter
  • Specifying data source filter and fields
  • Specifying a resource path for a REST API datastore
  • Specifying a dynamic authorization header for a REST API datastore
  • Specifying filters and fields for a custom datastore
  • Configuring failsafe options
  • Reviewing datastore query configuration
  • Troubleshooting
  • Enabling debug messages and console logging
  • Resolving startup issues
  • Troubleshooting datastore issues
  • Resolving URL-related errors
  • Resolving service-related errors
  • Troubleshooting authentication policy issues
  • Troubleshooting registration and profile management issues
  • Troubleshooting runtime errors
  • Activating tracking ID in templates
  • Correlating log messages by PF cookie
  • Correlating log messages by tracking ID
  • Troubleshooting OAuth transactions
  • Reviewing an OAuth request and various OAuth settings
  • Other runtime issues
  • Collecting support data
  • List of acronyms
  • Server Clustering Guide
  • Overview of clustering
  • Cluster protocol architecture
  • Runtime state-management architectures
  • Adaptive clustering
  • Multi-region support
  • Configuring multi-region support
  • Directed clustering
  • Sharing all nodes
  • Designating state servers
  • Defining subclusters
  • Runtime state-management services
  • Inter-Request State-Management (IRSM) Service
  • IdP Session Registry Service
  • SP Session Registry Service
  • LRU memory management schemes
  • Assertion Replay Prevention Service
  • Artifact-Message Persistence and Retrieval Service
  • Back-Channel Session Revocation Service
  • Account Locking Service
  • Other services
  • Deploying cluster servers
  • Enabling dynamic discovery for clustering
  • Deploying provisioning failover
  • Configuration synchronization
  • Console configuration push
  • Configuration-archive deployment
  • SSO Integration Overview
  • Integration introduction
  • SSO integration concepts
  • Identity provider integration
  • Service provider integration
  • Bundled adapters and integration kits for deployment scenarios
  • SDK Developer's Guide
  • Preface
  • SDK introduction
  • Getting started with the SDK
  • Directory structure
  • Developing your own plugin
  • Implementation guidelines
  • Shared interfaces
  • Configurable plugin
  • Describable plugin
  • Implementing an IdP adapter
  • IdP adapter session lookup
  • Processing steps
  • IdP adapter session logout
  • Implementing an SP adapter
  • SP session creation
  • SP adapter session logout
  • SP account linking
  • Implementing a token processor
  • Implementing a token generator
  • Implementing an authentication selector
  • Context selection
  • Authentication selector callback
  • Implementing a custom data source
  • Implementing a password credential validator
  • Implementing an identity store provisioner
  • Implementing the IdentityStoreProvisionerWithFiltering interface
  • Implementing the IdentityStoreUserProvisioner interface
  • Building and deploying your project
  • Building and deploying with Ant
  • Building and deploying manually
  • Creating deployment descriptors
  • Building your project manually
  • Deploying your project
  • Logging
  • Upgrade Guide
  • Upgrade considerations
  • Upgrade considerations introduced in PingFederate 8.x
  • Upgrade considerations introduced in PingFederate 7.x
  • Upgrade considerations introduced in PingFederate 6.x
  • Updating to the latest maintenance release
  • Upgrading PingFederate on Windows using the installer
  • Upgrading PingFederate on Windows using the Upgrade Utility
  • Upgrading PingFederate on Linux systems
  • Custom mode
  • Reviewing post-upgrade tasks
  • Copying customized files or settings
  • Reviewing database changes
  • Reviewing log configuration
  • Upgrading from PingFederate 8.x, 9.x, or 10.x
  • Upgrading from PingFederate 6.x or 7.x
  • Migrating other components
  • Updating the custom authentication selector
  • Migrating to the integrated LDAP Username PCV
  • Migrating to the integrated Username Token Processor
  • Resetting files and variable for HSM
  • Verifying the new installation
  • Performance Tuning Guide
  • Logging
  • Operating system tuning
  • Linux tuning
  • Windows tuning
  • Concurrency
  • Tuning the acceptor queue size
  • Tuning the server thread pool
  • Configuring connection pools to datastores
  • Memory
  • JVM heap
  • Garbage collectors
  • Young generation bias
  • The memoryoptions utility
  • memoryoptions and installation
  • memoryoptions and upgrade
  • Fine-tuning JVM options
  • Hardware security modules
  • Configuration at scale
  • References
  • PingFederate Monitoring Guide
  • Liveliness and responsiveness
  • Resource metrics
  • Connecting with JMX
  • Connecting to a local process
  • Connecting to a remote process
  • Monitoring
  • Thread pool
  • Logging, reporting, and troubleshooting
  • Creating an error-only server log
  • Splunk dashboards and audit logs
  • Legal Information
Page created: 12 Sep 2019 | Page updated: 3 Jun 2020


The instance configuration of a Password Credential Validator (PCV) varies depending on the credential validators deployed on your server. For PCVs bundled with PingFederate, refer to one of the following topics:

  • Configuring the LDAP Username Password Credential Validator
  • Configuring the PingOne Directory Password Credential Validator
  • Configuring the RADIUS Username Password Credential Validator
  • Configuring the Simple Username Password Credential Validator
Related links
  • https://docs.pingidentity.com/bundle/pingid/page/rgo1564020462618.html