PingFederate provides an authentication mechanism using plugin password credential validators (PCVs). This feature provides centralized credential validation for various PingFederate components and configurations.

For each instance of the HTML Form Adapter, the HTTP Basic Adapter, and the Username Token Processor, you can select the same PCV instance, a unique PCV instance, or multiple PCV instances. When you select multiple PCV instances for a given adapter or token processor instance, if the first PCV instance fails to authenticate a user, the PCV returns control to the adapter or the token processor. The adapter or the token processor then tries the next PCV instance. The cycle continues until a PCV instance succeeds or the last PCV instance also fails.
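
A simplified model of the fallback cycle described above, added here as an illustration; it is not PingFederate code or its SDK, and the `ModelPCV` class, instance names and user records are constructed. It shows that when the same username exists in two stores, the instance that accepts the password decides which attributes are returned, and that a failed password is presented to every instance in the chain.

```python
# Simplified model of PCV chaining; not PingFederate code or its SDK.
import hmac
from dataclasses import dataclass


@dataclass
class ModelPCV:
    """Hypothetical stand-in for one PCV instance backed by a user store."""
    name: str
    users: dict  # username -> (password, attributes); constructed sample data

    def validate(self, username, password):
        record = self.users.get(username)
        if record is None:
            return None
        stored, attrs = record
        # Constant-time comparison of the stored and submitted password.
        if hmac.compare_digest(stored.encode(), password.encode()):
            return dict(attrs, validated_by=self.name)
        return None


def authenticate(chain, username, password):
    """Try each PCV in configured order; return (attributes, instances tried)."""
    tried = []
    for pcv in chain:
        tried.append(pcv.name)
        attrs = pcv.validate(username, password)
        if attrs is not None:
            return attrs, tried   # first success ends the cycle
    return None, tried            # the last instance also failed


# Constructed sample stores: "jdoe" exists in both, with different passwords.
corp = ModelPCV("corp-ldap", {
    "jdoe": ("Corp-pass-1", {"mail": "jdoe@corp.example"}),
})
partner = ModelPCV("partner-ldap", {
    "jdoe": ("Partner-pass-2", {"mail": "jdoe@partner.example"}),
    "asmith": ("Smith-pass-3", {"mail": "asmith@partner.example"}),
})
CHAIN = [corp, partner]

if __name__ == "__main__":
    for user, pw in [("jdoe", "Corp-pass-1"), ("jdoe", "Partner-pass-2"),
                     ("jdoe", "wrong")]:
        attrs, tried = authenticate(CHAIN, user, pw)
        print(user, "->", attrs, "| tried:", tried)
```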

For OAuth clients using the Resource Owner Password Credentials grant type, you configure a grant-mapping configuration to fulfill the persistent grant contract using an attribute value (or values) from the applicable PCV instance (or instances). Note that you can only create one grant-mapping configuration per applicable PCV instance.

Finally, if you want to manage OAuth client records using the OAuth Client Management Service or persistent grants using the OAuth Access Grant Management Service, you must select a PCV instance when configuring authorization server settings. When accessing these services, you must include valid credentials in the requests using the HTTP Basic authentication scheme.

PingFederate is distributed with the following plugin PCVs.

LDAP Username Password Credential Validator
    Validates credentials based on an LDAP look-up in an organization's user-datastore.

PingID PCV (with integrated RADIUS server)
    Validates credentials from a VPN RADIUS client based on an LDAP look-up in an organization's user-datastore. (For more information, see Integrate PingID with your VPN.)

PingOne Directory Password Credential Validator
    Validates credentials stored in PingOne® Directory.

RADIUS Username Password Credential Validator
    Validates credentials based on the RADIUS protocol on an organization's RADIUS server.

Simple Username Password Credential Validator
    Validates credentials maintained by PingFederate.

You manage PCV instances on the System > Password Credential Validators screen.

  • To configure a new instance, click Create New Instance.
  • To modify an existing instance, select it by its name under Instance Name.
  • To review the usage of an existing instance, click Check Usage under Action.
  • To remove an existing instance or to cancel the removal request, click Delete or Undelete under Action.
  • To retain any configuration changes, click Save.
  • To discard any configuration changes, click Cancel.
Note:

Automatic multi-connection error checking occurs by default whenever you access this screen. The intent is to verify that configured connections have not been adversely affected by changes made here.

If you experience noticeable delays in accessing this page, you can optionally disable automatic connection validation on the System > Server > General Settings page.