PingFederate leverages the HTML Form Adapter to deliver a secure and easy-to-use customer authentication, registration, and profile management solution. The HTML Form Adapter contract includes two core attributes: To illustrate the configuration steps, consider the following setup that you have already made:username and policy.action. At runtime, regardless of whether the local identity profile is configured with any authentication sources, if the user chooses to register directly by clicking on the Register now link, PingFederate sets the value to identity.registration. This fulfillment allows you to create rules to differentiate authentication requirements from the registration flow.

  • A PingDirectory installation with a set of users.
  • An LDAP datastore, an LDAP Username Password Credential Validator instance, and an HTML Form Adapter instance on PingFederate to validate credentials stored in PingDirectory.
  • An IdP authentication policy that chains the HTML Form Adapter instance, an PingID® Adapter instance, and an authentication policy contract for the purpose of enforcing PingID multifactor authentication in multiple browser-based SSO use cases via SP connections, OAuth authorization code flow, and OAuth implicit flow. The following screen capture illustrates your existing policy.

To illustrate the configuration steps, consider the following setup that you haveYou are now tasked to add support for a consumer registration use case similar to the one in Setting up self-service registration, and at the same time keep the policy that enforces the multifactor authentication requirement.

Configuration steps:

  1. Set up PingDirectory for customer identities.
  2. Make a note of which authentication policy contract is currently being used in your policy.
  3. Create a local identity profile using the Identity Provider > Identity Profiles configuration wizard.
    1. On the Profile Info screen, enter a name of the local identity profile, select the authentication policy (from step 2), and select the Enable Registration check box.
      If you want to enable profile management as well, select the relevant check box.

  4. Configure the HTML Form Adapter instance for customer identities.
    1. On the IdP Adapter screen, select a local identity profile from the Local Identity Profile list.
    2. Complete the rest of the configuration and save all changes.
  5. Modify your existing IdP authentication policy.
    1. Click Rules underneath the Complete the rest of the configuration to create the local identity profile.Success path of the HTML Form Adapter instance.
    2. On the Rules dialog, create a policy path for users who choose to register. For this sample use case, configure as follows:
      Attribute Name Condition Value Result
      policy.action equal to identity.registration Registration

      Complete the rest of the configuration to create the local identityThe Result field controls the label shown for the policy path of this rule.

      In addition, ensure the Default to Success check box is selected. When selected, the Success path remains, which is important for this sample use case where users are redirected to the PingID Adapter instance to fulfill the multifactor authentication requirement after authenticating successfully against the HTML Form Adapter.

      When finished, click Done, which brings you back to the Manage Authentication Policies screen.

    3. For the Registration path, select the local identity profile (from step 3) under Action and then complete its Local Identity Mapping configuration.
      The following screen capture illustrates your new policy:
    4. If you have enabled profile management in step 3, you must also replace the policy contract with the local identity profile and then complete its Local Identity Mapping configuration.
      This step is required so that PingFederate can route users through the HTML Form > PingID policy path when they try to access the profile management page.

      The following screen capture illustrates this change:

      Note:

      No reconfiguration is required in your Browser SSO connections and OAuth grant-mapping configuration for your new policy to take effect.

    5. Click Save to keep your changes.

You have now successfully added the requested consumer registration (and profile management) use case to your current policy.