Password credential validators allow PingFederate administrators to define a centralized location for username/password validation, allowing validator instances to be referenced by various PingFederate configurations.

To implement a custom password credential validator, the following Java packages need to be imported:

  • org.sourceid.saml20.adapter.gui
  • org.sourceid.saml20.adapter.conf
  • org.sourceid.util.log
  • com.pingidentity.sdk
  • com.pingidentity.sdk.password

For each implementation, in addition to the methods described under Shared interfaces, you must define the following at a minimum:

AttributeMap processPasswordCredential(String username,
  String password)   
  throws PasswordValidationException

This method takes a username and password and verifies the credential against an external source. If the credentials are valid, then an AttributeMap is returned containing at least one entry representing the principal. If the credentials are invalid, then null or an empty map is returned. A PasswordValidationException is thrown if the plugin was unable to validate the credentials (for example, due to an offline host or network problems).

To enable change password in a password credential validator, implement the com.pingidentity.sdk.password.ChangeablePasswordCredential interface.

To enable password reset in a password credential validator, implement the com.pingidentity.sdk.password.ResettablePasswordCredential interface.


Depending on your password management system, additional system configuration may be necessary to enable password changes—for example, passwords can be changed in Active Directory only if SSL is enabled.