Note:

User accounts to be linked must exist in the directory prior to establishing the account link. The Account Linking Service does not add users to the directory server but simply updates AccountLinkDataAttribute for a given user.

  1. On the System > Data Stores screen, create a new datastore to connect PingFederate to the database (see Configuring an LDAP connection).
  2. On the System > Data Stores screen, copy the system ID of the new accounting-linking datastore.
  3. Edit the hivemodule.xml file.
    The file is located in the <pf_install>/pingfederate/server/default/conf/META-INF directory.

    Locate the service-point for the Account Linking Service; for example:

    ...
    <!-- Service/adapter for storage of account linking -->
    <service-point id="AccountLinkingService" interface="org.sourceid.saml20.service.AccountLinkingService">
        <!--
                Supported classes are
                        org.sourceid.saml20.service.impl.AccountLinkingServiceDBImpl    : Use this service-point for a database implementation
                        org.sourceid.saml20.service.impl.AccountLinkingServiceLDAPImpl  : Use this service-point for an LDAP implementation
        -->
        <create-instance class="org.sourceid.saml20.service.impl.AccountLinkingServiceDBImpl"/>
    </service-point>
    ...

    Update the class value to org.sourceid.saml20.service.impl.AccountLinkingServiceLDAPImpl; for example:

    ...
    <!-- Service/adapter for storage of account linking -->
    <service-point id="AccountLinkingService" interface="org.sourceid.saml20.service.AccountLinkingService">
        ...
        <create-instance class="org.sourceid.saml20.service.impl.AccountLinkingServiceLDAPImpl"/>
    </service-point>
    ...
    Locate the Service-Point ID for AccountLinkingService and change the value of the create-instance class to:

    org.sourceid.saml20.service.impl.AccountLinkingServiceLDAPImpl

  4. Edit the org.sourceid.saml20.service.impl.AccountLinkingServiceLDAPImpl.xml file.

    The file is located in the <pf_install>/pingfederate/server/default/data/config-store directory. The default content of the file reads:

    <?xml version="1.0" encoding="UTF-8"?>
    <c:config xmlns:c="http://www.sourceid.org/2004/05/config">
    
        <!-- Data store id -->
        <c:item name="PingFederateDSJNDIName"></c:item>
    
        <!-- LDAP search base -->
        <c:item name="UserSearchBase"></c:item>
    
        <!-- LDAP username attribute.  ex: sAMAccountName -->
        <c:item name="UsernameAttribute"></c:item>
    
        <!-- Attribute on user object to place Account Linking data -->
        <c:item name="AccountLinkDataAttribute"></c:item>
    
    </c:config>

    Insert applicable values between the XML tags as follows:

    Item name Element value
    PingFederateDSJNDIName The system ID of new account-linking datastore.
    UserSearchBase The location in the directory server from which the search begins.
    UsernameAttribute The attribute that represents the user identifier.
    AccountLinkDataAttribute The attribute to store account linking data.
    Note:

    The AccountLinkDataAttribute can be any multivalued string attribute on a user object class. We recommend that you extend the LDAP schema with a custom attribute for use here. See this article from Microsoft for further information on extending the Active Directory schema (msdn.microsoft.com/library/ms676900(v=VS.85).aspx).

  5. Start or restart PingFederate.
  6. If you are running PingFederate in a cluster, go to the System > Cluster Management screen and replicate this change to other runtime servers.
    Note:

    You must also manually apply the changes made in the hivemodule.xml file on each runtime server and then start or restart PingFederate on each runtime server.

  7. In the directory, create equality indexes on the LDAP attribute types you specified for the configuration properties UsernameAttribute and AccountLinkDataAttribute.
    For example, you would need to create equality indexes on sAMAccountName and AccountLink if you had specified the following in step 4:
    <!-- LDAP username attribute. ex: sAMAccountName -->
     <c:item name="UsernameAttribute">sAMAccountName</c:item>
    
    <!-- Attribute on user object to place Account Linking data -->
     <c:item name="AccountLinkDataAttribute">AccountLink</c:item>