Property Description
Login Template

(Required)

The HTML template to prompt the users for their credentials. PingFederate allows each configured adapter instance to use a different login page template.

The default template file is html.form.login.template.html.

(Unless otherwise stated, all template files are located in the <pf_install>/pingfederate/server/default/conf/template directory.)

Logout Path Any path in the format indicated. Setting a path invokes adapter logout functionality that is normally invoked during SAML 2.0 single-logout (SLO) processing. The resulting logout path is /ext/<Logout Path> . The logout path extends from the base URL. If virtual host names are configured, the logout path is accessible at those locations as well.

Available primarily for use cases where the partner SaaS providers who do not support SAML SLO but want the users' IdP SSO sessions to end after logging out of the SaaS services. For these use cases, the SaaS providers could redirect the users to the logout URL after the users log out of their platforms.

Note:

If specified, the path must be unique across all HTML Form Adapter instances, including child instances.

This field has no default value.

Logout Redirect The landing page at the SP after successful IdP logout (applicable only when the Logout Path field is configured).

This field has no default value.

Logout Template The HTML template to be displayed when a user has successfully logged out in a configuration where the Logout Path field is configured but the Logout Redirect field is not.

The default template file is idp.logout.success.page.template.html.

Change Password Template The HTML template to prompt the users to change their password. PingFederate allows each configured adapter instance to use a different change password template.

The default template file is html.form.change.password.template.html.

Change Password Message Template The HTML template to be displayed when a user has successfully changed the password through the HTML Form Adapter.

The default template file is html.form.message.template.html.

Password Management System Message Template The HTML template to notify the users that they are being redirected to a password management system to change their password.

The default template file is also html.form.message.template.html.

Change Password Email Template The HTML email template PingFederate uses to generate the email message to notify the user that the password has been changed or reset successfully through the HTML Form Adapter.

The default template file is message-template-end-user-password-change.html, located in the <pf_install>/pingfederate/server/default/conf/template/mail-notifications directory.

Applicable only if an instance of the SMTP Notification Publisher is selected from the Notification Publisher list.

Expiring Password Warning Template The HTML template to warn the users about approaching the password expiry day.

The default template file is html.form.password.expiring.notification.template.html.

Threshold for Expiring Password Warning The threshold (in days) to start warning the user about approaching the password expiry day.

The default value is 7 (days).

Snooze Interval for Expiring Password Warning The amount of time (in hours) to delay the next warning after the user has chosen to change the password later.

The default value is 24 (hours).

Login Challenge Template The HTML template to be displayed as the second step during a strong authentication. It is used to prompt the user to answer a challenge question after the first-factor login. The RADIUS Username Password Credential Validator is an example of where it could be used.

The default template file is html.form.login.challenge.template.html.

'Remember My Username' Lifetime The number of days the cookie remains valid. Enter the number of days you want the username remembered in a cookie.

The cookie lifetime is reset upon each successful login in which the Remember my username check box on the login form is selected.

Note:

The value is ignored when users authenticate through a Composite Adapter instance that chains this adapter behind another authentication source with an Input User ID Mapping configuration and the Allow Username Edits check box is not selected.

You may enter an integer between 1 and 3650.

The default value is 30 (days).

'This is My Device' Lifetime The number of days that a user's selection of the This is my device check box on the login form is retained.

The lifetime is reset upon each successful login in which the This is my device check box on the login form is selected.

You may enter an integer between 1 and 3650.

The default value is 30 (days).

Allow Username Edits During Chaining When users authenticate through a Composite Adapter instance that chains this adapter behind another authentication source with an Input User ID Mapping configuration or initiate an OAuth authorization request with a login_hint parameter, the username in the login form is pre-populated; users are not allowed to edit their usernames.

Select this check box if you want to allow users to edit the pre-populated username in the login form.

Note:

Users who authenticate through a Composite Adapter instance without an Input User ID Mapping configuration or this adapter directly always need to enter their usernames.

This check box is not selected by default.

Track Authentication Time When selected, the time of authentication for each user is tracked and could be utilized by applicable use cases. For example, if an OAuth client sends an authorization request with a max_age parameter, such request will prompt the user to reauthenticate when the elapsed time (between the current time and the time of the previous authentication) is greater than the max_age value.

This check box is selected by default.

Post-Password Change Re-Authentication Delay The HTML Form Adapter reauthenticates the user using the new password immediately after a successful password change request. As needed, enter the amount of time (in milliseconds) that the adapter should wait prior to the reauthentication attempt.

The default value is 0, which is the minimum value. The maximum value is 60000 (one minute).

Advanced fields for self-service password reset and account unlock

Property Description
Password Reset Username Template The HTML template to prompt the user to enter a username for password reset.

This template is applicable for all password reset types (other than None).

The default template file is forgot-password.html.

Password Reset Code Template The HTML template to prompt the user to enter the one-time password (OTP) or the code for password reset.

This template is applicable when the password reset type is Email One-Time Password or Text Message.

The default template file is forgot-password-resume.html.

Password Reset Template The HTML template to prompt the user to define a new password.

This template is applicable for all password reset types (other than None).

The default template file is forgot-password-change.html.

Password Reset Error Template The HTML template to notify the user that the password reset attempt has failed.

This template is applicable for all password reset types (other than None).

The default template file is forgot-password-error.html.

Password Reset Success Template The HTML template to notify the user that the password reset attempt has succeeded.

This template is applicable for all password reset types (other than None).

The default template file is forgot-password-success.html.

Account Unlock Template The HTML template to notify the user that the account unlock attempt has succeeded and to prompt the user to retain the current password or reset it.

The default template file is account-unlock.html.

OTP Length The number of characters in the one-time password for password reset.

The default value is 8.

Password Reset Token Validity Time The validity (in minutes) for the one-time password or the one-time link.

The default value is 10 (minutes).

PingID Properties For self-service password reset using PingID, follow these steps to upload the PingID settings file to the HTML Form Adapter instance:
  1. Sign on to the PingOne admin portal.
  2. Go to the Setup > PingID > Client Integration screen.
  3. Download the settings file (pingid.properties).
  4. Close the PingOne admin portal.
  5. Come back to the PingFederate administrative console and upload the pingid.properties file to the PingID Properties advanced field on the IdP Adapter screen.

Advanced fields for self-service username recovery

Property Description
Require Verified Email When selected, PingFederate only generates notification messages for self-service password reset, account unlock, or username recovery for users who have proven ownership of their email addresses.
Important:

This selection requires that the status of email ownership verification being stored as part of the user record in the directory server and the name of such attribute being the value of the Mail Verified Attribute field in the selected LDAP Username PCV instance.

The check box is not selected by default.

Username Recovery Template The HTML template to prompt the user to enter an email address to recover the username associated with the account.

This template is applicable when username recovery is enabled.

The default template file is username.recovery.template.html.

Username Recovery Info Template The HTML template to notify the user to retrieve the email message with the recovered username.

This template is applicable when username recovery is enabled.

The default template file is username.recovery.info.template.html.

Username Recovery Email Template The HTML email template PingFederate uses to generate the email message containing the recovered username.

The default template file is message-template-username-recovery.html, located in the <pf_install>/pingfederate/server/default/conf/template/mail-notifications directory.

Applicable only if an instance of the SMTP Notification Publisher is selected from the Notification Publisher list.

CAPTCHA options

Property Description
CAPTCHA for Authentication Enable CAPTCHA to protect the authentication process from automated attacks.
CAPTCHA for Password Change Enable CAPTCHA to protect the password change process from automated attacks.
CAPTCHA for Password Reset Enable CAPTCHA to protect the account recovery process (for password reset and account unlock) from automated attacks.
CAPTCHA for Username Recovery Enable CAPTCHA to protect the username recovery process from automated attacks.

CAPTCHA check boxes are not selected by default.