1. Click Identity Provider > Adapters to open the Manage IdP Adapter Instances screen.
  2. On the Manage IdP Adapter Instances screen, click Create New Instance to start the Create Adapter Instance configuration wizard.
  3. On the Type screen, configure the basics of this adapter instance.
    1. Enter the required information and select the adapter type from the list.
    2. Optional: Select a Parent Instance from the list.
      This is useful when you are creating an instance that is similar to an existing instance. The child instance inherits the configuration of its parent. In addition, you have the option to override one or more settings during the rest of the setup. Select the Override ... check box and make the adjustments as needed in one or more subsequent screens.
  4. On the IdP Adapter screen, configure your HTTP Basic Adapter instance as follows:
    1. If you have not yet defined the desired Password Credential Validator instance, click Manage Password Credential Validators to do so.
    2. Click Add a new row to 'Credential Validators' to select a credential-authentication mechanism instance for this adapter instance.
    3. Select a Password Credential Validator instance from the list and click Update.
      Add as many validators as necessary. Use the up and down arrows to adjust the order in which you want PingFederate to attempt credential authentication. If the first mechanism fails to validate the credentials, PingFederate moves sequentially through the list until credential validation succeeds. If none of the Password Credential Validator instances is able to authenticate the user's credentials, and the challenge retries maximum has been reached, the process fails.

      If usernames overlap across multiple Password Credential Validator instances, this failover setup could lockout those accounts in their source locations.

    4. Enter values for the adapter configuration.

      Refer to the on-screen field descriptions and the following table for more information.

      Property Description


      The name of a protected area. The value of this field is sent as a part of the HTTP Basic authentication request. It appears in a dialog box that prompts the user for a username and password.

      Once a user authenticates against a realm, if additional HTTP Basic Adapter instances share the same realm, the user is not prompted to re-authenticate.

      Challenge Retries


      The number of attempts allowed for password authentication. The default value is 3.
  5. On the Extended Contract screen, configure additional attributes for this adapter instance as needed.
    The HTTP Basic Adapter contract includes one core attribute: username.
  6. On the Adapter Attributes screen, configure the pseudonym and masking options.

    The Override Attributes check box in this screen reflects the status of the override option in the Extended Contract screen.

    1. Select the check box under Pseudonym for the user identifier of the adapter and optionally for the other attributes, if available.
      This selection is used if any of your SP partners use pseudonyms for account linking.

      A selection is required regardless of whether you use pseudonyms for account linking. This allows account linking to be used later without having to delete and reconfigure the adapter. Ensure that you choose at least one attribute that is unique for each user (for example, email) to prevent the same pseudonym from being assigned to multiple users.

    2. Select the check box under Mask Log Values for any attributes that you want PingFederate to mask their values in its logs at runtime.
    3. Select the Mask all OGNL-expression generated log values check box, if OGNL expressions might be used to map derived values into outgoing assertions and you want those values masked
  7. Optional: On the Adapter Contract Mapping screen, configure the adapter contract for this instance with the following optional workflows:
    • Configure one or more data sources for datastore queries.
    • Fulfill adapter contract with values from the adapter (the default), datastore queries (if configured), context of the request, text, or expressions (if enabled).
    • Set up the Token Authorization framework to validate one or more criteria prior to the issuance of the adapter contract.
  8. On the Summary screen, review your configuration, modify as needed, and click Done to exit the Create Adapter Instance workflow.
  9. On the Manage IdP Adapter Instances screen, click Save to retain the configuration of the adapter instance.
    If you want to exit without saving the configuration, click Cancel.