The administrators must authenticate successfully against the first factor; for example, a directory server where the administrator accounts, credentials and group memberships are stored. To fulfill this requirement, you need an LDAP connection from PingFederate to your directory server and an instance of the LDAP Username Password Credential Validator.

  1. Go to the System > Password Credential Validators screen, and then click Create New Instance.
  2. On the Type screen, select LDAP Username Password Credential Validator from the list and provide a name and an ID for it.
  3. On the Instance Configuration screen, select the LDAP datastore and enter information into the required fields.
    For more information about each field, refer to the following table (each field name is followed by its description):

    LDAP Datastore (Required)

    The LDAP datastore configured in PingFederate.

    If you have not yet configured the server to communicate with the LDAP directory server you need, click Manage Data Stores.

    There is no default selection.

    Search Base (Required)

    The location in the directory server from which the search begins.

    This field has no default value.

    Search Filter (Required)

    The LDAP query to locate a user record.

    If your use case requires the flexibility of allowing users to identify themselves using different attributes, you may include these attributes in your query. For instance, the following search filter allows users to sign on using either the sAMAccountName or employeeNumber attribute value through the HTML Form Adapter:

    (|(sAMAccountName=${username})(employeeNumber=${username}))

    This field has no default value.

    Scope of Search

    The level of search to be performed in the search base.

    One Level indicates a search of objects immediately subordinate to the base object, not including the base object itself. Subtree indicates a search of the base object and the entire subtree within the base object distinguished name.

    The default selection is Subtree.

    Case-Sensitive Matching

    The option to enable case-sensitive matching between the LDAP error messages returned from the directory server and the Match Expression values specified on this screen.

    This check box is selected by default.

  4. On the Extended Contract screen, click Next to skip to the Summary screen.
  5. On the Summary screen, review the configuration, modify as needed, and then save the configuration.
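The Search Filter above substitutes the submitted username into `${username}`. The following added example (not PingFederate's code) builds that same filter from a username with RFC 4515 escaping and evaluates it against a small constructed in-memory directory, so you can see how many records an escaped versus an unescaped value would match. The directory entries, the `escape=False` switch and the Subtree-style search over all entries are assumptions made for the illustration.

```python
# Added example: build the page's search filter with RFC 4515 escaping and
# evaluate it against a constructed directory (not PingFederate's own code).
import re
from string import Template

SEARCH_FILTER = "(|(sAMAccountName=${username})(employeeNumber=${username}))"
# Constructed sample entries standing in for directory records.
DIRECTORY = [
    {"sAMAccountName": "jdoe", "employeeNumber": "10042"},
    {"sAMAccountName": "asmith", "employeeNumber": "10043"},
    {"sAMAccountName": "svc-backup", "employeeNumber": "90001"},
]

def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: '*', '(', ')', '\\' and NUL become \\xx hex escapes."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(username: str, escape: bool = True) -> str:
    """Substitute ${username}; escape=False exists only to demonstrate the risk."""
    value = escape_filter_value(username) if escape else username
    return Template(SEARCH_FILTER).substitute(username=value)

def parse_filter(text: str, pos: int = 0):
    """Parse the RFC 4515 subset used here: (|...), (&...) and (attr=value)."""
    if text[pos + 1] in "&|":
        op, pos, kids = text[pos + 1], pos + 2, []
        while text[pos] == "(":
            kid, pos = parse_filter(text, pos)
            kids.append(kid)
        return (op, kids), pos + 1          # skip the closing ')'
    end = text.index(")", pos)
    attr, value = text[pos + 1:end].split("=", 1)
    return ("=", attr, value), end + 1

def _unescape(s: str) -> str: return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def _matches(node, entry) -> bool:
    if node[0] in "&|":
        combine = any if node[0] == "|" else all
        return combine(_matches(k, entry) for k in node[1])
    _, attr, pattern = node
    actual = entry.get(attr)
    if actual is None:
        return False
    # An unescaped '*' is a wildcard; \xx escapes decode back to literal characters.
    regex = "".join(".*" if p == "*" else re.escape(_unescape(p)) for p in re.split(r"(\*)", pattern))
    return re.fullmatch(regex, actual, re.IGNORECASE) is not None  # AD-style case-insensitive match

def search(ldap_filter: str) -> list:
    """Entries matching the filter across the whole constructed directory (Subtree scope)."""
    tree, end = parse_filter(ldap_filter)
    if end != len(ldap_filter):
        raise ValueError("trailing data after filter")
    return [e for e in DIRECTORY if _matches(tree, e)]
```

With escaping, a value such as `*)(objectClass=*` matches no record; substituted raw, the same value turns the filter into one that matches every entry, which is why the credential validator must escape the submitted username before substitution.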