Initial user authentication is normally handled outside of the PingFederate server using an application or an IdM system authentication module. Adapters or agents from PingFederate integration kits are typically used to integrate with these local authentication mechanisms.

PingFederate packages an HTML Form Adapter that delegates user authentication to a Password Credential Validator (PCV); for example, an LDAP Username PCV. This authentication mechanism validates credentials against a user repository via an instance of a PCV. Multiple PCV instances may be added to an instance of the HTML Form Adapter to validate against multiple user repositories, in which case PingFederate falls to the subsequent PCV instance if the previous PCV instance fails to validate the user credentials.

When PingFederate receives an authentication request and the use case is associated with an HTML Form Adapter instance, PingFederate invokes the adapter if it does not find a valid authentication session. If the HTML Form Adapter does not finds a valid adapter session, it displays a sign-on page and prompts the user for credentials.

If customer IAM is configured and enabled, users can optionally register local accounts or sign on using third-party identity providers. If a user choose to sign on using local accounts, the credentials are validated using the designated Password Credential Validator instance (or instances). If validated, PingFederate generates the requested SSO token or moves the request to the next checkpoint if authentication policies are involved.

In terms of the sign-on experience, the HTML Form Adapter allows you to use different customizable and localizable template files, define a logout path or a logout redirect page, notify users with password expiry information, allow users to change or reset their network passwords or redirect users to a company-hosted password management system, and enable self-service password reset, account unlock, and username recovery. All capabilities can be configured on a per-adapter instance basis.

PingFederate also tracks login attempts per adapter instance. This capability adds a layer of protection against brute force and dictionary attacks. When the Challenge Retries threshold is reached, the user is locked out for a period of time. The default value for the Challenge Retries setting is three. If a higher value is preferred, consider reviewing the account lockout policy of the user repository first. For example, if the account lockout threshold is set to five on the target directory server and the Challenge Retries setting is also set to five (or a higher value), the fifth sign-on attempt could potentially lock the user accounts on the directory server. The lockout period is controlled by the Account Locking Service.

This adapter does not provide an authentication context. For SAML connections, PingFederate sets the authentication context as follows:
  • urn:oasis:names:tc:SAML:1.0:am:unspecified for SAML 1.x
  • urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified for SAML 2.0
As needed, the authentication context can be overridden by either an instance of the Requested AuthN Context Authentication Selector or the SAML_AUTHN_CTX attribute in the SAML attribute contract. (The latter takes precedence.)
Note:

The HTML Form Adapter is authentication API capable. The PingFederate authentication API is a JSON-based API that enables end-user interactions, such as credential prompts, to be handled by an external web application. This API does so by providing access to the current state of the flow as an end user steps through a PingFederate authentication policy. For more information, see Authentication API.