Initial user authentication is normally handled outside of the PingFederate server using an application or an Identity Management system authentication module. Adapters or agents from PingFederate integration kits are typically used to integrate with these local authentication mechanisms.

PingFederate packages an HTTP Basic Adapter that delegates user authentication to a Password Credential Validator, such as an LDAP Username PCV (see Password Credential Validators). This authentication mechanism validates credentials against a user repository through an instance of a PCV. You can add multiple PCV instances to an instance of the HTTP Basic Adapter to validate against multiple user repositories, in which case PingFederate falls to the subsequent PCV instance if the previous PCV instance fails to validate the user credentials.

When PingFederate receives an authentication request and the use case is associated with an HTTP Basic Adapter instance, PingFederate invokes the adapter if it does not find a valid authentication session (see Sessions). If the HTTP Basic Adapter does not find a valid adapter session, it prompts the user for credentials.

This adapter does not provide an authentication context. For SAML connections, PingFederate sets the authentication context as follows:
  • urn:oasis:names:tc:SAML:1.0:am:unspecified for SAML 1.x
  • urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified for SAML 2.0
As needed, the authentication context can be overridden by either an instance of the Requested AuthN Context Authentication Selector or the SAML_AUTHN_CTX attribute in the SAML attribute contract. The latter takes precedence.