The Identifier First Adapter is intended for deployments in which several kinds of users authenticate through PingFederate. Starting from the identifier the user enters, and drawing on datastore queries and user attributes, the adapter determines what type of user is signing on and which credentials that user has previously enrolled, so that the appropriate authentication can follow.
When user populations differ, it is often better to ask for the identifier first, determine which population the user belongs to, and only then present the authentication requirements and experience appropriate for that user. The Identifier First Adapter is designed for exactly this use case.
The adapter contract has two core attributes: subject and domain.
If the identifier is an email address, the adapter extracts the address suffix (the part after the @) and exposes it downstream as the domain attribute. For identifiers of other kinds, the adapter can instead populate the domain attribute, or additional extended attributes, from datastore queries.
Based on the identification result and the configured authentication policies, PingFederate routes the user to the appropriate policy path. Once the user has fulfilled the authentication requirements, the adapter preserves the identifier on the client side in a persistent cookie.
When the user signs off and later makes another sign-on request from the same browser, the adapter lets the user either select a previously authenticated identifier found in the cookie or enter a new one. If the user enters a new identifier, the adapter adds it to the cookie only after the user completes the authentication requirements.
The adapter keeps adding the most recently authenticated identifier until the number of stored identifiers reaches a configurable limit. Once that limit is reached, the adapter removes the least-recently-used identifier from the cookie to make room for the new one.
Lastly, the Identifier First Adapter also allows the user to continue without entering or selecting an identifier. In that case the adapter treats the authentication attempt as a failure and returns control to PingFederate, which then routes the request according to the configured policy path for failure.
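The following is an added example that models the behaviour described above; it is not PingFederate's adapter code. It shows the domain extraction from an email-style identifier, a fallback datastore-style lookup for other identifier kinds, routing of the identification result to a policy path, and the cookie that keeps recently authenticated identifiers with least-recently-used eviction at a configurable limit. The policy-path names, the domain-to-path mapping, the `lookup` callable and the comma-separated cookie encoding are all assumptions made for illustration.

```python
# Added example (not PingFederate's own code). Policy-path names, the
# domain -> path map, the lookup callable and the cookie encoding are assumed.
from collections import OrderedDict
from typing import Callable, Dict, Iterable, List, Optional

FAILURE_PATH = "identifier-not-provided"   # assumed policy path for no identifier
DEFAULT_PATH = "password-only"             # assumed path for unknown populations
POLICY_PATH_BY_DOMAIN = {                  # assumed domain -> policy path map
    "corp.example.com": "employee-mfa",
    "partner.example.net": "partner-federation",
}

Lookup = Callable[[str], Optional[Dict[str, str]]]


def extract_domain(identifier: str) -> Optional[str]:
    """Return the lower-cased suffix of an email-style identifier, or None
    when the identifier is not an email address."""
    local, at, domain = identifier.strip().rpartition("@")
    if not at or not local or not domain or "@" in local:
        return None
    return domain.lower()


def build_contract(identifier: str, lookup: Optional[Lookup] = None) -> Optional[Dict[str, str]]:
    """Fulfil the two core contract attributes, subject and domain. A non-email
    identifier falls back to `lookup`, a stand-in for a datastore query that may
    also return extended attributes. Returns None when nothing was entered."""
    subject = identifier.strip()
    if not subject:
        return None
    domain = extract_domain(subject)
    if domain is not None:
        return {"subject": subject, "domain": domain}
    if lookup is not None:
        row = lookup(subject)
        if row and row.get("domain"):
            contract = {"subject": subject}
            contract.update(row)
            return contract
    return {"subject": subject, "domain": ""}   # population unknown


def select_policy_path(contract: Optional[Dict[str, str]]) -> str:
    """Map the identification result to a policy path; no identifier is a failure."""
    if contract is None:
        return FAILURE_PATH
    return POLICY_PATH_BY_DOMAIN.get(contract["domain"], DEFAULT_PATH)


class IdentifierCookie:
    """Client-side list of previously authenticated identifiers, least recently
    used first, capped at `limit`. Serialised as a plain comma-separated list
    here only so the example stays readable."""

    def __init__(self, limit: int = 3, ids: Iterable[str] = ()):
        if limit < 1:
            raise ValueError("limit must be at least 1")
        self.limit = limit
        self._ids: "OrderedDict[str, None]" = OrderedDict()
        for ident in ids:
            self.remember(ident)

    @classmethod
    def parse(cls, cookie_value: str, limit: int = 3) -> "IdentifierCookie":
        return cls(limit, [v for v in cookie_value.split(",") if v])

    def remember(self, identifier: str) -> None:
        """Record an identifier that has just completed authentication."""
        self._ids.pop(identifier, None)        # re-insert so it becomes most recent
        self._ids[identifier] = None
        while len(self._ids) > self.limit:
            self._ids.popitem(last=False)      # evict the least-recently-used entry

    def choices(self) -> List[str]:
        """Identifiers offered for selection, most recently used first."""
        return list(reversed(self._ids))

    def serialize(self) -> str:
        return ",".join(self._ids)


def sign_on(cookie: IdentifierCookie, submitted: Optional[str],
            authenticate: Callable[[Dict[str, str], str], bool],
            lookup: Optional[Lookup] = None) -> str:
    """One identifier-first round trip: identify, pick the policy path, and add
    the identifier to the cookie only if the chained authentication succeeds.
    `authenticate` stands in for the downstream adapters on that path."""
    contract = build_contract(submitted or "", lookup)
    path = select_policy_path(contract)
    if path == FAILURE_PATH:
        return path                            # control goes back to PingFederate
    if authenticate(contract, path):
        cookie.remember(contract["subject"])   # stored only after auth completes
    return path
```

Note that `remember` is called only from the success branch of `sign_on`, matching the page's statement that a newly entered identifier is added once the authentication requirements are met; a typo in the identifier that fails downstream never ends up in the cookie.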
The authentication context reported for this adapter is urn:oasis:names:tc:SAML:1.0:am:unspecified for SAML 1.x and urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified for SAML 2.0.
PingFederate creates an authentication session for an Identifier First Adapter instance only after the complete single sign-on (SSO) transaction has succeeded. This lets the adapter prompt the user for a different identifier when a chained adapter's authentication fails, for example because of a typo in the identifier, rather than binding a session to the bad identifier.
The Identifier First Adapter is authentication API-capable. The PingFederate authentication API is a JSON-based API that enables end-user interactions, such as credential prompts, to be handled by an external web application. This API does so by providing access to the current state of the flow as an end user steps through a PingFederate authentication policy. For more information, see Authentication applications and the authentication API.