In this multi-factor console authentication use case, the PingFederate administrative console is a RADIUS client that calls the local RADIUS server bundled in the PingID Password Credential Validator (PCV) for the second factor authentication.


For a clustered PingFederate environment, perform these steps on the console node.

  1. Open the <pf_install>/pingfederate/bin/ file in a text editor and set the pf.console.authentication property to RADIUS.
  2. Obfuscate the Client Shared Secret value using a PingFederate command-line tool.

    Windows: <pf_install>\pingfederate\bin\obfuscate.bat clientSharedSecret

    Linux: <pf_install>/pingfederate/bin/ clientSharedSecret

    The output should be a long line of text.

  3. Copy the output for the next step.
  4. Open the <pf_install>/pingfederate/bin/ file in a text editor and modify as follows.

    For a clustered PingFederate environment, the host value must be a runtime engine IP address or a hostname.

    The timeout value is the number of milliseconds to wait for the second authentication factor to complete before timing out the login attempt. In this use case, ten seconds, or 10000 ms, should be sufficient for PingID.

    In addition, assign one or more RADIUS users or designated RADIUS groups to at least one of the PingFederate administrative roles as indicated in the file. Alternatively, you can set the use.ldap.roles property to true and use the LDAP properties file, in the same bin directory, to map LDAP group-based permissions to PingFederate roles.

  5. Save your changes, and restart PingFederate.