For an identity provider (IdP), the first mile of this integration process involves providing a mechanism through which PingFederate looks up a user's current authenticated session data, such as a cookie, or authenticates a user without such a session. For a service provider (SP), the last mile involves enabling PingFederate to supply information needed by the target application to set a valid session cookie or other application-specific security context for the user. To enable both sides of this integration, PingFederate provides bundled and separately available integration kits, which include adapters that plug into the PingFederate server and agent toolkits that interface with local IdM systems or applications, as needed. In addition, PingFederate provides plugin authentication selectors, which enable dynamic selection of authentication sources based on administrator-specified criteria. For more information, see SSO integration overview.

PingFederate also includes a robust software development kit (SDK) for developers to write their own adapters, data stores, and other components, for specific systems.

Bundled adapters

PingFederate comes bundled with a set of adapters.

Identifier First Adapter
When a variety of user types authenticate at PingFederate, it is often better to ask the user for their identifier first, determine their user population, and prompt the user with the desired authentication requirements and experience. The Identifier First Adapter is designed to handle this use case. For more information, see Identifier First Adapter.
HTML Form Adapter
Used in conjunction with Password Credential Validators. These adapters provide integration with user data stores in directory servers or locally. For more information, see HTML Form Adapter.
Kerberos Adapter
Provides a seamless desktop SSO experience for Windows environments and supports authentication mechanism assurance from the Active Directory domain service. For new configurations and as a simpler alternative to the separately available IWA Integration Kit, use this adapter. For more information, see Kerberos Adapter.
OpenToken Adapter
Provides a generic interface for integrating with various applications, including Java- and .NET-based applications. For more information, see OpenToken Adapter.
Composite Adapter
Allows multiple configured IdP adapters to execute in sequence. Depending on the authentication context, use this capability, called adapter chaining, for either single-adapter usage or to support multi-factor authentication through a series of adapters. For more information, see Composite Adapter.
HTTP Basic Adapter
Used in conjunction with Password Credential Validators. These adapters provide integration with user data stores in directory servers or locally. For more information, see HTTP Basic Adapter.
PingID
PingID is a cloud-based authentication service that binds user identities to their devices, making it an effective multi-factor authentication solution. For more information, see the PingID documentation.
PingOne MFA Adapter
Allows PingFederate to use the PingOne MFA service for multi-factor authentication (MFA). For more information, see PingOne MFA Integration Kit.
PingOne Protect Adapter
When a user signs on through PingFederate, the adapter sends the transaction information to the PingOne Protect service and retrieves a risk evaluation and other information about the user's current and previous transactions. For more information, see PingOne Risk Integration Kit.

Bundled authentication selectors

PingFederate provides plugin authentication selectors, which enable dynamic selection of authentication sources based on administrator-specified criteria. Along with the Composite Adapter and token authorization, the selectors enable dynamic integration with an organization's authentication or authorization policies, also known as adaptive federation.

Tip: To select subsequent selectors or authentication sources for handling complex hierarchical access-policy decisions, use the results of authentication-selection criteria evaluation. For more information, see Authentication policies.
CIDR Authentication Selector
Provides a means of choosing authentication sources or other selectors at runtime based on whether an end-user's IP address falls within specified ranges using Classless Inter-Domain Routing (CIDR) notation. This selector allows administrators to determine, for example, whether an SSO request originates inside or outside the corporate firewall and use different authentication integration accordingly. For more information, see Configuring the CIDR Authentication Selector.
Cluster Node Authentication Selector
Provides a means of picking authentication sources or other selectors at runtime based on the PingFederate cluster node that is servicing the request. For example, you can configure this selector to choose whether PingFederate attempts Integrated Windows Authentication based on the PingFederate cluster node with which a Key Distribution Center is associated. For more information, see Configuring the Cluster Node Authentication Selector.
Connection Set Authentication Selector
Provides a means of selecting authentication sources or other selectors at runtime based on a match found between the target SP connection used in an SSO request and SP connections configured within PingFederate. For example, administrators with different requirements for SP connections can override connection adapter selection on an individual connection basis. For more information, see Configuring the Connection Set Authentication Selector.
Extended Property Authentication Selector
Enables PingFederate to choose configured authentication sources or other selectors based on a match found between a selector result value and an extended property value from the invoking browser-based SSO connections or OAuth client. For more information, see Configuring the Extended Property Authentication Selector.
HTTP Header Authentication Selector
Provides a means of choosing authentication sources or other selectors at runtime based on a match found using wildcard expressions in an HTTP header. This selector allows administrators to determine, for example, authentication behavior based on the type of browser. For more information, see Configuring the HTTP Header Authentication Selector.
HTTP Request Parameter Authentication Selector
Provides a means of selecting authentication sources or other selectors at runtime based on query parameter values in the HTTP request. For more information, see Configuring the HTTP Request Parameter Authentication Selector.
OAuth Client Set Authentication Selector
Enables PingFederate to choose configured authentication sources or other selectors based on a match found between the client information in an OAuth request and the OAuth clients configured in the PingFederate OAuth authorization server (AS). This selector allows you to override client authentication selection on an individual client basis in one or more authentication policies. For more information, see Configuring the OAuth Client Set Authentication Selector.
OAuth Scope Authentication Selector
Provides a means of selecting authentication sources or other selectors at runtime based on a match found between the scopes of an OAuth authorization request and scopes configured in the PingFederate OAuth authorization server (AS). For example, if a client requires write access to a resource, administrators can configure the selector to choose an adapter that offers a stronger form of authentication such as the X.509 client certificate rather than username and password. For more information, see Configuring the OAuth Scope Authentication Selector.
Requested AuthN Context Authentication Selector
Provides a means of picking authentication sources or other selectors at runtime based on the authentication context requested by an SP, for SP-initiated SSO. Configured authentication sources are mapped either to SAML-specified contexts or any ad-hoc context agreed upon between the IdP and SP partners. For more information, see Configuring the Requested AuthN Context Authentication Selector.
Session Authentication Selector
Enables PingFederate to choose a policy path at runtime based on whether the user already has a PingFederate authentication session for a particular source. For more information, see Configuring the Session Authentication Selector.
Note: Authentication selectors rely on HTTP requests, HTTP headers, POST data, or a combination of them. Ensure that standard security measures are in place when using these selectors.
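
The following is an added conceptual example, not PingFederate code or configuration. It models CIDR-based selection together with the note above: a forwarded-address header is request data, so it is consulted only when the connection comes from a trusted proxy. The ranges, the `X-Forwarded-For` handling, and the branch names `kerberos` and `html_form_with_mfa` are assumptions made for illustration.

```python
import ipaddress

# Constructed sample ranges (assumptions, not taken from the PingFederate docs).
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.0/24")]
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("172.16.0.0/28",)]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def client_ip(peer_ip, headers):
    """Return the address to test against the CIDR ranges, or None.

    X-Forwarded-For is client-supplied data. It is read only when the TCP
    peer is a trusted proxy, and it is walked right to left so that entries
    a client placed in front are never reached before the proxy's own entry.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _in_any(peer, TRUSTED_PROXIES):
        return peer  # direct connection: ignore any forwarded header
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: origin cannot be established
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    return None  # no usable entry behind the proxy


def select_auth_source(peer_ip, headers):
    """Pick a policy branch (hypothetical names) from the resolved address.

    An unresolved origin falls through to the stronger, external branch.
    """
    addr = client_ip(peer_ip, headers)
    if addr is not None and _in_any(addr, INTERNAL_RANGES):
        return "kerberos"
    return "html_form_with_mfa"
```

Any selector criterion drawn from headers, query parameters, or POST data calls for the same treatment: decide which network hop is allowed to assert the value, and fall back to the stricter authentication path when that cannot be established.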

Integration kits

Ping Identity regularly develops and maintains integration kits and adapters to work with applications and leading identity management systems. Download available kits from the Ping Identity Downloads website. Ping Identity also adds additional authentication selectors to the download site. Contact sales@pingidentity.com to discuss specific authentication-selection capabilities.

Software development kit (SDK)

The PingFederate SDK provides a flexible means of creating custom adapters to integrate federated identity management into your system environment. For more information, see the PingFederate SDK Developer's Guide.