IdP adapters are responsible for handling user authentication as part of an single sign-on (SSO) operation. A configured adapter in PingFederate is known as an adapter instance.

In a basic scenario, you map an IdP adapter instance to a SP connection on the Authentication Source Mapping tab and complete its mapping configuration through a series of sub tasks. When a user starts an SSO request, the corresponding IdP adapter is triggered to authenticate the user. Upon successful authentication, PingFederate creates and sends an SSO token to the SP based on the connection settings. As needed, you can map multiple IdP adapter instances to an SP connection, the same IdP adapter instance to multiple SP connections, or a combination of them.

If you use authentication policies to route users through a series of authentication sources and end each successful policy path with an authentication policy contract (APC), you can map the APC to your connection. Like IdP adapter instances, you can map multiple APCs to an SP connection, the same APC to multiple SP connections, or a combination of them.


For more information about authentication policies and contracts, see Authentication policies.

You can also map one or more APCs to an SP connection to bridge a service provider to one or more identity providers. In this scenario, PingFederate is a federation hub for both sides. PingFederate uses APCs to associate this SP connection with the applicable IdP connections to the identity providers. Each APC has its own set of attributes which you map values to the SSO tokens.


For more information about the federation hub, see Federation hub use cases.

Regardless of how many IdP adapter instances and APCs are mapped to an SP connection, PingFederate uses only one adapter instance or policy path to authenticate a user. You can leave the decision to the users or create authentication policies to mandate authentication requirements. Because each adapter instance or APC could return different user attributes, each mapping must define how the attribute contract is fulfilled in its mapping configuration.

  1. For initial steps to configure SP connections, see Accessing SP connections.
  2. For initial steps to configure Browser SSO, see Configure IdP Browser SSO.
  3. For initial steps to configure assertion creation. see Configuring SSO token creation.
  4. On the Authentication Source Mapping tab, select one of the following.
    • Click Map New Adapter Instance to map a new IdP Adapter instance. For more information, see Mapping an adapter instance.
    • Click Map New Authentication Policy to map a new APC. For more information, see Mapping an authentication policy
    • Click on an existing instance to edit its configuration.
    • Click Delete to remove an existing adapter instance or APC. Click undelete to cancel the removal request
    When authentication sources, such as IdP adapter instances or connection mapping contracts, are restricted to certain virtual server IDs, the allowed IDs are displayed under Virtual Server IDs.
  5. When your authentication sources have been mapped, click Next save your changes.