Setting up PingDirectory for customer identities - PingFederate - 11.0

PingFederate Server


PingFederate can optionally store customer identities in PingDirectory. After you have installed PingDirectory, update the LDAP schema with a new object class and a couple of attributes to store customer identities and their connections.

Update the LDAP schema with the new object class and attributes using the LDIF file provided with PingFederate. To optimize performance, also apply the corresponding index updates to the directory. In addition, you must configure in PingFederate an LDAP datastore connection to your PingDirectory and an LDAP Username Password Credential Validator instance so that the HTML Form Adapter can validate user credentials. If you have previously created these components, you can reuse them.

Note:

Skip this configuration if your use case does not involve registration or profile management. For more information, see Enabling third-party identity providers without registration.

  1. Update the LDAP schema.
    1. Sign on to the PingDirectory administrative console.
    2. Go to the LDAP Schema > Schema Utilities screen.
    3. Click Import Schema Element.
    4. Copy the schema changes from the <pf_install>/pingfederate/server/default/conf/local-identity/ldif-scripts/local-identity-pingdirectory.ldif file and paste them into the text area.
      If you are creating a new organizational unit as part of the LDIF import, edit the DN information.
    5. Click Import.
  2. Create an equality index for the pf-connected-identity attribute.
    1. Use PingDirectory's dsconfig utility to create this index. The dsconfig utility is interactive, but you can also provide all inputs as command-line arguments. For example, the following sample creates the pf-connected-identity equality index non-interactively.
      $ bin/dsconfig create-local-db-index \
          --backend-name userRoot \
          --index-name pf-connected-identity \
          --set index-type:equality \
          --no-prompt
      Note:

      If you choose not to use the --no-prompt option, the default presented by dsconfig is the correct option.

    2. After adding the index, stop the PingDirectory server.
    3. Use the rebuild-index utility to build the index. For instance, the following sample builds the required index.
      $ bin/rebuild-index \
          --baseDN "dc=example,dc=com" \
          --index pf-connected-identity
    4. Restart the PingDirectory server.
  3. Create an LDAP datastore connection to your PingDirectory on System > Data Stores.

    If you have already created an LDAP datastore connection to your PingDirectory, you can reuse it.

  4. Create an instance of the LDAP Username Password Credential Validator on System > Password Credential Validators to validate user credentials stored in PingDirectory.

    If you have already created an LDAP Username Password Credential Validator instance, you can reuse it.

    Note:

    Later you will create a local identity profile as part of the customer IAM configuration. The Search Base value here should match the Base DN value defined in the local identity profile. For more information, see Configuring LDAP base DN and attributes.
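The note above is easy to get wrong in practice: if the credential validator's Search Base and the local identity profile's Base DN point at different subtrees, registration writes identities where sign-on cannot find them. The following check, written for this page and not part of PingFederate or PingDirectory, compares the two values after normalizing the DNs (case, whitespace, escaped commas). The JSON shapes, the "Search Base" field name, the dataStoreConfig.baseDn property and the object IDs are assumptions modelled on the PingFederate admin API, and the two documents are constructed samples.

```python
import json
import re

# Constructed sample: an LDAP Username Password Credential Validator as
# returned by the admin API (field names are an assumption, not from this page).
PCV_JSON = r'''{
  "id": "pdValidator",
  "name": "PingDirectory PCV",
  "configuration": {"fields": [
    {"name": "LDAP Datastore", "value": "LDAP-PingDirectory"},
    {"name": "Search Base", "value": "OU=People, DC=Example, DC=com"},
    {"name": "Search Filter", "value": "uid=${username}"}
  ]}
}'''

# Constructed sample: the local identity profile's data store configuration
# (property names are an assumption).
PROFILE_JSON = r'''{
  "id": "customerProfile",
  "name": "Customer identity profile",
  "dataStoreConfig": {"type": "LDAP",
                      "dataStoreRef": {"id": "LDAP-PingDirectory"},
                      "baseDn": "ou=people,dc=example,dc=com"}
}'''


def normalize_dn(dn):
    """Canonical form for comparing DNs: split on unescaped commas, trim
    whitespace around each RDN and its '=', lowercase type and value.
    Lowercasing values is valid for the case-insensitive attribute types
    normally used in a search base (dc, ou, o)."""
    parts = []
    for rdn in re.split(r'(?<!\\),', dn):
        attr, _, value = rdn.strip().partition('=')
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ','.join(parts)


def pcv_search_base(pcv):
    """Extract the Search Base field from a credential validator document."""
    for field in pcv["configuration"]["fields"]:
        if field["name"] == "Search Base":
            return field["value"]
    raise KeyError("Search Base field not found in PCV configuration")


def check_search_base_alignment(pcv_json, profile_json):
    """Return (aligned, pcv_search_base, profile_base_dn)."""
    pcv_base = pcv_search_base(json.loads(pcv_json))
    profile_base = json.loads(profile_json)["dataStoreConfig"]["baseDn"]
    return normalize_dn(pcv_base) == normalize_dn(profile_base), pcv_base, profile_base


if __name__ == "__main__":
    ok, a, b = check_search_base_alignment(PCV_JSON, PROFILE_JSON)
    print("aligned" if ok else f"MISMATCH: PCV Search Base {a!r} vs profile Base DN {b!r}")
```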