Configuring local identity mapping - PingFederate - 11.1

PingFederate Server

bundle
pingfederate-111
ft:publication_title
PingFederate Server
Product_Version_ce
PingFederate 11.1
category
Administrator
Audience
Capability
DeploymentMethod
Product
SingleSignonSSO
Software
SystemAdministrator
pf-111
pingfederate
ContentType_ce

You can configure your local identity mapping in the PingFederate administrative console.

  1. On the Inbound Mapping tab, configure the attribute mappings for registration and profile management.
    Note:

    At runtime, PingFederate fulfills the value of the pf.local.identity.unique.id built-in local identity field based on this configuration and passes the value to PingDirectory. PingDirectory uses this value to determine whether such identity has already been created. The pf.local.identity.unique.id field value should therefore be mapped from the subject identifier of the preceding authentication source. You can also map other local identity fields so that PingFederate can streamline the registration process by pre-populating values on the registration page.

    Note:

    This configuration overrides the default field values configured within the local identity profile. For more information, see Configure a local identity field.

    This tab does not apply and stays hidden if your use case does not involve registration and profile management. See Enabling third-party identity providers without registration.

  2. Optional: On the Attribute Sources & User Lookup tab, click Add Attribute Source to configure datastore queries.
  3. On the Contract Fulfillment tab, fulfill the authentication policy contract associated with the selected local identity profile.

    If the selected closed-ended path contains more than one authentication source, you have access to attributes obtained successfully from the previous authentication sources along the same path.

    For example, select your local identity profile under Source and the desired local identity field under Value.

    Note:

    If your use case does not involve registration or profile management, the source of fulfillment is limited to the preceding identity provider (IdP) connection or IdP adapter instance, dynamic text, attribute mapping expression, if enabled, and tracked HTTP request parameter, if configured.

  4. Optional: On the Issuance Criteria tab, configure conditions to be validated before issuing an authentication policy contract. For more information, see Defining issuance criteria for contract or local identity mapping.
  5. On the Summary tab, review your configuration, modify as needed, and then click Done.
  6. On the Policy window, continue with the rest of your policy configuration.