Setting pseudonym and masking options - PingFederate - 11.2

PingFederate Server

bundle
pingfederate-112
ft:publication_title
PingFederate Server
Product_Version_ce
PingFederate 11.2
category
Administrator
Administratorguide
Audience
Capability
ContentType
DeploymentMethod
Guide
Product
Productdocumentation
SingleSignonSSO
Software
SystemAdministrator
pf-112
pingfederate
ContentType_ce
Guide
Guide > Administrator Guide
Product documentation

You can set pseudonym and masking options to uniquely identify a user to your PingFederate SP partners.

  1. Go to Authentication > Integration > IdP Adapters and click the identity provider (IdP) adapter instance that you want to change.
  2. On the Adapter Attributes tab, do the following:
    1. Optional: From the Unique User Key Attribute list, select an attribute to uniquely identify users signing on with this adapter.

      The attribute's value is used to identify user sessions across all adapters. None is selected by default.

      Note:

      If you choose a custom user key attribute, PingFederate uses the value of the attribute after the Adapter Contract Mapping (if any) has been evaluated. If you choose a custom user key attribute that is based on the username, configure the adapter's password credential validator (PCV)password credential validator (PCV)PCV Configures a centralized location for user credential validation. The validator instances can then be referenced by PingFederate to trim spaces.

      Important:

      For the HTML Form Adapter, If you enabled the Revoke Sessions after Password Change or Reset option on the IdP Adapter tab, you cannot select None as the unique user key attribute. Doing so results in an error message.

    2. Select the check box under Pseudonym for the user identifier of the adapter and optionally for the other attributes, if available.

      This selection is used if any of your service provider (SP)service provider (SP)SP In SAML, an entity that receives and accepts an authentication assertion issued by an identity provider (IdP), typically for the purpose of allowing access to a protected resource. partners use pseudonyms for account linking.

      Note:

      A selection is required whether or not you use pseudonyms for account linking. This allows account linking to be used later without having to delete and reconfigure the adapter. Ensure that you choose at least one attribute that is unique for each user, such as a user's email, to prevent assigning the same pseudonym to multiple users.

    3. Select the check box under Mask Log Values for any attributes whose values you want PingFederate to mask in its logs at runtime.
      Note:

      Masking is not applied to the unique user key attribute in the logs even though the attribute used for the key is marked as Mask Log Values.

    4. Select the Mask all OGNL-expression generated log values check box if OGNL expressions might be used to map derived values into outgoing assertions and you want those values masked.