1. Go to Authentication > Token Exchange > Token Processors to open the Token Processors window.
  2. Select an existing token processor instance by clicking its name in the Instance Name section, or create a new instance by clicking Create New Instance.
    This opens the Create Token Processor Instance configuration window.
  3. On the Instance Configuration tab, configure the basics of this token processor instance.
    1. If you have not yet defined the desired Password Credential Validator instance, click Manage Password Credential Validators to do so.
    2. Click Add a new row to 'Credential Validators' to select a credential-authentication mechanism instance for this adapter instance.
    3. From the Password Credential Validator Instance list, select a Password Credential Validator instance. Click Update.
      Add as many validators as necessary. Use the up and down arrows to adjust the order in which you want PingFederate to attempt credential authentication. If the first mechanism fails to validate the credentials, PingFederate moves sequentially through the list until credential validation succeeds. If none of the Password Credential Validator instances can authenticate the user's credentials, and the challenge retries maximum has been reached, the process fails.

      If usernames overlap across multiple Password Credential Validator instances, this failover setup could lock out those accounts in their source locations.

    4. In the Field Value section, enter a value in the Authentication Attempts field.

      When the number of login failures reaches this threshold, the user is locked out for a period of time.

      The default value is 3.
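
The failover caveat above, as an added Python model (not PingFederate code or configuration): validators are tried in order, and a username that exists in more than one source accumulates failures in the earlier source even when the login as a whole succeeds. The directory names, passwords, and the per-source lockout threshold of 3 are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class SourceDirectory:
    """Constructed stand-in for the user store behind one Password Credential Validator."""
    name: str
    passwords: dict          # username -> password (constructed sample data)
    lockout_threshold: int   # the source's own lockout policy (assumed)
    failures: dict = field(default_factory=dict)

    def locked(self, user):
        return self.failures.get(user, 0) >= self.lockout_threshold

    def validate(self, user, password):
        if user not in self.passwords or self.locked(user):
            return False
        if self.passwords[user] == password:
            self.failures[user] = 0
            return True
        # A wrong password counts against the account in THIS source.
        self.failures[user] = self.failures.get(user, 0) + 1
        return False


def authenticate(chain, user, password):
    """Try validators in configured order; return the name of the first that succeeds."""
    for source in chain:
        if source.validate(user, password):
            return source.name
    return None


def overlapping_usernames(chain):
    """Usernames present in more than one source: the accounts at risk of lockout."""
    seen, overlap = set(), set()
    for source in chain:
        names = set(source.passwords)
        overlap |= seen & names
        seen |= names
    return overlap


def demo():
    corp = SourceDirectory("corp-ldap", {"alice": "corp-pw", "bob": "b-pw"}, 3)
    partner = SourceDirectory("partner-ldap", {"alice": "partner-pw"}, 3)
    chain = [corp, partner]
    # alice signs in three times with her valid partner password.
    results = [authenticate(chain, "alice", "partner-pw") for _ in range(3)]
    return overlapping_usernames(chain), results, corp.locked("alice")
```

Running `overlapping_usernames` over an export of each source's usernames before ordering the validators identifies the accounts to deduplicate or route to a single validator.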