Troubleshooting - PingFederate - 11.2

  • Exporting the signing certificate
  • Importing the certificate to trusted CAs
  • Configuring properties files
  • License management
  • Reviewing license information
  • Requesting a new license key
  • Installing a license key on a new or upgraded PingFederate server
  • Installing a replacement license key
  • Configuring notification for licensing events
  • Configuration archive
  • Configuring a backup schedule
  • Exporting an archive
  • Importing and deploying administrative console configuration data
  • Cluster management
  • Replicating configurations
  • Virtual host names
  • Configuring virtual host names
  • Extended properties
  • Defining extended properties
  • Log settings
  • Removing the Log Settings window
  • General settings
  • Metadata
  • Metadata settings
  • Entering system information
  • Configuring metadata signing
  • Configuring metadata lifetime
  • Reviewing metadata settings
  • Metadata export
  • Exporting connection-specific SAML metadata
  • Exporting selected SAML metadata
  • File signing
  • Signing XML files
  • Monitoring and notifications
  • Runtime notifications
  • Configuring runtime notifications
  • Datastores
  • Adding a new datastore
  • Configuring a PingOne LDAP Gateway datastore
  • Configuring a JDBC connection
  • Configuring an LDAP connection
  • Setting advanced LDAP options
  • Proxied authorization
  • Allowing PingFederate to unlock PingDirectory accounts
  • Configuring the password validation details request control ACI
  • Defining a custom LDAP type for outbound provisioning
  • Configuring other types of datastores
  • Configuring a REST API datastore
  • Configuring a custom datastore
  • Defining a datastore for persistent authentication sessions
  • Configuring an external database for authentication sessions
  • Configuring PingDirectory for authentication sessions
  • Configuring an Amazon DynamoDB for persistent authentication sessions
  • Using custom solutions for persistent session storage
  • OAuth grant datastores
  • Configuring external databases for grant storage
  • Configuring directories for grant storage
  • Indexing grant attributes in PingDirectory
  • Using custom solutions for grant storage
  • Configuring an Amazon Dynamo database for persistent grants
  • OAuth client datastores
  • Configuring external databases for client storage
  • Configuring directories for client storage
  • Indexing client attributes in PingDirectory
  • Using custom solutions for client storage
  • Account-linking datastores
  • Configuring external databases for account-link storage
  • Configuring directories for account-link storage
  • Password Credential Validators
  • Choosing a Password Credential Validator
  • Password Credential Validator instance configurations
  • Configuring the LDAP Username Password Credential Validator
  • Configuring the PingOne for Enterprise Directory Password Credential Validator
  • Configuring the RADIUS Username Password Credential Validator
  • Configuring the Simple Username Password Credential Validator
  • Extending the contract for the credential validator
  • Finishing the Password Credential Validator instance configuration
  • Active Directory and Kerberos
  • Configuring Active Directory domains or Kerberos realms
  • Multiple-domain support
  • Configuring the Active Directory environment
  • Adding Active Directory domains and Kerberos realms
  • Managing domain connectivity settings
  • External systems
  • Connections to PingOne
  • Creating connections to PingOne
  • Modifying connections to PingOne
  • Editing connection names and descriptions
  • Disabling and enabling connections
  • Replacing connection credentials
  • Modifying which environments connections can access
  • Connections to PingOne for Enterprise
  • Configuring identity repository settings
  • Use Cases
  • Configuring the RADIUS server to integrate PingID with your VPN
  • Configuring provisioning to PingID
  • Reviewing the PingID VPN (RADIUS) configuration
  • Confirmation
  • Complete
  • Managing PingOne for Enterprise settings
  • Configuring PingOne for Enterprise settings
  • Configuring PingOne for Enterprise SSO settings
  • Enabling and configuring the built-in RADIUS server to integrate PingID with your VPN
  • Configuring SSO from the PingOne for Enterprise admin portal to the PingFederate administrative console
  • Monitoring PingFederate from the PingOne for Enterprise admin portal
  • Updating the PingOne for Enterprise identity repository
  • Managing CAPTCHA providers
  • Managing SMS provider settings
  • Managing notification publisher instances
  • Defining a notification publisher instance
  • Notification publisher instance configurations
  • Configuring an Amazon SNS Notification Publisher instance
  • Event types and variables
  • Configuring an SMTP Notification Publisher instance
  • Finalizing actions for a notification publisher instance
  • Reviewing a notification publisher instance configuration
  • Secret managers
  • Integrating with the CyberArk Credential Provider
  • CyberArk's authentication methods
  • Configuring instances of the secret manager plugin for the CyberArk Credential Provider
  • Using passwords in secret managers to access datastores
  • Troubleshooting
  • Enabling console logging
  • Resolving startup issues
  • Troubleshooting data store issues
  • Resolving URL-related errors
  • Resolving service-related errors
  • Troubleshooting authentication policy issues
  • Troubleshooting registration and profile management issues
  • Troubleshooting runtime errors
  • Activating tracking ID in templates
  • Correlating log messages by PF cookie
  • Correlating log messages by tracking ID
  • Correlating PingFederate events with PingDirectory LDAP activities
  • Troubleshooting OAuth transactions
  • Reviewing an OAuth request and various OAuth settings
  • Other runtime issues
  • Collecting support data
  • WS-Trust STS configuration
  • Server settings
  • Enabling the WS-Trust protocol
  • Configuring STS authentication
  • Identity provider STS configuration
  • Managing token processors
  • Selecting a token processor type
  • Configuring a token processor instance
  • Configuring a Username Token Processor instance
  • Configuring a Kerberos Token Processor instance
  • Configuring an OAuth Token Processor instance
  • Configuring a JSON Web Token Processor instance
  • Configuring a SAML Token Processor instance
  • Extending a token processor contract
  • Setting attribute masking
  • Reviewing the token processor configuration
  • Managing STS request parameters
  • Creating a request contract
  • Configuring SP connections for STS
  • Configuring protocol settings for IdP STS
  • Setting a token lifetime
  • Configuring token creation
  • Defining an attribute contract for IdP STS
  • Selecting a request contract
  • Managing IdP token processor mappings
  • Selecting a token processor instance
  • Overriding a token processor instance
  • Restricting a token processor to certain virtual server IDs
  • Selecting an attribute retrieval method for token creation
  • Configuring attribute sources and user lookup for token creation
  • Configuring contract fulfillment for token creation
  • Defining issuance criteria for token creation
  • Reviewing the IdP token processor mapping
  • Selecting a request error handling method
  • Reviewing the token creation configuration
  • Reviewing the IdP STS settings
  • Service provider STS configuration
  • Managing token generators
  • Selecting a token generator type
  • Configuring a token generator instance
  • Extending a token generator contract
  • Reviewing the token generator configuration
  • Configuring IdP connections for STS
  • Configuring protocol settings for SP STS
  • Configuring token generation
  • Defining an attribute contract for SP STS
  • Managing SP token generator mappings
  • Selecting a token generator instance
  • Overriding a token generator instance
  • Restricting a token generator to certain virtual server IDs
  • Selecting an attribute retrieval method for token generation
  • Configuring contract fulfillment for token generation
  • Defining issuance criteria for token generation
  • Reviewing the SP token generator mapping
  • Reviewing the token generation configuration
  • Reviewing the SP STS configuration
  • Performance Tuning Guide
  • Logging
  • Operating system tuning
  • Linux tuning
  • Windows tuning
  • Concurrency
  • Tuning the acceptor queue size
  • Tuning the server thread pool
  • Configuring connection pools to datastores
  • Memory
  • JVM heap
  • The memoryoptions utility
  • memoryoptions and installation
  • memoryoptions and upgrade
  • Restoring the preserved JVM options
  • Fine-tuning JVM options
  • Hardware security modules
  • Configuration at scale
  • References
  • PingFederate Monitoring Guide
  • Resource metrics
  • Runtime monitoring using JMX
  • Connecting with JMX
  • Connecting to a local process
  • Connecting to a remote process
  • Liveliness and responsiveness
  • Monitoring
  • Thread pool
  • Logging, reporting, and troubleshooting
  • Creating an error-only server log
  • Splunk dashboards and audit logs
  • SDK Developer's Guide
  • SDK directory structure
  • Developing your own plugin
  • Implementation guidelines
  • Shared plugin interfaces
  • Developing IdP adapters
  • Developing authentication API-capable adapters and selectors
  • Authentication API states, actions, and models
  • Specification of the plugin API
  • State model example
  • Action model example
  • AuthnStateSpec and AuthnActionSpec objects
  • Error specifications
  • State model contents
  • Non-interactive plugins
  • Runtime behavior implementation
  • Checking for actions
  • Extracting models from requests
  • Performing additional validation
  • Handling invalid action IDs
  • Handling authentication error exceptions
  • Sending API responses
  • Returning authentication statuses
  • Session state management
  • Error messages and localization
  • Developing SP adapters
  • Developing token processors
  • Developing token generators
  • Developing authentication selectors
  • Developing data source connectors
  • Developing password credential validators
  • Developing identity store provisioners
  • IdentityStoreProvisionerWithFiltering interface implementation
  • IdentityStoreUserProvisioner interface implementation
  • Developing notification publishers
  • Building and deploying with Ant
  • Building and deploying manually
  • Log messages
  • Developer's Reference Guide
  • OAuth 2.0 endpoints
  • Authorization endpoint
  • Client-initiated backchannel authentication endpoint
  • Token endpoint
  • OAuth grant type parameters
  • Introspection endpoint
  • Token revocation endpoint
  • Grant-management endpoint
  • Dynamic client registration endpoint
  • Device authorization endpoint
  • User authorization endpoint
  • OpenID Provider configuration endpoint
  • OAuth authorization server metadata endpoint
  • UserInfo endpoint
  • Pushed authorization requests endpoint
  • OAuth Playground
  • Web service interfaces and APIs
  • Connection Management Service
  • Exporting a connection
  • Importing connections
  • Deleting connections
  • Cluster configuration replication
  • Validation disclaimer
  • SSO Directory Service
  • Coding example
  • SOAP request and response examples
  • OAuth Client Management Service
  • OAuth Access Grant Management Service
  • OAuth Persistent Grant Management API
  • Session Management API by session identifiers
  • Session Management API by user identifiers
  • Session Revocation API endpoint
  • PingFederate administrative API
  • Configure access to the administrative API
  • Enabling native authentication for the administrative API
  • Enabling LDAP authentication
  • Enabling RADIUS authentication
  • Enabling certificate-based authentication
  • Enabling OAuth 2.0 authorization
  • Accessing the API interactive documentation
  • Application endpoints
  • IdP endpoints
  • SP endpoints
  • SP services
  • SCIM inbound provisioning endpoints
  • System-services endpoints
  • Constructing an alternative metadata exchange endpoint
  • Authentication API
  • Exploring the authentication API
  • Mobile application authentication through REST APIs
  • Device authorization through mobile applications
Page created: 5 Jul 2022 | Page updated: 5 Jul 2022 | 2 min read

Guide: Administrator Guide | Content Type: Product documentation | 11.2 | Capability: Single Sign-on (SSO) | Deployment Method: Software | Audience: Administrator, System Administrator | Product: PingFederate

Basic troubleshooting tips are provided here to help you overcome common difficulties with PingFederate.

  • Enabling debug messages and console logging
  • Resolving startup issues
  • Troubleshooting data store issues
  • Resolving URL-related errors
  • Resolving service-related errors
  • Troubleshooting authentication policy issues
  • Troubleshooting registration and profile management issues
  • Troubleshooting runtime errors
  • Troubleshooting OAuth transactions
  • Other runtime issues
  • Collecting support data

Help is also available from the Support Center.
