On the Authentication Source Mapping tab, you can map identity provider (IdP) adapters and authentication policies to authenticate users to your service provider (SP).
IdP adapters are responsible for handling user authentication as part of a single sign-on (SSO) operation. A configured adapter in PingFederate is known as an adapter instance.
In a basic scenario, you map an IdP adapter instance to an SP connection on the Authentication Source Mapping tab and complete its mapping configuration through a series of subtasks. When a user starts an SSO request, the corresponding IdP adapter is triggered to authenticate the user. Upon successful authentication, PingFederate creates and sends an SSO token to the SP based on the connection settings. As needed, you can map multiple IdP adapter instances to an SP connection, the same IdP adapter instance to multiple SP connections, or a combination of them.
If you use authentication policies to route users through a series of authentication sources and end each successful policy path with an authentication policy contract (APC), you can map the APC to your connection. Like IdP adapter instances, you can map multiple APCs to an SP connection, the same APC to multiple SP connections, or a combination of them.
For more information about authentication policies and contracts, see Authentication policies.
You can also map one or more APCs to an SP connection to bridge a service provider to one or more identity providers. In this scenario, PingFederate is a federation hub for both sides. PingFederate uses APCs to associate this SP connection with the applicable IdP connections to the identity providers. Each APC has its own set of attributes, whose values you map to the SSO tokens.
For more information about the federation hub, see Federation hub use cases.
Regardless of how many IdP adapter instances and APCs are mapped to an SP connection, PingFederate uses only one adapter instance or policy path to authenticate a user. You can leave the decision to the users or create authentication policies to mandate authentication requirements. Because each adapter instance or APC could return different user attributes, each mapping must define how the attribute contract is fulfilled in its mapping configuration.
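Because any one of the mapped sources may end up authenticating the user, it is worth checking that every mapping fulfills the same attribute contract. The following is an added example, not PingFederate code: it audits a constructed, simplified description of one SP connection, and the field names, instance names and attribute names are assumptions made for illustration rather than PingFederate's export or API schema.

```python
# Constructed, simplified model of one SP connection. Field names, source
# names and attributes are assumptions for this example only.
SP_CONNECTION = {
    "name": "sp.example.com",
    "attribute_contract": ["subject", "email", "groups"],
    "mappings": [
        {"type": "adapter", "source": "HtmlFormInstance",
         "fulfillment": {"subject": "username", "email": "mail",
                         "groups": "memberOf"}},
        {"type": "apc", "source": "MfaContract",
         "fulfillment": {"subject": "subject", "email": "mail"}},
        {"type": "adapter", "source": "KerberosInstance",
         "fulfillment": {"subject": "principal", "email": "",
                         "groups": "memberOf", "dept": "ou"}},
    ],
}


def audit_mappings(connection):
    """Return one finding per mapping that does not fulfill the contract.

    'missing' lists contract attributes with no value (absent or empty);
    'extra' lists fulfilled attributes that the contract does not define.
    """
    contract = set(connection["attribute_contract"])
    findings = []
    for mapping in connection["mappings"]:
        fulfillment = mapping["fulfillment"]
        fulfilled = {name for name, value in fulfillment.items() if value}
        missing = sorted(contract - fulfilled)
        extra = sorted(set(fulfillment) - contract)
        if missing or extra:
            findings.append({
                "source": mapping["source"],
                "type": mapping["type"],
                "missing": missing,
                "extra": extra,
            })
    return findings


if __name__ == "__main__":
    for f in audit_mappings(SP_CONNECTION):
        print(f"{f['type']} {f['source']}: "
              f"missing={f['missing']} not-in-contract={f['extra']}")
```

A mapping that leaves a contract attribute empty would send the SP a token that differs depending on which adapter instance or policy path authenticated the user, which is the inconsistency this check surfaces.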