Managing target session mappings - PingFederate - 11.3

PingFederate Server

bundle
pingfederate-113
ft:publication_title
PingFederate Server
Product_Version_ce
PingFederate 11.3 (Latest)
category
Administrator
Administratorguide
Audience
Capability
ContentType
DeploymentMethod
Guide
Product
Productdocumentation
SingleSignonSSO
Software
SystemAdministrator
pf-113
pingfederate
ContentType_ce
Product documentation
Guide > Administrator Guide
Guide

You can map a service provider (SP) adapter instance to an identity provider (IdP) connection and complete its mapping configuration through a series of sub tasks.

When PingFederate receives an SSO token, the corresponding SP adapter is triggered to fulfill its adapter contract based on the connection settings for the purpose of completing the "last-mile" integration with your application. As needed, you can map multiple SP adapter instances to an IdP connection, the same SP adapter instance to multiple IdP connections, or a combination of them.

Alternatively, if you use authentication policies to route users through a series of authentication sources and end each successful policy path with an authentication policy contract (APC), you can skip the mapping of an APC to an IdP connection and configure an APC-to-SP adapter instance mapping configuration.

Tip:

To learn more about authentication policies, see Authentication policies.

Furthermore, you can map one or more APCs to an IdP connection to bridge an identity provider to one or more service providers. In this scenario, PingFederate is a federation hub for both sides. PingFederate uses APCs to associate this IdP connection with the applicable SP connections to the service providers; each APC has its own set of attributes to which you can map values from the SSO tokens.

Tip:

To learn more about federation hub, see Federation hub use cases.

On the Target Session Mapping tab, if presented, you must associate at least one target session, an SP adapter instance or an authentication policy contract, with an IdP connection. If you have multiple integration requirements, for example, if you are using more than one IdM system or an application not covered by a centralized system, multiple SP adapter instances. If you are bridging an identity provider to multiple service providers, map multiple authentication policy contracts.

The Target Session Mapping configuration does not apply when the No Mapping option is selected on the Identity Mapping tab.

On the Target Session Mapping tab:
ChoiceAction
Map an SP adapter instance Click Map New Adapter Instance.
Map an APC Click Map New Authentication Policy.
Edit the mapping configuration of an SP adapter instance or APC Open it by clicking on its name, select the setting that you want to reconfigure, and complete the change.
Remove an SP adapter or APC or cancel the removal request Click Delete followed by Save or Undelete.
If you are creating a new connection and you are finished with mapping the required target sessions Click Done.
If you are editing an existing configuration and want to keep your changes Click Save.

When target sessions are restricted to certain virtual server IDs, the allowed IDs are displayed under Virtual Server IDs.

Note:

If you configure multiple target sessions for a connection, PingFederate selects the applicable adapter instance or authentication policy contract at runtime based on the target resource information in the requests and your configuration For more information, see Configuring target URL mapping.