The Agentless Integration Kit does not require you to install special agent software in your application, but it does require your application to be modified to communicate with the PingFederate Reference ID Adapter. The following information and recommendations should guide your modifications.
Reference ID length
The reference ID is a long hexadecimal string. Length is determined by the Reference Length setting in the Reference ID Adapter instance configuration. The default length is 30 bytes.
A9C020F7CF8C21002CDC774B48A7CFE6B3ECA5FC6CCA507EE419B4432DBEach reference ID is specific to the instance of the Reference ID Adapter that issued it.
Error handling
During the attribute pickup or drop-off processes, PingFederate returns any errors as HTTP status codes. For example when an incorrect client ID or password is provided, PingFederate returns a 401 HTTP error.
If an error occurs during an authentication attempt, then the authentication form should handle the error (that is, display a message to the user) and abort the sign on process. Your application will only receive a sign-in request from a user that was authenticated by the identity provider (IdP). Failed authentications are not redirected back to the application. Any errors received during the authentication process should be handled with the assumption that the user has already completed the authentication process at the IdP.
If your application presents an invalid reference ID to PingFederate, the Reference ID Adapter returns an empty set of attributes.
Locate error screens outside the protected content. When a user receives an error during the sign-on or authorization stages, they need to be able to see the error without being sent back through the authentication process.
Timeouts
A given reference value can only be used once and expires after a set duration. This improves security by preventing "replay" attacks. The duration is determined by the Reference Duration field in the Reference ID Adapter instance configuration. The default duration is three seconds.
To prevent unexpected timeouts, make sure the clock is reasonably synchronized between the application server and the federation server. You can also adjust the value of the Reference Duration configuration setting can also be used to allow for a larger tolerance for time skew.
Session management
The IdP adapter should maintain a session for the user so that subsequent calls for authentication can re-use the existing sign-on session. This creates a single sign-on experience for the user.
The IdP adapter should honor the forceAuthn parameter to force the user to enter credentials even if the user has an existing session.
Deep linking
Deep linking (also called direct linking) is the ability to link to a page nested inside the protected content. This saves the user from having to navigate to the content from a generic landing page.
Your application receives a deep link in the TargetResource parameter. This parameter is included in the initial redirect to the sign-on URL.
When passing the TargetResource parameter, or any URL parameter, remember to URL-encode the value.
Application authorization
Authorization includes determining whether the user has access to the application and what roles the user has when they are inside the application.
Your service provider application will only receive users that have already been authenticated. Your application should perform any authorization decisions before creating an application session.
Locate error pages outside the protected content. When a user receives an error during the sign-on or authorization stages, they need to be able to see the error without being sent back through the authentication process.
Application user profile management
Your application will receive an already authenticated user from a trusted identity provider that can contain additional attributes. This authenticated identity can be used to provision new accounts into the application store or update existing user profile information.