PingFederate provides an IdP-to-SP Adapter Mapping option on the Main Menu for special IdP use cases that require PingFederate to also act as an SP on behalf of the actual SP partner. This mapping allows authentication credentials to be mapped directly to create an SP authenticated session or security context. In these cases, the special mapping eliminates the need to create complete SP and IdP connections in a loopback configuration that sends SAML messages back and forth to the same PingFederate server.

This section provides specific instructions for configuring this mapping to enable the Google Apps Password Manager. (For more information, see Adapter-to-adapter mappings in the PingFederate documentation.)

  1. Ensure that PingFederate is configured to act as both an IdP and an SP, with applicable adapter instances defined on both sides (see the previous sections).
  2. On the PingFederate Main Menu under System Settings, click IdP-to-SP Adapter Mapping.
  3. On the Manage Mappings screen, select the Source Instance and the Target Instance, which are the IdP and SP Adapter Instances, respectively.
    Important: The Target Instance must be for the OpenToken Adapter (see SP Adapter Setup).
  4. Click Add Mapping.
  5. On the Data Store screen, click Next.

    Data-store lookup is not required for this application.

  6. On the Adapter Contract Fulfillment screen, for subject, choose Adapter from the Source drop-down list and map the attribute to the subject ID coming from the IdP Adapter.
  7. Click Done and then Save on the Manage Mappings screen.