  1. Sign on to the PingFederate administrative console.
  2. On the Identity Provider > Manage IdP Adapter Instances screen, click Create New Instance.
  3. On the Type screen, set the basic adapter instance attributes.
    a. In the Instance Name field, enter a name for the adapter instance.
    b. In the Instance ID field, enter a unique identifier for the adapter instance.
    c. In the Type list, select X.509 Certificate IdP Adapter. Click Next.
  4. Optional: On the IdP Adapter screen, in the Constrain Acceptable Root Issuers section, specify the certificate authority (CA) that you want to use to validate end-user X.509 certificates.

    Client certificates are always validated against all trusted CAs in PingFederate and the Java Virtual Machine (JVM). This section only restricts which issuers are used to validate end-user certificates.

    a. Click Add a new row to 'Constrain Acceptable Root Issuers'.
    b. In the Issuer DN field, enter the subject distinguished name (DN) of an issuer listed on the Trusted CAs screen in PingFederate.

      For more information, see Manage trusted certificate authorities in the PingFederate documentation.

    c. In the Action column, click Update.
    d. To add more acceptable issuers, repeat steps a-c.
  5. On the IdP Adapter screen, configure the adapter instance by referring to X.509 Certificate IdP Adapter settings reference. Click Next.
  6. On the Extended Contract screen, add any attributes that you want to include in the extended contract. Enter attributes in uppercase. Only attributes specified in RFC 2253 are allowed: CN, L, ST, O, OU, C, STREET, DC, and UID.

    You can include subject DN components in this list.

    If you selected Parse Client Cert Subject and Issuer DNs on the IdP Adapter screen, you can also include the subject DN email component, as well as issuer DN components.

    For issuer DN components, prefix the attribute with issuer_, such as issuer_CN.
  7. Complete the adapter configuration.
  8. On the Summary screen, check that the configuration is correct. Click Done.
  9. On the Manage IdP Adapter Instances screen, click Save.
  10. If you configured the Client Auth Hostname field, open <pf_install>/pingfederate/server/default/data/config-store/session-cookie-config.xml and add your domain, with a leading period, to the <c:item name="cookie-domain"></c:item> element, for example <c:item name="cookie-domain">.example.com</c:item>.
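The naming rules from step 6, as an added example that is not PingFederate's own code: a small RFC 2253 DN parser that turns constructed subject and issuer DNs into the attribute names the extended contract would use (uppercase type, allowed types only, issuer_ prefix for issuer components). SUBJECT_DN, ISSUER_DN, parse_dn and contract_attributes are constructed for this illustration; the page does not name the subject e-mail component, so it is not modelled.

```python
# Added example, not PingFederate's own code: the naming rules above applied to constructed DNs.
import re

# Attribute types the page lists as allowed in the extended contract.
ALLOWED_TYPES = {"CN", "L", "ST", "O", "OU", "C", "STREET", "DC", "UID"}

# Constructed sample DNs for a client certificate and its issuing CA.
SUBJECT_DN = "CN=Alice Example,OU=Dev\\, Ops,O=Example Corp,C=US,DC=example,DC=com,serialNumber=1234"
ISSUER_DN = "CN=Example Issuing CA,O=Example Corp,C=US"

def parse_dn(dn):
    """Split an RFC 2253 string DN into (TYPE, value) pairs, honouring
    backslash and \\XX hex escapes, quoted values and '+' multi-valued RDNs.
    Types are uppercased to match the contract's attribute names."""
    pairs, attr_type, buf, quoted, i = [], None, "", False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):           # \, or \2C escapes
            m = re.match(r"[0-9A-Fa-f]{2}", dn[i + 1:])
            buf += chr(int(m.group(), 16)) if m else dn[i + 1]
            i += 3 if m else 2
            continue
        if ch == '"':                                 # quoted value
            quoted = not quoted
        elif ch == "=" and attr_type is None and not quoted:
            attr_type, buf = buf.strip().upper(), ""
        elif ch in ",;+" and not quoted:              # end of one type=value
            pairs.append((attr_type, buf.strip()))
            attr_type, buf = None, ""
        else:
            buf += ch
        i += 1
    if attr_type is not None:
        pairs.append((attr_type, buf.strip()))
    return pairs

def contract_attributes(subject_dn, issuer_dn=None, parse_issuer=False):
    """Return {attribute_name: [values]}: subject types keep their RFC 2253
    name, issuer types get the issuer_ prefix and appear only when parse_issuer
    (Parse Client Cert Subject and Issuer DNs) is set, other types are dropped."""
    attrs = {}
    for t, v in parse_dn(subject_dn):
        if t in ALLOWED_TYPES:
            attrs.setdefault(t, []).append(v)   # repeated types (DC) keep order
    if parse_issuer and issuer_dn:
        for t, v in parse_dn(issuer_dn):
            if t in ALLOWED_TYPES:
                attrs.setdefault("issuer_" + t, []).append(v)
    return attrs
```

Running contract_attributes(SUBJECT_DN, ISSUER_DN, parse_issuer=True) shows which contract attribute names a given certificate would populate, which is a quick way to check a planned extended contract against real subject and issuer DNs before saving the adapter.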