To selectively perform client certification authentication on behalf of PingFederate, configure a front-end proxy or load balancer.
By configuring proxy client authentication, TLS is terminated at the proxy, and the headers are passed back to PingFederate for validation by the X.509 Certificate IdP Adapter. This approach also allows you to have all traffic arrive on TCP port 443.
For guidance on configuring proxy client authentication, see the following documentation for your product:
- Configure incoming proxy settings in the PingFederate documentation
- Creating header identity mappings and Defining engine listeners in the PingAccess documentation