Setting up an LDAPS datastore connection in PingFederate

About this task

The self-service password reset capability relies on the LDAP connection to your directory server and the Username PCV to query the required attributes for the chosen reset method.

PingFederate supports the following datastores:

PingDirectory
Microsoft Active Directory
Oracle Unified Directory
Oracle Directory Server out-of-the-box

This task covers specific configuration settings for this use case. For comprehensive instructions, see Configuring an LDAP Connection.

Steps

Go to System → Data & Credential Stores → Data Stores, and click Add New Data Store.
On the Data Store Type tab, in the Data Store Name field, enter a name for the datastore.
In the Type list, select Directory (LDAP). Click Next.

For an Active Directory (AD) datastore, you must issue a certificate from your internal certificate authority (CA) and import it. See the following substeps.
1. For an AD datastore, go to Security → Trusted CAs, and click Import.
2. On the Import Certificate tab, click Choose File and upload the relevant file. Click Next.
3. On the Summary tab, click Save.

Go to the LDAP Configuration tab:

Select the Use LDAPS check box.

PingFederate assumes port 389 when the Use LDAPS check box is cleared and assumes port 636 when this check box is selected. If you are using the default port of 636, you don’t have to specify it in the Hostname(s) field.

Screen capture of the Data Store window and on the LDAP Configuration tab. There are configuration settings for Data Store Name which as AD entered, Hostname(s) which has EC2AMAZ-IV4ESP3.pingdemo.org entered, a Use LDAPS check box which is selected to enable, a Use DNS SRV Record check box to enable, Load Type which has Active Directory set, a Bind Anonymously check box to enable, User DN which has ADAdmin entered, Password which has a protected entry, and a Mask Values in Log check box to enable.

Enter the user attributes in the User DN and Password fields.

If the Password Reset Type is PingID , the user attribute that passes to PingID/> during password reset must be the attribute that is associated with the PingID/> account in PingOne.
For an AD datastore, the default user attribute is sAMAccountName. This does not have to be the attribute you enter into the username field on the account recovery page.

Enter the attributes you want to use to query in the Search Filter field.

The Search Filter field, commonly used for Office 365 connections, allows you to enter sAMAccountName or userPrincipleName.

For example, (|(sAMAccountName=${username})(userPrincipalName=${username})).

If the Password Reset Type is PingID, use a search filter that searches with multiple attributes. You can enter either attribute into the fields, and it passes the username attribute you set in your PCV.

To see or modify this user attribute:

Go to System → Data & Credential Store → Password Credential Validators → Password Credential Validators, and select the relevant PCV instance.
On the Instance Configuration tab, edit the PingID Username Attribute field.

This is the attribute used for a PingID password reset type.

$Screen capture the LDAP configuration tab settings. There are settings for Search Filter which has (\|(sAMAccountName=${username})(userPrincipalName=${username})) entered, Scope of Search which has two options of One Level and Subtree and Subtree is clicked, a Case-Sensitive Matching check box which is selected, Display Name Attribute which has displayName entered, Mail Attribute which has mail entered, SMS Attribute, PingID Username Attribute which has userPrincipalName entered, Mail Search Filter which has mail=$(mail) entered, and Username Attribute which has sAMAccountName entered.$

Click Next.
Configure the remaining LDAP settings as needed.

For more information about the settings, see Configuring an LDAP connection and Setting advanced LDAP options.
On the Summary tab, click Save.

Use Cases

Setting up an LDAPS datastore connection in PingFederate

About this task

Steps