Use Cases

Configuring an Active Directory datastore for PingFederate

In PingFederate, establish an Active Directory datastore connection for retrieving user attributes for outbound connections.

Component

PingFederate 10.1

Processing steps

Almost every customer using PingFederate as an identity provider (IdP) has at least one datastore connection. A datastore connection allows PingFederate to retrieve user attributes for outbound connections. Active Directory is the most common data source connected to PingFederate.

An illustration of a 3-step user-initiated single sign-on (SSO) flow when PingFederate is the identity provider and has a datastore connection.
  1. The user initiates single sign-on (SSO) and activates PingFederate.

  2. The user enters credentials on the HTML form login page. PingFederate queries the connected datastore to authenticate the user.

  3. A SAML assertion containing the selected attributes for SSO is sent to the service provider.

Configuring an Active Directory datastore

In PingFederate, configure a datastore connection to allow PingFederate, the identity provider (IdP), to retrieve user attributes for outbound connections.

Before you begin

The service account that PingFederate binds with must exist in Active Directory and have read permission on the organizational unit (OU) where user attribute searches are performed. A read-only account is sufficient; the datastore connection does not need an administrator account.

About this task

This topic details specific tasks for configuring an Active Directory datastore connection. For more comprehensive information and instructions, see Datastores in the PingFederate Server documentation.

Steps

  1. From the PingFederate admin console, go to System → Data Stores. Click Add a New Data Store.

    Result:

    The Data Store configuration window opens.

  2. On the Data Store Type tab:

    1. In the Name field, enter a name.

    2. From the Type list, select Directory (LDAP).

    3. Click Next.

  3. On the LDAP Configuration tab:

    1. In the Hostname(s) field, enter the hostname of a domain controller. Click Add.

      The entry can rely on DNS to route to the closest domain controller. For example, the domain name pingdemo.com resolves to dc1.pingdemo.com.

      Alternatively, you can define domain controllers explicitly, separated by a space. For example, dc1.pingdemo.com dc2.pingdemo.com. This creates a failover list: if the first domain controller is unreachable, PingFederate tries the second, and so on. Failover is by server availability, not by whether a user is found; a user that is missing from one domain controller is not looked up on the next.

    2. In the User DN field, enter the distinguished name (DN).

      This is the distinguished name of the service account that PingFederate binds with to query the directory, for example cn=svc-pingfed,ou=Service Accounts,dc=pingdemo,dc=com.

    3. In the Password field, enter a password.

      This is the password of the service account.

    4. Choose whether to select the Use DNS SRV Record check box.

      SRV records are not required for this configuration, but you can use them. When the check box is selected, PingFederate uses the DNS SRV records for the domain name entered in Hostname(s) to locate domain controllers instead of contacting that hostname directly.

    5. Choose whether to enable the Use LDAPS check box.

      • Select the Use LDAPS check box.

        The configuration assumes port 636 if the LDAPS option is selected. The certificate presented by the domain controller, or the CA that issued it, must be in PingFederate's trusted certificate store so that the TLS connection validates.

      • Clear the Use LDAPS check box.

        The configuration assumes port 389 if the LDAPS option is cleared. On port 389 the service account's bind password and every query cross the network in clear text, so clear this check box only on a network where that is acceptable.

        If your directory listens on another port, append it to the hostname in the Hostname(s) field as host:port, as shown in the image below, where port 1389 is specified.

        A screen capture of the Data Store window, LDAP Configuration tab, in PingFederate. The following fields and their entries are displayed: Hostname(s) with cjmuir-r:1389 added and selected as the default, a cleared Use LDAPS check box, a cleared Use DNS SRV Record check box, the LDAP Type list, a cleared Bind Anonymously check box, the User DN field with cn=Directory Manager entered, the Password field with a hidden entry, cjmuir-r:1389 selected from the connection list, and the Test Connection button.

    6. Optionally, click Test Connection to confirm that PingFederate can reach the selected server and bind with the User DN and password. Click Next.

    7. On the Summary tab, click Save.

      Result:

      The Data Store configuration window closes. You are directed back to the Data Stores window where you can manage all your datastore connections.