Setting up Kerberos authentication in PingFederate

Set up a Kerberos authentication adapter in PingFederate for a seamless user authentication experience from a Windows machine to your applications.

This lets users access applications connected to PingFederate seamlessly from a domain-joined Windows machine without being prompted for additional authentication credentials. For more information on PingFederate, see Introduction to PingFederate.

Component

PingFederate 10.1

Configuring the Active Directory domain/Kerberos realm

Configure an Active Directory (AD) domain/Kerberos realm in PingFederate.

Steps

  1. In the PingFederate administrative console, go to System → Data & Credential Stores → Active Directory Domains/Kerberos Realms.

  2. Click Add Domain/Realm.

  3. In the Domain/Realm Name, Domain/Realm Username, and Domain/Realm Password fields, enter the appropriate information.

    Screen capture of the Active Directory Domains/Kerberos Realms Manage Domain/Realm window showing the required Domain/Realm Name, Domain/Realm Username, and Domain/Realm Password fields.
  4. Click Test Domain/Realm Connectivity to ensure you can establish a connection, and then click Done.

  5. On the Manage Domain/Realms tab, click Next.

    Screen capture of the Manage Domains/Realms tab.
  6. On the Manage Domains/Realm Settings tab, specify settings such as forcing TCP, enabling debug log output, and the domain controller timeout and retry values.

    Screen capture of the Manage Domain/Realm Settings tab showing the optional check boxes for Force TCP and Debug Log Output. It also shows the optional AD Domain Controller/Key Distribution Center Timeout and AD Domain Controller/Key Distribution Center Retries fields.
  7. Click Save.
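The Test Domain/Realm Connectivity button and the Force TCP, timeout and retries settings above all come down to whether the PingFederate host can reach each domain controller/KDC on the Kerberos port. The following stand-alone probe is an added example, not PingFederate's own code or part of the original page: it opens a TCP connection to port 88 on each configured host with the same one-initial-attempt-plus-retries semantics as the Timeout and Retries fields, so you can confirm reachability from the PingFederate server itself (for instance when a test fails, or before changing the timeout values). The host names in the `__main__` block are placeholders.

```python
"""Added example: TCP reachability probe for the domain controllers / KDCs behind a
PingFederate Active Directory Domain/Kerberos Realm entry. Not PingFederate code."""
import socket
import time
from typing import Dict, Iterable, Tuple

KERBEROS_PORT = 88  # KDC port; this is the port used when Force TCP is selected


def probe_kdc_tcp(host: str, port: int = KERBEROS_PORT,
                  timeout_s: float = 3.0, retries: int = 2,
                  backoff_s: float = 0.0) -> Tuple[bool, int]:
    """Try to open a TCP connection to host:port.

    timeout_s and retries play the same role as the AD Domain Controller/Key
    Distribution Center Timeout and Retries fields: one initial attempt plus
    `retries` further attempts, each bounded by timeout_s.
    Returns (reachable, attempts_made).
    """
    attempts = 0
    for attempt in range(1, retries + 2):
        attempts = attempt
        try:
            with socket.create_connection((host, port), timeout=timeout_s):
                return True, attempts
        except OSError:
            # OSError covers refused connections, unresolvable names and timeouts.
            if attempt <= retries and backoff_s:
                time.sleep(backoff_s)
    return False, attempts


def probe_realm(dc_hosts: Iterable[str], port: int = KERBEROS_PORT,
                timeout_s: float = 3.0, retries: int = 2) -> Dict[str, Tuple[bool, int]]:
    """Probe every DC/KDC host name configured for one realm."""
    return {host: probe_kdc_tcp(host, port, timeout_s, retries) for host in dc_hosts}


def realm_has_reachable_kdc(results: Dict[str, Tuple[bool, int]]) -> bool:
    """True if at least one configured DC/KDC accepted a TCP connection."""
    return any(ok for ok, _ in results.values())


if __name__ == "__main__":
    # Placeholder host names (assumption): replace them with the Domain
    # Controller/Key Distribution Center Host Names entered for your realm.
    placeholder_dcs = ["dc1.example.test", "dc2.example.test"]
    report = probe_realm(placeholder_dcs, timeout_s=2.0, retries=1)
    for host, (ok, made) in report.items():
        print(f"{host}:{KERBEROS_PORT} reachable={ok} attempts={made}")
    print("realm has a reachable KDC:", realm_has_reachable_kdc(report))
```

Run it on the PingFederate server with the real host names; a host that never answers within the timeout across all attempts is reported as unreachable with `attempts == retries + 1`, which is the behaviour the adapter's retry setting produces as well.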

Configuring the IdP adapter

Configure a new Kerberos adapter instance in PingFederate.

Before you begin

  • Ensure you have an AD domain configured as a datastore in PingFederate that can be used to validate Kerberos tickets.

  • Create a user in Active Directory (AD) that can read from the directory.

Steps

  1. In the PingFederate administrative console, go to Authentication → IdP Adapters.

    Screen capture of the Authentication window showing the IdP Adapters option as the second option in the first row.
  2. Click Create New Instance.

  3. On the Type tab, in the Instance Name and Instance ID fields, enter a name and ID.

  4. From the Type list, select Kerberos Adapter, and then click Next.

    Screen capture of the Type tab showing the Instance Name, Instance ID, Type, and Parent Instance fields.
  5. On the IdP Adapter tab, select the Domain/Realm Name you used when adding AD as a datastore.

  6. Click Manage Active Directory Domains/Kerberos Realms.

    Screen capture of the IdP Adapter tab showing the Domain/Realm Name and Error URL redirect fields.
  7. In the Manage Domain/Realm window, in the Domain/Realm Name, Domain/Realm Username, and Domain/Realm Password fields, enter the information from your AD environment.

    Screen capture of the Manage Domain/Realm window showing the Domain/Realm Name, Domain/Realm Username, and Domain/Realm Password fields. Below those are the options for Domain Controller/Key Distribution Center Host Names.
  8. Click Test Domain/Realm Connectivity to test your connection, then click Done.

  9. On the IdP Adapter tab, click Next.

  10. On the Extended Contract tab, click Next.

  11. On the Adapter Attributes tab, select the Username Pseudonym check box, and then click Next.

    Screen capture of the Adapter Attributes tab showing check boxes for the option to use Pseudonyms or Mask Log Values for each attribute.
  12. On the Adapter Contract Mapping tab, click Next.

  13. On the Summary tab, review your entries, and then click Save.