Use Cases

Setting up a login form that validates credentials against AD in PingFederate

Configure a login form in PingFederate that validates credentials against Active Directory (AD).

After completing these steps, the HTML form adapter is ready to use in either an Authentication Policy or an SP connection.

Component

PingFederate 10.1

Configuring the datastore

Configure a datastore in PingFederate.

Before you begin

  • Install and run PingFederate.

  • Install Active Directory (AD).

  • Ensure that the AD service account PingFederate binds with can read user data in every domain of the forest that PingFederate will search.

Steps

  1. In the PingFederate administrative console, go to System > Data & Credential Stores > Data Stores.

  2. Click Add new Data Store.

  3. On the Data Store Type tab, in the Name field, enter a name.

  4. In the Type list, select Directory (LDAP). Click Next.

    Screen capture of the Data Store Type tab showing Active Directory Data Store in the Name field, and Directory (LDAP) selected from the Type list.
  5. On the LDAP Configuration tab, in the Hostname(s) field, enter the hostname of your AD domain controller. Use the name that appears in the domain controller's LDAPS certificate so that hostname verification succeeds.

  6. From the LDAP Type list, select Active Directory.

  7. In the User DN and Password fields, enter the distinguished name (DN) and password of the AD service account that PingFederate binds with.

  8. Select the Use LDAPS checkbox.

    Ping Identity recommends that all LDAP connections be secured using LDAPS.

    To enable the password change, password reset, or account unlock features in the HTML form adapter against Microsoft AD, you must secure the connection to your directory server using LDAPS. AD only accepts password modifications over an encrypted connection.

  9. Complete any other fields needed for the datastore connection according to your architecture.

  10. To test the connection, click Test Connection.

    Screen capture of the LDAP Configuration tab and corresponding fields.
  11. Click Next.

  12. On the Summary tab, review your entries, and then click Save.

Configuring the password credential validator

Configure a password credential validator (PCV) in PingFederate.

Before you begin

  • Install and run PingFederate.

  • Install Active Directory (AD).

  • Configure the data store.

  • Ensure that the AD service account PingFederate binds with can read user data in every domain of the forest that PingFederate will search.

Steps

  1. In the PingFederate administrative console, go to System > Data & Credential Stores > Password Credential Validators.

  2. Click Create New Instance.

  3. On the Type tab, in the Instance Name and Instance ID fields, enter a name and ID.

  4. From the Type list, select LDAP Username Password Credential Validator.

    Screen capture of the Type tab showing the completed Instance Name and Instance ID fields. LDAP Username Password Credential Validator is selected from the Type list.

  5. Click Next.

  6. On the Instance Configuration tab, from the LDAP Datastore Field Value list, select Active Directory Data Store.

  7. In the Search Base Field Value field, enter the location in the directory from which the LDAP search begins.

  8. In the Search Filter Field Value field, enter an LDAP filter.

    You can use ${username} as part of the query. For example, for AD, sAMAccountName=${username}.

  9. In the Scope of Search section, choose one of:

    • One Level, to search only the entries directly under the base distinguished name (DN)

    • Subtree, to search the base DN and all organizational units nested under it

    Screen capture of the Instance Configuration tab.

  10. Click Next.

  11. On the Extended Contract tab, confirm the default values and add additional attributes as needed.

    On this tab, you can also extend the attribute contract of the PCV instance.

    Screen capture of the Extended Contract tab showing the default values.

  12. Click Next.

  13. On the Summary tab, confirm your entries, and then click Save.
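The Search Base, Search Filter and Scope of Search fields above decide which directory entries a submitted username can match. The following script is an added example, not PingFederate code: it models those three fields against a small constructed directory (the DNs, OUs and accounts are invented) and shows what an RFC 4515-escaped substitution of ${username} must produce. It does not show how PingFederate itself substitutes the value; use it to preview what a filter template and scope will select, and to see why an unescaped wildcard in the submitted username widens the match.

```python
"""Preview what an LDAP PCV search filter and scope will match.

Added example, not PingFederate code. Models the Search Filter, Search Base
and Scope of Search fields of the LDAP Username Password Credential Validator
against a constructed directory. DNs and accounts are invented.
"""
import re

# RFC 4515 escaping for characters with special meaning in a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, username: str, escape: bool = True) -> str:
    """Substitute ${username} into the template; wrap in parentheses if absent.

    escape=False shows what happens if the raw value reaches the directory.
    """
    value = escape_filter_value(username) if escape else username
    flt = template.replace("${username}", value)
    return flt if flt.startswith("(") else f"({flt})"


def _value_to_regex(value: str) -> re.Pattern:
    """Filter value -> regex: unescaped '*' is a wildcard, '\\XX' is a literal.
    AD compares sAMAccountName case-insensitively."""
    parts = []
    for piece in value.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})",
                         lambda m: chr(int(m.group(1), 16)), piece)
        parts.append(re.escape(literal))
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def dn_parts(dn: str) -> list:
    """Split a DN into normalized RDNs (simplified: no escaped commas)."""
    return [p.strip().lower() for p in dn.split(",")]


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """One Level: entries directly under the base. Subtree: base and below."""
    entry, base = dn_parts(entry_dn), dn_parts(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    if scope == "One Level":
        return depth == 1
    if scope == "Subtree":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def search(directory: dict, base_dn: str, scope: str, flt: str) -> list:
    """Return DNs of entries matching a single '(attr=value)' equality filter."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if not m:
        raise ValueError(f"only simple equality filters are modelled: {flt}")
    attr, pattern = m.group(1).lower(), _value_to_regex(m.group(2))
    hits = []
    for dn, attrs in directory.items():
        values = {k.lower(): v for k, v in attrs.items()}.get(attr, [])
        if in_scope(dn, base_dn, scope) and any(pattern.match(v) for v in values):
            hits.append(dn)
    return hits


# Constructed sample directory; not a real forest.
BASE_DN = "DC=example,DC=com"
USERS_OU = "OU=Users,DC=example,DC=com"
DIRECTORY = {
    "CN=jdoe,OU=Users,DC=example,DC=com": {"sAMAccountName": ["jdoe"]},
    "CN=jdoe-admin,OU=Admins,OU=Users,DC=example,DC=com": {"sAMAccountName": ["jdoe-admin"]},
    "CN=svc-pingfed,OU=Service Accounts,DC=example,DC=com": {"sAMAccountName": ["svc-pingfed"]},
}
TEMPLATE = "sAMAccountName=${username}"  # the filter from step 8


def demo() -> dict:
    """Run the scope and escaping comparisons and return the matched DNs."""
    return {
        # A normal login from the domain root with Subtree matches one account.
        "jdoe_subtree": search(DIRECTORY, BASE_DN, "Subtree", render_filter(TEMPLATE, "jdoe")),
        # One Level from OU=Users cannot see an account in a nested OU; Subtree can.
        "admin_onelevel": search(DIRECTORY, USERS_OU, "One Level", render_filter(TEMPLATE, "jdoe-admin")),
        "admin_subtree": search(DIRECTORY, USERS_OU, "Subtree", render_filter(TEMPLATE, "jdoe-admin")),
        # A wildcard in the submitted username: raw, it matches two accounts; escaped, none.
        "wild_raw": search(DIRECTORY, BASE_DN, "Subtree", render_filter(TEMPLATE, "jdoe*", escape=False)),
        "wild_escaped": search(DIRECTORY, BASE_DN, "Subtree", render_filter(TEMPLATE, "jdoe*")),
    }


if __name__ == "__main__":
    for name, dns in demo().items():
        print(f"{name}: {dns}")
```

The scope comparison is the practical point: with One Level, only accounts sitting directly under the Search Base are found, so a base of the domain root with One Level will fail to authenticate anyone whose account lives in an OU. The escaping comparison shows the property to confirm when you test the adapter: a username containing `*`, `(`, `)` or `\` must not change the shape of the filter.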

Configuring the IdP adapter

Configure an identity provider (IdP) adapter in PingFederate.

About this task

The following steps are the minimum to set up an HTML adapter to validate against AD.

Steps

  1. In the PingFederate administrative console, go to Authentication > Integration > IdP Adapters.

  2. Click Create New Instance.

  3. On the Type tab, in the Instance Name and Instance ID fields, enter a name and ID.

  4. From the Type list, select HTML Form IdP Adapter.

    Screen capture of the Type tab showing the completed Instance Name and Instance ID fields and HTML Form IdP Adapter selected from the Type list.

  5. Click Next.

  6. On the IdP Adapter tab, in the Password Credential Validator Instance section, click Add a new row to 'Credential Validators'.

  7. From the Password Credential Validator Instance list, select the PCV you configured for AD, and then click Update.

    Screen capture of the IdP Adapter tab showing the corresponding fields.

  8. Review and modify any other fields as needed, and then click Next.

    Many fields have default values. Make adjustments as needed.

  9. On the Extended Contract tab, confirm the default values and add additional attributes as needed.

  10. Click Next.

  11. On the Adapter Attributes tab, select the attributes to receive a pseudonym to uniquely identify a user and any attributes that must be masked in the log files.

    Screen capture of the Adapter Attributes tab showing the checkboxes to select to give attributes pseudonyms or mask log values.

  12. Click Next.

  13. On the Adapter Contract Mapping tab, click Configure Adapter Contract.

  14. On the Attribute Sources & User Lookup tab, fulfill the adapter contract with the adapter’s default values, or use these values plus additional attributes retrieved from local data stores.

  15. Click Next.

  16. On the Adapter Contract Fulfillment tab, fulfill your adapter contract with values from the authentication adapter or with dynamic text values.

    By default, Adapter is selected from the Source lists.

  17. Click Next.

  18. On the Issuance Criteria tab, optionally create criteria for PingFederate to evaluate to determine whether users are authorized to access SP resources. Click Next.

  19. On the Summary tab, confirm your entries, and then click Done.

    Screen capture of the Summary tab showing the selected entries.

  20. On the Adapter Contract Mapping tab, click Next.

  21. On the Summary tab, review the IdP adapter instance settings, and then click Save.

Result

After completing these steps, the HTML form adapter is ready to use in either an Authentication Policy or an SP connection.

Next steps

Enter AD credentials (username and password) to test the configured adapter.