Creating the authorization code flow in PingFederate involves creating and configuring an IdP adapter.

Prerequisites

Log in to the PingFederate Admin console with an Administrator Account.

Procedure

  1. Create the IdP Adapter.
    1. Go to Authentication > Integration > IdP Adapters.
    2. Click Create New Instance.
    3. On the Type tab:
      • Instance Name: Enter a name, for example, HTML Form Auth Adapter.
      • Instance ID: Enter an ID, for example, HTMLFormAuthAdapter.
      • Type: Select HTML Form IdP Adapter.
      • Parent Instance: Select None.
    4. Click Next.
    5. On the IdP Adapter tab:
      Under Password Credential Validator Instance, click Add a new row to 'Credential Validators', select a validator (in this documentation, vIDB Validator is used), and click Update.
    6. On the IdP Adapter tab:
      • Realm: Select USER_KEY.
    7. Click Next.
    8. Click Next to skip the Extended Contract tab.
    9. On the Adapter Attributes tab:
      • Unique User Key Attribute: Select username and check Pseudonym.
    10. Click Next to skip the Adapter Contract Mapping tab then click Save.
  2. Create IdP Adapter Grant Mapping.
    1. Go to Authentication > OAuth > IdP Adapter Grant Mapping.
    2. Source Adapter Instance: Select the Adapter instance you just created and click Add Mapping.
    3. On the Attribute Sources & User Lookup page, click Add Attribute Source.
    4. Enter the information as follows for each tab, then click Next to advance.
      • On the Data Store tab:
        • Attribute Source ID: Enter an ID with alphanumeric values.
        • Attribute Source Description: Enter a description.
        • Active Data Store: Select the active directory in use.
      • On the LDAP Directory Search tab:
        • Base DN: Enter your base DN to find your users and groups.
        • Search Scope: Use the default, Subtree.
        • Attributes to return from search: Select <Show All Attributes>, then, once loaded, from the attribute list, select userPrincipalName.
    5. Click Add Attribute then click Next.
    6. On the LDAP Filter tab:
      • Filter: Enter the filter. For example, userPrincipalName=${username}.
    7. Click Next then click Save.
    8. In the IdP Adapter Grant Mapping | IdP Adapter Mapping page, finish creating the IdP Grant Mapping.
      On the Contract Fulfillment Lookup tab, use the following table.
      Contract    Source                                  Value
      USER_KEY    Select the source previously created.   Subject DN
      USER_NAME   Select the source previously created.   userPrincipalName
    9. Click Next then click Save.
      The created IdP Adapter Grant Mapping displays as 'Adapter Name' to Persistent Grant Contract.
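The following is an added illustration, not part of the PingFederate documentation: it models the user lookup and contract fulfillment configured in steps 2.4 to 2.8 (LDAP filter userPrincipalName=${username}, USER_KEY from the Subject DN, USER_NAME from userPrincipalName) against a constructed in-memory directory. The DIRECTORY contents, the example.com names and the simple filter parser are assumptions made for the example; it also shows why the value substituted into the filter must be escaped per RFC 4515 so that a login name such as * cannot widen the search.

```python
import re

# Constructed sample directory (DN -> attributes); not real data.
DIRECTORY = {
    "CN=Alice Example,OU=Users,DC=example,DC=com": {"userPrincipalName": "alice@example.com"},
    "CN=Bob Example,OU=Users,DC=example,DC=com": {"userPrincipalName": "bob@example.com"},
}

# RFC 4515 escaping for a value substituted into a search filter (the ${username} above).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    # What the directory server does with \XX sequences when it evaluates the filter.
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def ldap_search(base_dn: str, ldap_filter: str) -> list:
    """Subtree search for a simple 'attr=value' filter under base_dn (assumed model of
    the server side). Returns all matching (dn, attrs) pairs."""
    m = re.fullmatch(r"(\w+)=(.*)", ldap_filter)
    if not m:
        raise ValueError("only simple attr=value filters are modelled here")
    attr, raw = m.group(1), m.group(2)
    if raw == "*":  # unescaped presence filter: every entry carrying the attribute matches
        hits = [(dn, a) for dn, a in DIRECTORY.items() if attr in a]
    else:
        wanted = _unescape(raw)
        hits = [(dn, a) for dn, a in DIRECTORY.items() if a.get(attr) == wanted]
    return [(dn, a) for dn, a in hits if dn.lower().endswith(base_dn.lower())]


def fulfill_grant_contract(username: str, base_dn: str = "DC=example,DC=com"):
    """Apply the LDAP Filter userPrincipalName=${username} and the Contract Fulfillment
    table: USER_KEY <- Subject DN, USER_NAME <- userPrincipalName."""
    ldap_filter = f"userPrincipalName={escape_filter_value(username)}"
    hits = ldap_search(base_dn, ldap_filter)
    if len(hits) != 1:
        return None  # no unique user found: the grant mapping cannot be fulfilled
    dn, attrs = hits[0]
    return {"USER_KEY": dn, "USER_NAME": attrs["userPrincipalName"]}


if __name__ == "__main__":
    print(fulfill_grant_contract("alice@example.com"))
    print(fulfill_grant_contract("*"))  # escaped wildcard matches nobody -> None
```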
  3. Map the IdP Adapter to Access Token Manager.
    1. Go to Applications > OAuth > Access Token Mappings.
      • Context: Select IdP Adapter:Adapter Name.
      • Access Token Manager: Select the access token manager instance previously created. For example, in this documentation, it is vIDB Access Token Manager.
    2. Click Add Mapping.
      If you do not perform this mapping, PingFederate generates the following log file message:

      There are no mapped authentication sources to choose from. Please map an IdP Adapter or IdP connection first.

    3. Skip the Attribute Sources & User Lookup tab, and on the Contract Fulfillment tab, use the following table.
      Contract    Source        Value
      aud         No Mapping    -
      exp         No Mapping    -
      iat         No Mapping    -
      iss         No Mapping    -
      userName    Adapter       username
    4. Click Next to skip the Issuance Criteria tab, then click Save.

What to do next

Continue with Install the SCIM Provisioner.