To let vCenter Server authenticate users against PingFederate with the OAuth 2.0 password grant (resource owner credentials) flow, configure PingFederate as follows.

Prerequisites

Log in to the PingFederate Admin console with an Administrator Account.

Procedure

  1. Create the Password Credential Validator.
    1. Go to System > Data & Credential Stores > Password Credential Validators.
    2. Click Create New Instance.
    3. In the Password Credential Validators | Create New Instance page, enter the information as follows for each tab, then click Next to advance.
      • On the Type tab:
        • Instance Name: Enter the instance name. For example, vIDB Validator.
        • Instance ID: Enter the instance ID. For example, vIDB.
        • Type: Select LDAP Username Password Credential Validator.
      • On the Instance Configuration tab:
        • LDAP Datastore: Select the data store you are using.
        • Search Base: Enter your base DN to find your users and groups.
        • Search Filter: Enter a filter. For example, userPrincipalName=${username}.
        • Scope of Search: Select Subtree.
      • On the Extended Contract tab:
        • By default, the following are added:
          • DN
          • email
          • givenName
          • username
    4. Click Next, then click Save.
  2. Map the Validator in the Authorization Server Settings.
    1. Go to System > OAuth Settings > Authorization Server Settings.
    2. In Password Credentials Validator, select the one you previously created. For example, this documentation uses vIDB Validator.
    3. Click Save.
  3. Create the Resource Owner Credentials Grant Mapping.
    1. Go to Authentication > OAuth > Resource Owner Credentials Mapping.
    2. In the Resource Owner Credentials Grant Mapping window:
      • Source Password Validator Instance: Select the one you previously created and click Add Mapping.
    3. In the Resource Owner Credentials Grant Mapping | Resource Owner Credentials Mapping page, click Next to skip the Attribute Sources & User Lookup tab.
    4. On the Contract Fulfillment tab:
      • For USER_KEY, select Password Credentials Validator, and for Value, select username.
    5. Click Next to skip the Issuance Criteria tab, then click Save.
  4. Create the Access Token Mapping - Map the Password Credentials Validator to the Access Token Manager.
    This mapping is needed for the Password Grant workflow. If the mapping does not exist, PingFederate logs the following error:

    There are no access token managers available for the selected client and authentication context.

    1. Go to Applications > Access Token Mappings.
      • Context: Select the one you previously created. For example, this documentation uses vIDB Validator.
      • Access Token Manager: Select the one previously created. For example, this documentation uses vIDB Access Token Manager.
    2. Click Add Mapping.
    3. Click Next to skip the Attribute Sources & User Lookup tab.
    4. On the Contract Fulfillment tab, fill in the contract attributes as follows (Contract: Source, Value).
      • aud: Source Context. Value: the client ID previously created. For example, the ID used in this documentation is vIDB.
      • exp: Source No Mapping. Value: none.
      • iat: Source Expression. Value:

        @org.jose4j.jwt.NumericDate@now().getValue()

        This sets the issued-at time to the current time in seconds since the Unix epoch.
      • iss: Source Expression. (If Expression is not listed as a source, OGNL expressions must be enabled first; see the PingFederate documentation at https://docs.pingidentity.com/r/en-us/pingfederate-120/pf_enable_disable_express.) Value:

        #tmp=#this.get("context.HttpRequest").getObjectValue().getRequestURL().toString(), #url=new java.net.URL(#tmp), #protocol=#url.getProtocol(), #host=#url.getHost(), #port=#url.getPort(), #result=(#port != -1) ? @java.lang.String@format("%s://%s:%d", #protocol, #host, #port) : @java.lang.String@format("%s://%s", #protocol, #host)

        This builds the issuer from the scheme, host and port of the URL on which PingFederate received the token request; the port is included only when it appears explicitly in that URL. Because the value comes from the incoming request, it must equal the issuer that vCenter Server expects. If PingFederate is reached through a load balancer or reverse proxy, make sure the request URL PingFederate sees is the one vCenter Server uses.
      • userName: Source No Mapping. Value: none. This attribute is used later in the LDAP filter of the OIDC policy for the authorization code flow; for the password grant flow configured here, it is not needed.

    5. Click Next to skip the Issuance Criteria tab, then click Save.
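The following script is an added verification aid, not code from the VMware or Ping Identity documentation. It requests a token from PingFederate with the password grant and checks that the access token carries the aud, iss, iat and exp values the mapping above is meant to produce. Assumptions: the token endpoint is the PingFederate default /as/token.oauth2 on a hypothetical host sso.example.com:9031, the OAuth client (client ID vIDB) is configured for client-secret authentication sent as HTTP Basic, and the Access Token Manager issues JWT tokens (it must, for the claims in the table to exist). The expected_issuer helper is a Python restatement of the iss OGNL expression so you can compute what iss should contain. The JWT payload is decoded without signature verification, which is fine for inspecting configuration but never for trusting a token.

```python
import base64
import json
import time
import urllib.parse
import urllib.request


def expected_issuer(request_url: str) -> str:
    """Python equivalent of the iss OGNL expression: scheme://host, with
    :port appended only when the request URL carries an explicit port."""
    parts = urllib.parse.urlsplit(request_url)
    if parts.port is not None:
        return f"{parts.scheme}://{parts.hostname}:{parts.port}"
    return f"{parts.scheme}://{parts.hostname}"


def build_password_grant_request(token_endpoint, client_id, client_secret,
                                 username, password):
    """Resource owner password credentials request. Assumes the OAuth client is
    configured for client-secret authentication and sends it as HTTP Basic."""
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
    }).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return urllib.request.Request(token_endpoint, data=body, headers=headers,
                                  method="POST")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWS. The signature is NOT verified here:
    this is for inspecting what PingFederate issued, not for trusting it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated parts")
    return json.loads(_b64url_decode(parts[1]))


def check_access_token_claims(claims, expected_aud, expected_iss, now=None):
    """Compare the claims with what the access token mapping should produce.
    Returns a list of mismatches; an empty list means the mapping looks right."""
    now = int(time.time()) if now is None else now
    problems = []
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        problems.append(f"aud {aud!r} does not contain the client ID {expected_aud!r}")
    if claims.get("iss") != expected_iss:
        problems.append(f"iss {claims.get('iss')!r} != expected {expected_iss!r}")
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now + 60:  # 60 s clock-skew allowance
        problems.append(f"iat {iat!r} missing or in the future")
    exp = claims.get("exp")  # assumed to come from the Access Token Manager lifetime
    if not isinstance(exp, int) or exp <= now:
        problems.append(f"exp {exp!r} missing or already passed")
    return problems


def make_unsigned_test_token(claims: dict) -> str:
    """Constructed sample token (alg=none, empty signature) for offline checks only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    import getpass
    import sys

    # Hypothetical host; /as/token.oauth2 is PingFederate's token endpoint path.
    base_url = sys.argv[1] if len(sys.argv) > 1 else "https://sso.example.com:9031"
    endpoint = base_url + "/as/token.oauth2"
    client_id = "vIDB"
    req = build_password_grant_request(
        endpoint, client_id, getpass.getpass("client secret: "),
        input("username (UPN): "), getpass.getpass("password: "))
    with urllib.request.urlopen(req) as resp:
        token = json.load(resp)["access_token"]
    claims = decode_jwt_claims(token)
    print(json.dumps(claims, indent=2))
    for problem in check_access_token_claims(claims, client_id, expected_issuer(endpoint)):
        print("MISMATCH:", problem)
```

Run it with the PingFederate base URL as the first argument. If PingFederate returns an error instead of a token, recheck step 4: the "no access token managers available" message means the access token mapping for the password validator context is missing. If the claims print but iss is reported as a mismatch, the URL PingFederate observed for the request (typically because of a proxy or load balancer in front of it) differs from the one vCenter Server uses.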

What to do next

Continue with Create the Authorization Code Flow Configuration.