Configuring an adapter instance
To get started with the integration, deploy the PingOne Protect Integration Kit files to your PingFederate directory.
Steps
-
In the PingFederate administrative console, go to Authentication > Integration > IdP Adapters. Click Create New Instance.
-
On the Type tab, set the basic adapter instance attributes:
-
In the Instance Name field, enter a name for the adapter instance.
-
In the Instance ID field, enter a unique identifier for the adapter instance.
-
In the Type list, select PingOne Protect IdP Adapter. Click Next.
-
-
Optional: On the IdP Adapter tab, in the Additional User Attributes (optional) section, you can configure additional attributes to send to PingOne Protect.
-
Optional: On the IdP Adapter tab, in the Additional Risk Predictors (optional) section, you can configure custom risk predictors to send to PingOne Protect, beyond the predictor types provided out-of-the-box.
-
Click Add a new row to 'Additional Risk Predictors (optional)'.
-
In the Incoming Attribute Name field, enter the name of an attribute from any authentication source that appears earlier in your PingFederate authentication policy than the PingOne Protect IdP Adapter.
-
In the PingOne Protect Attribute list, select the PingOne attribute that you want to populate.
-
In the Action column, click Update.
-
To add more attributes, repeat steps a - d.
-
-
Optional: On the IdP Adapter tab, in the PingOne Protect API Response Mappings section, map the attributes from PingOne Protect Evaluation API response to the attribute contract.
These attributes will become available in your PingFederate authentication policy.
-
Click Add a new row to 'PingOne Protect API Response Mappings'.
-
In the Local Attribute field, enter a name of your choosing for an attribute.
-
In the PingOne Protect API Attribute Mapping field, enter the JSON Pointer syntax for the source PingOne attribute.
Example:
For example, the JSON pointer
/details/ipAddressReputation/levelwill return the IP address repuation level, such asLOW. -
In the Action column, click Update.
-
To add more attributes, repeat steps a - d.
If you skip performing a fraud evaluation in the adapter, the response mappings might not be returned.
-
-
On the IdP Adapter tab, configure the adapter instance using the settings listed in IdP Adapter settings reference. Click Next.
-
On the Actions tab, test your connection to PingOne Protect. Resolve any issues that are reported, and then click Next.
-
On the Extended Contract tab, add any attributes that you included in the PingOne Protect API Response Mappings section of the IdP Adapter tab. Click Next.
-
On the Adapter Attributes tab, set pseudonym and masking options as shown in Set pseudonym and masking options in the PingFederate documentation. Click Next.
-
On the Adapter Contract Mapping tab, configure the contract fulfillment details for the adapter as shown in Define the IdP adapter contract in the PingFederate documentation. Click Next.
-
On the Summary tab, check and save your configuration. Click Save.
Direct changes to Javascript files
In addition to the configuration in the PingFederate administrative console, you must make the following change directly to the relevant Javascript file if you want the device data in the SDK payload to be provided as a signed JWT.
-
Open the file
<installation directory>\server\default\conf\template\assets\scripts\pingone-protect-device-profiling.js. -
Add this line:
universalDeviceIdentification: true
|
The option of using a signed JWT was introduced in version 1.0.4 of the integration kit. |
IdP Adapter settings reference
Field descriptions for the PingOne Protect IdP Adapter configuration screen.
| Field | Value | Description |
|---|---|---|
PingOne Environment |
<PingOne Connection> |
Your PingOne Environment. Create connections in System > External Systems > PingOne Connections. This field is blank by default. |
PingOne Risk Policy |
<PingOne Risk Policy Name> |
The risk policy used by PingOne for the risk evaluation. Overrides the environment and global default policy selections. This list is populated when you select a PingOne Environment. |
| Field | Value | Description |
|---|---|---|
Include Dynamic Device Profile |
|
When enabled, PingFederate will include a device profile in the risk evaluation. |
Device Profiling Timeout |
|
The amount of time in milliseconds that PingFederate waits for the device profiling script to collect device details. Applies only if Device Profiling Method is set to Captured by this adapter. |
Device Profile Cookie Name |
|
The name of the cookie that indicates whether the device profile has been captured. |
Failure Mode |
|
When PingOne Protect is unavailable or an error occurs, this setting determines whether the user’s sign-on attempt should fail or continue with a pre-determined policy decision. |
Fallback Policy Decision Value |
|
The fallback fraud evaluation level to use in the authentication policy when the PingOne Protect service is unavailable or an error occurs, and Failure Mode is set to Continue with fallback policy decision. |
API Request Timeout |
|
The amount of time in milliseconds that PingFederate allows when establishing a connection with PingOne Protect or waiting for a response to a request. A value of |
Proxy Settings |
|
Defines proxy settings for outbound HTTP requests. |
Custom Proxy Host |
<Proxy server host> |
The proxy server host name to use when Proxy Settings is set to Custom. This field is blank by default. |
Custom Proxy Port |
<Proxy server port> |
The proxy server port to use when Proxy Settings is set to Custom. This field is blank by default. |
Custom Connection Pool |
|
The number of connections to PingOne Protect. Can be between |