Configure PingFederate for CBA
  • 20 Dec 2023
  • 4 Minutes to read
  • Dark
    Light
  • PDF

Configure PingFederate for CBA

  • Dark
    Light
  • PDF

Article summary

Enable your users to sign into PingFederate with certificates issued from your Axiad Cloud tenant.

Configure PingFederate for CBA

  1. Ensure you added your Axiad Cloud tenant’s certificates as trusted PingFederate CAs.

  2. Ensure you've enabled PingFederate to check your Axiad Cloud certificate revocation list (CRL).

  3. Log into the server running PingFederate.

  4. Stop the PingFederate service.

  5. List the directory contents of {PingFederate Install Directory}/pingfederate/server/default/deploy.

  6. Check which version is listed for the x509 Certificate Adapter. (For example, x509-certificate-adapter-1.3.1.jar).

  7. Open the Ping Identity support documentation for the x509 Integration Kit.

  8. If your server does not have a JAR file, download the x509 Integration Kit and add the JAR file to the {PingFederate Install Directory}/pingfederate/server/default/deploy folder.

  9. If your server has an older JAR file version than the one listed on the Ping Identity support documentation:

    1. Download the new x509 Integration Kit.

    2. Delete the old JAR file on the server

    3. Add the new JAR file to the same folder.

  10. Edit the {PingFederate Install Directory}/pingfederate/server/default/data/config-store/session-cookie-config.xml configuration file.

  11. Add the domain FQDN for the PingFederate Server with a preceding period to the item <c:item name="cookie-domain">{.domain_name_with_preceding_period}</c:item>.
    The FQDN will be used again as the Client Auth Hostname in a later step.

  12. You must enable the Secondary HTTPS Port in the PingFederate configuration if it has not previously been configured.
    For more details, see PingFederate’s official documentation for the Secondary HTTPS Port.

  13. Follow one of the two steps below to enable a Secondary HTTPS Port:

    1. During PingFederate installation, set the Secondary HTTPS Port on the Engine Settings screen.

    2. Alternatively, you can modify the run.properties file:

      1. Stop the PingFederate service

      2. Edit the run.properties file in the directory {PingFederate Install Directory}/pingfederate/bin.

      3. Change the pf.secondary.https.port from “-1” to a valid port number.
        This port number needs to be reachable by end users. If it is already set a value other than “-1” it is already enabled, and no updates are necessary.

      4. Note the port number, as it is needed in a later step.

  14. Start the PingFederate service.

  15. Open the PingFederate administrative console.

    NOTE

    We recommend you verify the following steps using the official PingFederate documentation.

  16. Navigate to Authentication > Integration > IdP Adapters.

  17. Click Create New Instance.

  18. Enter an Instance Name such as Axiad Cloud.
    This field is what displays to end users.

  19. Enter an Instance ID such as AxiadCloudx509.
    This field does not allow spaces.

  20. For Type, select X.509 Certificate IdP Adapter 1.3.1.

  21. Click Next.

  22. Optionally, you can restrict the certificates allowed for end users to authenticate with this adapter:

    1. Click Add a new row to Constrain Acceptable Root Issuers.

    2. Enter the DN of the trusted CA.

    3. Ensure that the CA is also trusted by PingFederate.
      By default, any certificate authority that is trusted by PingFederate will be used to validate the end user’s authentication certificates.

  23. Enter the Secondary HTTPS port number as defined in the run.properties file in the Client Auth Port field.

  24. Enter Client Auth Hostname as a FQDN of the PingFederate server.

  25. Click Next.

  26. Add any additional attributes that are needed for authenticating a user.
    These attributes can be retrieved from any of the defined Data Stores in PingFederate, such as Active Directory.

  27. Click Next.

  28. For Unique User Key Attribute, select email from the drop-down list.

  29. Check Pseudonym next to email.

  30. Click Next.

  31. Optionally, retrieve any additional attributes from the Extended Contract section in your PingFederate Data Source (such as Active Directory).

    1. Click Configure Adapter Contract.

    2. Click Add Attribute Source.

    3. Enter the Attribute Source ID and the Attribute Source Description.

    4. Select the appropriate Active Data Store where the data is coming from.

    5. Click Next.

    6. For the Base DN enter the appropriate DN to scope searching for objects.
      The Base DN is optional if the entire directory should be search for the object, or a DN of a specific container to restrict the search scope.

    7. Select the appropriate Search Scope.

    8. In the Attributes to return from search section, add all the required attributes to retrieve from the data source.

      NOTES

      • The drop down box in the first column is a filter to only show attributes based on a specific object class. To see all attributes select Show All Attributes in from this drop down. If you select User in this drop down, some attributes might not show up (e.g., Enabled and memberOf is not available). Use the show all attributes option to add these attributes.

      • Click View Attribute Contract at the bottom of this page to show the attributes you previously added. This will ensure attributes from the data source are available.

      • The sort order of the attributes show capital letters first. If you can not find a specific attribute, scroll through the entire list.

    9. In the Filter field, add an LDAP filter that will uniquely identify the user from an attribute that is available from the user’s certificate.

      1. A common filter: userPrincipalName=${email}

    10. Click Next

    11. Click Done, not Save.

  32. Click Next.

  33. Confirm the data mappings on the Adapter Contract Fulfillment tab. Any attribute that is coming from the certificate should be set to Adapter. Any attribute that is coming from Active Directory should be set to the appropriate LDAP item and you will need to select the attribute name in the value column. If no additional attributes were added their should be no changes needed.

  34. Click Next.

  35. Optionally define any criteria for a successful issuance on the Issuance Criteria tab. For example, check if the user is a member of a specific group or ensure the user account is enabled.

  36. Click Next.

  37. Confirm the settings are correct and click Done.

  38. Click Next.

  39. Confirm the settings are correct and click Save.

  40. Restart the PingFederate service.

Now that the X.509 IdP Adapter has been created, it can be used with any application defined in PingFederate as an authentication source. PingFederate allows you to add multiple authentication sources resulting in the end user being prompted to select which method they want to use to authenticate.


Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.