Bundled adapters and authenticators
PingFederate comes bundled with the following adapters and authenticators to enable common deployment scenarios.
Bundled adapters
- Composite Adapter
  Allows multiple configured identity provider (IdP) adapters to execute in sequence. Depending on the authentication context, use this capability, called adapter chaining, for either single-adapter usage or to support multi-factor authentication through a series of adapters. Learn more in Composite Adapter.
- HTML Form Adapter
  Used in conjunction with Password Credential Validators. These adapters provide integration with user data stores in directory servers or locally. Learn more in HTML Form Adapter.
- HTTP Basic Adapter
  Used in conjunction with Password Credential Validators. These adapters provide integration with user data stores in directory servers or locally. Learn more in HTTP Basic Adapter.
- Identifier First Adapter
  When a variety of user types authenticate at PingFederate, it is often better to ask the user for their identifier first, determine their user population, and prompt the user with the desired authentication requirements and experience. The Identifier First Adapter is designed to handle this use case. Learn more in Identifier First Adapter.
- Kerberos Adapter
  Provides a seamless desktop SSO experience for Windows environments and supports authentication mechanism assurance from the Active Directory domain service. For new configurations and as a simpler alternative to the separately available IWA Integration Kit, use this adapter. Learn more in Kerberos Adapter.
- OpenToken Adapter
  Provides a generic interface for integrating with various applications, including Java- and .NET-based applications. Learn more in OpenToken Adapter.
- Passthrough IdP Adapter
  The Passthrough IdP Adapter allows a user key to be associated with a user’s authentication sessions. By placing the Passthrough IdP Adapter downstream from an IdP connection in a policy tree, you can take advantage of additional capabilities associated with defining a user key. Learn more in Configuring a Passthrough IdP Adapter.
- PingID Adapter
  PingID is a cloud-based authentication service that binds user identities to their devices, making it an effective multi-factor authentication solution. Learn more in the PingID documentation.
- PingOne DaVinci Adapter
  Allows PingFederate to use PingOne as an IdP as part of your PingFederate authentication policy. You can find detailed information in the PingOne DaVinci Integration Kit.
- PingOne MFA Adapter
  Allows PingFederate to use the PingOne MFA service for multi-factor authentication (MFA). You can find detailed information in the PingOne MFA Integration Kit.
- PingOne Protect Adapter
  When a user signs on through PingFederate, the adapter sends the transaction information to the PingOne Protect service and retrieves a risk evaluation and other information about the user’s current and previous transactions. You can find detailed information in the PingOne Protect Integration Kit.
- PingOne Verify Adapter
  Allows PingFederate to use the PingOne Verify service to trigger an identity verification challenge as part of the PingFederate authentication policy or registration flow. For example, you can use this adapter for personal identity verification based on a government-issued photo ID. You can find detailed information in the PingOne Verify Integration Kit.
Bundled authentication selectors
PingFederate provides plugin authentication selectors, which enable dynamic selection of authentication sources based on administrator-specified criteria. Along with the Composite Adapter and token authorization, the selectors enable dynamic integration with an organization’s authentication or authorization policies, also known as adaptive federation.
To select subsequent selectors or authentication sources for handling complex hierarchical access-policy decisions, use the results of authentication-selection criteria evaluation. Learn more in Authentication policies.
- CIDR Authentication Selector
  Provides a means of choosing authentication sources or other selectors at runtime based on whether an end-user’s IP address falls within specified ranges using Classless Inter-Domain Routing notation. This selector allows administrators to determine, for example, whether an SSO request originates inside or outside the corporate firewall and use different authentication integration accordingly. Learn more in Configuring the CIDR Authentication Selector.
- Cluster Node Authentication Selector
  Provides a means of picking authentication sources or other selectors at runtime based on the PingFederate cluster node that is servicing the request. For example, you can configure this selector to choose whether PingFederate attempts Integrated Windows Authentication based on the PingFederate cluster node with which a Key Distribution Center is associated. Learn more in Configuring the Cluster Node Authentication Selector.
- Connection Set Authentication Selector
  Provides a means of selecting authentication sources or other selectors at runtime based on a match found between the target SP connection used in an SSO request and SP connections configured within PingFederate. For example, administrators with different requirements for SP connections can override connection adapter selection on an individual connection basis. Learn more in Configuring the Connection Set Authentication Selector.
- Extended Property Authentication Selector
  Enables PingFederate to choose configured authentication sources or other selectors based on a match found between a selector result value and an extended property value from the invoking browser-based SSO connections or OAuth client. Learn more in Configuring the Extended Property Authentication Selector.
- HTTP Header Authentication Selector
  Provides a means of choosing authentication sources or other selectors at runtime based on a match found using wildcard expressions in an HTTP header. This selector allows administrators to determine, for example, authentication behavior based on the type of browser. Learn more in Configuring the HTTP Header Authentication Selector.
- HTTP Request Parameter Authentication Selector
  Provides a means of selecting authentication sources or other selectors at runtime based on query parameter values in the HTTP request. Learn more in Configuring the HTTP Request Parameter Authentication Selector.
- OAuth Client Set Authentication Selector
  Enables PingFederate to choose configured authentication sources or other selectors based on a match found between the client information in an OAuth request and the OAuth clients configured in the PingFederate OAuth authorization server (AS). This selector allows you to override client authentication selection on an individual client basis in one or more authentication policies. Learn more in Configuring the OAuth Client Set Authentication Selector.
- OAuth Scope Authentication Selector
  Provides a means of selecting authentication sources or other selectors at runtime based on a match found between the scopes of an OAuth authorization request and scopes configured in the PingFederate OAuth authorization server (AS). For example, if a client requires write access to a resource, administrators can configure the selector to choose an adapter that offers a stronger form of authentication, such as the X.509 client certificate, rather than the username and password. Learn more in Configuring the OAuth Scope Authentication Selector.
- Requested AuthN Context Authentication Selector
  Provides a means of picking authentication sources or other selectors at runtime based on the authentication context requested by an SP, for SP-initiated SSO. Configured authentication sources are mapped either to SAML-specified contexts or any ad-hoc context agreed upon between the IdP and SP partners. Learn more in Configuring the Requested AuthN Context Authentication Selector.
- Session Authentication Selector
  Enables PingFederate to choose a policy path at runtime based on whether the user already has a PingFederate authentication session for a particular source. Learn more in Configuring the Session Authentication Selector.
Authentication selectors rely on HTTP requests, HTTP headers, POST data, or a combination of these inputs. Ensure that standard security measures are in place when using these selectors.
Software development kit (SDK)
The PingFederate SDK provides a flexible means of creating custom adapters to integrate federated identity management into your system environment. Learn more in the PingFederate SDK Developer’s Guide.