Ping Federate - Coggle Diagram
Ping Federate
Authentication
IDP Connections
As a service provider (SP) site, you can manage connection settings to support the exchange of federation-protocol messages, such as OpenID Connect or SAML (including the user attributes that you expect to receive in an SSO token, such as a SAML assertion).
IDP Default URL
As an identity provider (IdP), you can optionally prompt end users to confirm their single logout (SLO) requests and provide a default URL indicating a successful SLO to the end user, if no other page is designated.
IDP Adapters
An identity provider (IdP) adapter looks up session information and provides user identification to PingFederate. You must configure at least one instance of an IdP adapter in order to set up connections to service provider (SP) partners.
Policies
An authentication policy is a tree of authentication sources, selector instances, or a combination of them. It defines the decision either to route a request through a series of approved authentication sources, with an optional authentication policy contract or a local identity profile at the end, or to deny the request.
Selectors
Authentication selectors provide a plugin capability for PingFederate to evaluate various conditions related to the requests. PingFederate comes bundled with a set of authentication selectors. As an example, you can create an HTTP Header Authentication Selector to detect mobile browsers, a CIDR Authentication Selector to evaluate whether the users' IP addresses fall within your internal network ranges, or an HTTP Request Parameter Authentication Selector to identify identity provider (IdP) connections based on the PartnerIdpId parameter values provided in the service provider (SP)-initiated SSO requests.
Policy Contracts
A policy contract provides the capability to build an attribute contract with attribute values from multiple datastore queries through an authentication policy. It gives you the flexibility to map only the policy contract to a connection: administrators do not have to map into the connection the authentication sources in the policy leading up to the contract. For example, administrators can experiment with various IdP adapter instances without the burden of adding them to and removing them from the connection. It also offers the potential to reuse authentication policies that use the same policy contract in multiple service provider (SP) connections, identity provider (IdP) connections, and OAuth use cases, using the OAuth Authorization Code or Implicit grant types.
Sessions
Authentication sessions control when PingFederate redirects previously authenticated users back to the authentication sources on subsequent requests for browser-based single sign-on (SSO) or PingFederate applications. Authentication sessions typically wrap an adapter so that PingFederate creates the session when user authentication has succeeded. PingFederate invokes the adapter's authentication logic again only when the session reaches its limits. However, depending on the implementation, an adapter can be aware of an authentication session that wraps it and override this logic.
Local Identity Profiles
When associated with an HTML Form Adapter instance, a local identity profile provides users the option to authenticate through third-party identity providers, self-register as part of the sign-on experience, and manage their accounts through a self-service profile management page.
Fragments
Fragments make policies easier to administer, allowing you to extract common patterns that exist among different policies and to manage them in one place. For example, you can create a reusable policy fragment with policy components that you frequently use and apply that fragment in multiple policies.
CIBA Authenticators
Manage the Client Initiated Backchannel Authentication (CIBA) authenticators in PingFederate.
A CIBA authenticator is responsible for authenticating users through an out-of-band method. You can use the PingFederate SDK to implement a custom solution. For more information, see the Javadoc for the OOBAuthPlugin interface, the SampleEmailAuthPlugin.java file for a sample implementation, and the SDK developer's guide for build and deployment information.
Token Processors
The PingFederate Security Token Service (STS) uses token processors to validate incoming tokens and token requests. You must configure at least one processor in order to set up an STS connection or a token-to-token mapping.
For more information about WS-Trust, see Web services standards.