The Ping One For Customers Pass Through Authentication Plugin provides the ability for a local user to authenticate with a password from an account in the PingOne for Customers service. Depending on the configuration, the authentication may be attempted only in the PingOne for Customers service, or it may be attempted locally first and only forwarded to the PingOne for Customers service if the local attempt fails. Only simple bind operations are supported.
The Ping One For Customers Pass Through Authentication Plugin component inherits from the Plugin
The following components have a direct aggregation relation from Ping One For Customers Pass Through Authentication Plugins:
The properties supported by this managed object are as follows:
Description | A description for this Plugin |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
enabled
Description | Indicates whether the plug-in is enabled for use. |
Default Value | None |
Allowed Values | true, false |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
api-url
Description | Specifies the API endpoint for the PingOne for Customers web service. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
auth-url
Description | Specifies the API endpoint for the PingOne for Customers authentication service. The Auth URL can be found under the Connections tab in the PingOne for Customers Admin Console, within the Application configured for use with Data Sync Server. The necessary URL is listed in the Configuration section as the Token Endpoint. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
oauth-client-id
Description | Specifies the OAuth Client ID used to authenticate connections to the PingOne for Customers API. The Client ID can be found under the Connections tab in the PingOne for Customers Admin Console, within the Application configured for use with Data Sync Server. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
oauth-client-secret
Description | Specifies the OAuth Client Secret used to authenticate connections to the PingOne for Customers API. The Client Secret can be found under the Connections tab in the PingOne for Customers Admin Console, within the Application configured for use with Data Sync Server. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
environment-id
Description | Specifies the PingOne for Customers Environment that will be associated with this Ping One For Customers Pass Through Authentication Plugin. The Environment ID can be found under the Settings tab in the PingOne for Customers Admin Console. |
Default Value | None |
Allowed Values | Environment ID must be in the format of a UUID v4. |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
Description | The base DNs for the local users whose authentication attempts may be passed through to the PingOne for Customers service. If one or more base DNs are specified, then only binds attempted by users at or below one of those base DNs may be passed through to the PingOne for Customers service. If no base DNs are specified, then all public naming contexts will be used as the default set of base DNs. |
Default Value | None |
Allowed Values | A valid DN. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | A reference to connection criteria that will be used to indicate which bind requests should be passed through to the PingOne for Customers service. If a connection criteria object is specified, then only bind requests from clients that match this criteria may be passed through to the PingOne for Customers service. If no connection criteria object is specified, then bind requests from any client may be passed through. |
Default Value | None |
Allowed Values | The DN of any Connection Criteria. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | A reference to request criteria that will be used to indicate which bind requests should be passed through to the PingOne for Customers service. If a request criteria object is specified, then only bind requests that match this criteria may be passed through to the PingOne for Customers service. If no request criteria object is specified, then all bind requests may be passed through. |
Default Value | None |
Allowed Values | The DN of any Request Criteria. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
try-local-bind
Description | Indicates whether to attempt the bind in the local server first, or to only send it to the PingOne for Customers service. If this property has a value of true, then the bind operation will first be processed locally, and the authentication attempt will only be forwarded to the PingOne for Customers service if the local bind fails. If this property has a value of false, then the authentication will only be attempted in the PingOne for Customers service. |
Default Value | true |
Allowed Values | true, false |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | Indicates whether to attempt the authentication in the PingOne for Customers service if the local user entry includes a password. This property will only be used if try-local-bind is true. If this property has a value of false, then authentication attempts will only be forwarded to the PingOne for Customers service for users who don't have a local password, and bind attempts for users with a local password will only be attempted locally. If this property has a value of true, then authentication attempts will be forwarded to the PingOne for Customers service if the local attempt fails, even if the local entry has a password. |
Default Value | true |
Allowed Values | true, false |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
update-local-password
Description | Indicates whether to overwrite the user's local password if the local bind fails but the authentication attempt succeeds in the PingOne for Customers service. This property is only used if the try-local-bind property has a value of true. If update-local-password is true, the local bind attempt fails, and the PingOne for Customers authentication attempt succeeds, then the local entry will be updated to set the user's password to the provided bind password. The local password will not be altered if the PingOne for Customers authentication attempt fails. The property 'update-local-password-dn' should also be set to a DN if passwords are bidirectionally synchronized between the PingOne for Customers service and PingDirectory Server. If update-local-password is false, the local bind attempt fails, and the PingOne for Customers authentication attempt succeeds, then the LDAP bind operation will still be considered a success, but the user's local password will not be altered. |
Default Value | false |
Allowed Values | true, false |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
update-local-password-dn
Description | The DN of the user as which the plugin will overwrite the user's local password if update-local-password is set. The DN given here should be added to 'ignore-changes-by-dn' in the appropriate Sync Source. Use this property if Sync is configured to synchronize password changes from PingDirectory Server to the PingOne for Customers service and is also configured to wipe the password in PingDirectory Server when it detects that the password has changed in the PingOne for Customers service. In that case, changing the password in the PingOne for Customers service wipes the password in PingDirectory Server, so the next authentication attempt against PingDirectory Server is passed through to PingOne for Customers; if the PingOne for Customers Pass Through Authentication plugin then updates the password in PingDirectory Server, that change may be synchronized back to the PingOne for Customers service, which can cause the password to be wiped in PingDirectory Server again. With this property, the password need not be wiped: the plugin updates the password as the DN given here, and if Sync is configured to ignore changes by that DN, the password change is not synchronized to the PingOne for Customers service after the bind, so the password is not wiped in PingDirectory Server. The account named by this property must have access control permission to update the passwords of any users that may use pass-through authentication (or the bypass-acl privilege), and it must have the password-reset privilege. |
Default Value | None |
Allowed Values | A valid DN. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
allow-lax-pass-through-authentication-passwords
Description | Indicates whether to overwrite the user's local password even if the password used to authenticate to the PingOne for Customers service would have failed validation if the user attempted to set it directly. This property is only used if the try-local-bind and update-local-password properties both have values of true. If this property has a value of true, the local bind attempt fails, and the authentication attempt to PingOne for Customers succeeds, then the local password will be overwritten regardless of whether it would have passed the validation requirements of the user's password policy. If this property has a value of false, the local bind attempt fails, and the authentication attempt to PingOne for Customers succeeds, then the local password will be overwritten only if it satisfies the requirements for all password validators in the user's password policy. In that case, if the password from PingOne for Customers does not meet local password policy constraints, then the bind attempt will fail. |
Default Value | true |
Allowed Values | true, false |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
ignored-password-policy-state-error-condition
Description | A set of password policy state error conditions that should not be enforced when authentication succeeds in the PingOne for Customers service. This option can only be used if try-local-bind is true. |
Default Value | None |
Allowed Values | One or more of the values listed below. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
Allowed values for ignored-password-policy-state-error-condition:
- temporarily-locked-due-to-failures - If this value is present, then the user is permitted to authenticate with a password from the PingOne for Customers service even if their account is currently temporarily locked after too many failed authentication attempts. If this value is absent, then a user whose account is temporarily locked will not be permitted to authenticate until the lockout period expires, until the user's local password is reset by an administrator, or until the administrator manually unlocks the account with the manage-account tool or the password policy state extended operation.
- permanently-locked-due-to-failures - If this value is present, then the user is permitted to authenticate with a password from the PingOne for Customers service even if their account is currently permanently locked after too many failed authentication attempts. If this value is absent, then a user whose account is permanently locked will not be permitted to authenticate until their local password is reset by an administrator or until the administrator manually unlocks the account with the manage-account tool or the password policy state extended operation.
- locked-due-to-idle-interval - If this value is present, then the user is permitted to authenticate with a password from the PingOne for Customers service even if their account is locked because it has been unused for too long. If this value is absent, then a user whose account is idle-locked will not be permitted to authenticate until their local password is reset by an administrator or until the administrator manually unlocks the account with the manage-account tool or the password policy state extended operation.
- locked-due-to-maximum-reset-age - If this value is present, then the user is permitted to authenticate with a password from the PingOne for Customers service even if their account is locked because their password was reset by an administrator but they failed to choose a new password in a timely manner. If this value is absent, then a user whose account is reset-locked will not be permitted to authenticate until their local password is again reset by an administrator or until the administrator manually unlocks the account with the manage-account tool or the password policy state extended operation.
- password-is-expired - If this value is present, then the user is permitted to authenticate with a password from the PingOne for Customers service even if their local password is expired. If this value is absent, then a user whose password is expired will not be permitted to authenticate until their local password is reset by an administrator or until the administrator manually resets the password changed time with the manage-account tool or the password policy state extended operation.
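The interaction of try-local-bind, the property that forwards users who already have a local password, update-local-password, allow-lax-pass-through-authentication-passwords and ignored-password-policy-state-error-condition determines whether a bind succeeds and whether the local password gets overwritten. The following is an added model of that decision, not the plugin's own code; the page gives no name for the "forward even if the entry has a local password" property, so `forward_if_local_password` is a placeholder, and PingOne's verdict is passed in as a boolean.

```python
from dataclasses import dataclass

# Added example, not the plugin's source: models the bind decision described by
# the properties on this page so a configuration's effect can be checked before
# deployment (e.g. which settings let a locked account authenticate, or when a
# PingOne password is written into the local entry).

@dataclass(frozen=True)
class PluginConfig:
    try_local_bind: bool = True
    # Placeholder name: the page describes this property but does not name it.
    forward_if_local_password: bool = True
    update_local_password: bool = False
    allow_lax_pass_through_authentication_passwords: bool = True
    ignored_password_policy_state_error_condition: frozenset = frozenset()

@dataclass(frozen=True)
class LocalUser:
    has_local_password: bool
    local_password_matches: bool       # would a plain local bind succeed?
    state_error_conditions: frozenset  # e.g. {"password-is-expired"}
    passes_password_validators: bool   # does the bind password satisfy local policy?

@dataclass(frozen=True)
class Outcome:
    bind_succeeds: bool
    forwarded_to_pingone: bool
    local_password_overwritten: bool
    reason: str

def decide_bind(cfg: PluginConfig, user: LocalUser, pingone_accepts: bool) -> Outcome:
    """Return what the plugin does for one simple bind, given PingOne's verdict."""
    if not cfg.try_local_bind:
        # Authentication is attempted only in PingOne; the local entry is never updated.
        return Outcome(pingone_accepts, True, False, "pingone-only")
    if user.has_local_password and user.local_password_matches and not user.state_error_conditions:
        return Outcome(True, False, False, "local-bind-succeeded")
    if user.has_local_password and not cfg.forward_if_local_password:
        return Outcome(False, False, False, "local-only-for-users-with-password")
    if not pingone_accepts:
        return Outcome(False, True, False, "pingone-rejected")
    # PingOne accepted: local policy-state errors still block unless explicitly ignored.
    enforced = user.state_error_conditions - cfg.ignored_password_policy_state_error_condition
    if enforced:
        return Outcome(False, True, False, "blocked-by-" + ",".join(sorted(enforced)))
    if not cfg.update_local_password:
        return Outcome(True, True, False, "pingone-accepted-local-password-untouched")
    if cfg.allow_lax_pass_through_authentication_passwords or user.passes_password_validators:
        return Outcome(True, True, True, "pingone-accepted-local-password-overwritten")
    # Strict mode: a PingOne password that fails local validators fails the bind.
    return Outcome(False, True, False, "pingone-password-fails-local-validators")

if __name__ == "__main__":
    locked = LocalUser(False, False, frozenset({"temporarily-locked-due-to-failures"}), True)
    print(decide_bind(PluginConfig(), locked, True))
```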
user-mapping-local-attribute
Description | The names of the attributes in the local user entry whose values must match the values of the corresponding fields in the PingOne for Customers service. This property must have the same number of values as the user-mapping-remote-json-field property, and the order of the values in the user-mapping-local-attribute property must correspond to the order of values in the user-mapping-remote-json-field property. Only an entry that contains values for all of the listed attributes may be mapped to a user in the PingOne for Customers service. The search performed in the PingOne for Customers service must match exactly one account. If the search does not match any accounts, or if it matches multiple accounts, then the mapping will fail. If multiple local attributes and PingOne fields are specified, then the search that the plugin performs in the PingOne for Customers service will be an AND across the corresponding PingOne fields. If any of the listed attributes has multiple values, then the search in the PingOne for Customers service will contain an OR of each of those values in the corresponding PingOne field. |
Default Value | None |
Allowed Values | The name or OID of an attribute type defined in the server schema. |
Multi-Valued | Yes |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
user-mapping-remote-json-field
Description | The names of the fields in the PingOne for Customers service whose values must match the values of the corresponding attributes in the local user entry, as specified in the user-mapping-local-attribute property. This property must have the same number of values as the user-mapping-local-attribute property, and the order of the values in the user-mapping-local-attribute property must correspond to the order of values in the user-mapping-remote-json-field property. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | Yes |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
additional-user-mapping-scim-filter
Description | An optional SCIM filter that will be ANDed with the filter created to identify the account in the PingOne for Customers service that corresponds to the local entry. Only the "eq", "sw", "and", and "or" filter types may be used. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
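The user-mapping-local-attribute, user-mapping-remote-json-field and additional-user-mapping-scim-filter properties together define the PingOne account lookup: an AND across the mapped fields, an OR across the values of a multi-valued attribute, the extra filter ANDed on, and a requirement that exactly one account match. The following added example (not the plugin's own code) builds that lookup for a local entry; the exact filter text the plugin sends is not shown on the page, so the rendering is this example's own, and the operator check for the additional filter is a heuristic.

```python
import re

# Added example, not the plugin's source: builds the SCIM lookup described by the
# user-mapping-* and additional-user-mapping-scim-filter properties on this page.

_SCIM_OPERATORS = {"eq", "ne", "co", "sw", "ew", "pr", "gt", "ge", "lt", "le", "and", "or", "not"}
_ALLOWED_OPERATORS = {"eq", "sw", "and", "or"}   # the only filter types the page permits

def scim_quote(value: str) -> str:
    """Quote a value as a SCIM string literal (JSON-style escaping of backslash and quote)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def check_additional_filter(scim_filter: str) -> list:
    """Heuristic check: strip quoted literals, then return any SCIM operators not allowed."""
    unquoted = re.sub(r'"(?:[^"\\]|\\.)*"', '""', scim_filter)
    used = {w.lower() for w in re.findall(r"[A-Za-z]+", unquoted)} & _SCIM_OPERATORS
    return sorted(used - _ALLOWED_OPERATORS)

def build_mapping_filter(local_attrs, remote_fields, entry, additional_filter=None):
    """Return the SCIM filter for a local entry, or None if the entry cannot be mapped.

    entry maps LDAP attribute names to lists of values (constructed sample input below).
    """
    if len(local_attrs) != len(remote_fields):
        raise ValueError("user-mapping-local-attribute and user-mapping-remote-json-field "
                         "must have the same number of values")
    lowered = {k.lower(): v for k, v in entry.items()}   # LDAP attribute names are case-insensitive
    clauses = []
    for attr, field in zip(local_attrs, remote_fields):
        values = lowered.get(attr.lower()) or []
        if not values:
            return None   # entry lacks a mapped attribute: it is never mapped
        terms = [f"{field} eq {scim_quote(v)}" for v in values]
        # Multi-valued attribute: OR across its values; mapped fields are ANDed together.
        clauses.append(terms[0] if len(terms) == 1 else "(" + " or ".join(terms) + ")")
    if additional_filter:
        bad = check_additional_filter(additional_filter)
        if bad:
            raise ValueError(f"additional-user-mapping-scim-filter uses disallowed operators {bad}")
        clauses.append(f"({additional_filter})")
    return " and ".join(clauses)

def select_mapped_account(search_results):
    """Mapping succeeds only when the search matched exactly one PingOne account."""
    return search_results[0] if len(search_results) == 1 else None

if __name__ == "__main__":
    # Constructed sample entry with a multi-valued mail attribute and a placeholder population id.
    sample = {"mail": ["alice@example.com", "a.smith@example.com"], "uid": ["alice"]}
    print(build_mapping_filter(["mail", "uid"], ["email", "username"], sample,
                               'population.id eq "POP-ID-PLACEHOLDER"'))
```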
invoke-for-internal-operations (Advanced Property)
Description | Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operations that can cause the same plug-in to be re-invoked. |
Default Value | true |
Allowed Values | true, false |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
To list the configured Plugins:
dsconfig list-plugins [--property {propertyName}] ...
To view the configuration for an existing Plugin:
dsconfig get-plugin-prop --plugin-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the configuration for an existing Plugin:
dsconfig set-plugin-prop --plugin-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new Ping One For Customers Pass Through Authentication Plugin:
dsconfig create-plugin --plugin-name {name} --type ping-one-for-customers-pass-through-authentication --set enabled:{propertyValue} --set api-url:{propertyValue} --set auth-url:{propertyValue} --set oauth-client-id:{propertyValue} --set oauth-client-secret:{propertyValue} --set environment-id:{propertyValue} --set user-mapping-local-attribute:{propertyValue} --set user-mapping-remote-json-field:{propertyValue} [--set {propertyName}:{propertyValue}] ...
To delete an existing Plugin:
dsconfig delete-plugin --plugin-name {name}