
Ping One For Customers Pass Through Authentication Plugin

The Ping One For Customers Pass Through Authentication Plugin provides the ability for a local user to authenticate with a password from an account in the PingOne for Customers service. Depending on the configuration, the authentication may be attempted only in the PingOne for Customers service, or it may be attempted locally first and only forwarded to the PingOne for Customers service if the local attempt fails. Only simple bind operations are supported.

Parent Component
Relations from This Component
Properties
dsconfig Usage

Parent Component

The Ping One For Customers Pass Through Authentication Plugin component inherits from the Plugin.

Relations from This Component

The following components have a direct aggregation relation from Ping One For Customers Pass Through Authentication Plugins:

Properties

The properties supported by this managed object are as follows:


Basic Properties:
     description
     enabled
     api-url
     auth-url
     oauth-client-id
     oauth-client-secret
     environment-id
     included-local-entry-base-dn
     connection-criteria
     request-criteria
     try-local-bind
     override-local-password
     update-local-password
     update-local-password-dn
     allow-lax-pass-through-authentication-passwords
     ignored-password-policy-state-error-condition
     user-mapping-local-attribute
     user-mapping-remote-json-field
     additional-user-mapping-scim-filter

Advanced Properties:
     invoke-for-internal-operations

Basic Properties

description

Description
A description for this Plugin
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Description
Indicates whether the plug-in is enabled for use.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

api-url

Description
Specifies the API endpoint for the PingOne for Customers web service.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

auth-url

Description
Specifies the API endpoint for the PingOne for Customers authentication service. The Auth URL can be found under the Connections tab in the PingOne for Customers Admin Console. Specifically, it is within the Application configured for use with Data Sync Server. The necessary URL will be in the Configuration section as the Token Endpoint.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

oauth-client-id

Description
Specifies the OAuth Client ID used to authenticate connections to the PingOne for Customers API. The Client ID can be found under the Connections tab in the PingOne for Customers Admin Console. Specifically, it is within the Application configured for use with Data Sync Server.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

oauth-client-secret

Description
Specifies the OAuth Client Secret used to authenticate connections to the PingOne for Customers API. The Client Secret can be found under the Connections tab in the PingOne for Customers Admin Console. Specifically, it is within the Application configured for use with Data Sync Server.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

environment-id

Description
Specifies the PingOne for Customers Environment that will be associated with this Ping One For Customers Pass Through Authentication Plugin. The Environment ID can be found under the Settings tab in the PingOne for Customers Admin Console.
Default Value
None
Allowed Values
Environment ID must be in the format of a UUID v4.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

included-local-entry-base-dn

Description
The base DNs for the local users whose authentication attempts may be passed through to the PingOne for Customers service. If one or more base DNs are specified, then only binds attempted by users at or below one of those base DNs may be passed through to the PingOne for Customers service.
If no base DNs are specified, then all public naming contexts will be used as the default set of base DNs.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

connection-criteria

Description
A reference to connection criteria that will be used to indicate which bind requests should be passed through to the PingOne for Customers service. If a connection criteria object is specified, then only bind requests from clients that match this criteria may be passed through to the PingOne for Customers service. If no connection criteria object is specified, then bind requests from any client may be passed through.
Default Value
None
Allowed Values
The DN of any Connection Criteria.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

request-criteria

Description
A reference to request criteria that will be used to indicate which bind requests should be passed through to the PingOne for Customers service. If a request criteria object is specified, then only bind requests that match this criteria may be passed through to the PingOne for Customers service. If no request criteria object is specified, then all bind requests may be passed through.
Default Value
None
Allowed Values
The DN of any Request Criteria.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

try-local-bind

Description
Indicates whether to attempt the bind in the local server first, or to only send it to the PingOne for Customers service. If this property has a value of true, then the bind operation will first be processed locally, and will only forward the authentication attempt to the PingOne for Customers service if the local bind fails. If this property has a value of false, then the authentication will only be attempted in the PingOne for Customers service.
Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

override-local-password

Description
Indicates whether to attempt the authentication in the PingOne for Customers service if the local user entry includes a password. This property will only be used if try-local-bind is true. If this property has a value of false, then authentication attempts will only be forwarded to the PingOne for Customers service for users who don't have a local password, and bind attempts for users with a local password will only be attempted locally. If this property has a value of true, then authentication attempts will be forwarded to the PingOne for Customers service if the local attempt fails, even if the local entry has a password.
Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

update-local-password

Description
Indicates whether to overwrite the user's local password if the local bind fails but the authentication attempt succeeds when attempted in the PingOne for Customers service. This property is only used if the try-local-bind property has a value of true.
If update-local-password is true, the local bind attempt fails, and the PingOne for Customers authentication attempt succeeds, then the local entry will be updated to set the user's password to the provided bind password. The local password will not be altered if the PingOne for Customers authentication attempt fails. The property 'update-local-password-dn' should also be set to a DN if passwords are bidirectionally synchronized between the PingOne for Customers service and PingDirectory Server.
If update-local-password is false, the local bind attempt fails, and the PingOne for Customers authentication attempt succeeds, then the LDAP bind operation will still be considered a success, but the user's local password will not be altered.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

update-local-password-dn

Description
This is the DN of the user that will be used to overwrite the user's local password if update-local-password is set. The DN put here should be added to 'ignore-changes-by-dn' in the appropriate Sync Source. This value should be used if Sync is configured to synchronize password changes from PingDirectory Server to the PingOne for Customers service and is also configured to wipe out the password in PingDirectory Server when it detects that the password has changed in the PingOne for Customers service. In that case, changing the password in the PingOne for Customers service causes the password to be wiped in PingDirectory Server. On the next authentication attempt to PingDirectory Server, the bind is passed through to PingOne for Customers, and if the PingOne for Customers Pass Through Authentication plugin then updates the password in PingDirectory Server, that change may be synchronized back to the PingOne for Customers service, which can cause the password to be wiped out again in PingDirectory Server.
With this property set, the password would not need to be wiped: the PingOne for Customers Pass Through Authentication plugin would update the password as the DN specified in this property, and if Sync is configured to ignore changes by that DN, the password change would not be synchronized to the PingOne for Customers service after the bind, which avoids the password being wiped in PingDirectory Server.
The account used for this property must have access control permission to update the passwords for any users that may use pass-through authentication (or the bypass-acl privilege), and it must have the password-reset privilege.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

allow-lax-pass-through-authentication-passwords

Description
Indicates whether to overwrite the user's local password even if the password used to authenticate to the PingOne for Customers service would have failed validation if the user attempted to set it directly. This property is only used if the try-local-bind and update-local-password properties both have values of true.
If this property has a value of true, the local bind attempt fails, and the authentication attempt to PingOne for Customers succeeds, then the local password will be overwritten regardless of whether it would have passed the validation requirements of the user's password policy.
If this property has a value of false, the local bind attempt fails, and the authentication attempt to PingOne for Customers succeeds, then the local password will be overwritten only if it satisfies the requirements for all password validators in the user's password policy. In that case, if the password from PingOne for Customers does not meet local password policy constraints, then the bind attempt will fail.
Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

ignored-password-policy-state-error-condition

Description
A set of password policy state error conditions that should not be enforced when authentication succeeds when attempted in the PingOne for Customers service. This option can only be used if try-local-bind is true.
Default Value
None
Allowed Values
temporarily-locked-due-to-failures - If this value is present, then it indicates that the user should be permitted to authenticate with a password from the PingOne for Customers service even if their account is currently temporarily locked after too many failed authentication attempts. If this value is absent, then a user whose account is temporarily locked will not be permitted to authenticate until the lockout period expires, until the user's local password is reset by an administrator, or until the administrator manually unlocks the account with the manage-account tool or the password policy state extended operation.

permanently-locked-due-to-failures - If this value is present, then it indicates that the user should be permitted to authenticate with a password from the PingOne for Customers service even if their account is currently permanently locked after too many failed authentication attempts. If this value is absent, then a user whose account is permanently locked will not be permitted to authenticate until their local password is reset by an administrator or until the administrator manually unlocks the account with the manage-account tool or the password policy state extended operation.

locked-due-to-idle-interval - If this value is present, then it indicates that the user should be permitted to authenticate with a password from the PingOne for Customers service even if their account is locked because it has been unused for too long. If this value is absent, then a user whose account is idle-locked will not be permitted to authenticate until their local password is reset by an administrator or until the administrator manually unlocks the account with the manage-account tool or the password policy state extended operation.

locked-due-to-maximum-reset-age - If this value is present, then it indicates that the user should be permitted to authenticate with a password from the PingOne for Customers service even if their account is locked because their password was reset by an administrator but they failed to choose a new password in a timely manner. If this value is absent, then a user whose account is reset-locked will not be permitted to authenticate until their local password is again reset by an administrator or until the administrator manually unlocks the account with the manage-account tool or the password policy state extended operation.

password-is-expired - If this value is present, then it indicates that the user should be permitted to authenticate with a password from the PingOne for Customers service even if their local password is expired. If this value is absent, then a user whose password is expired will not be permitted to authenticate until their local password is reset by an administrator or until the administrator manually resets the password changed time with the manage-account tool or the password policy state extended operation.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action
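The interaction of try-local-bind, override-local-password, update-local-password, update-local-password-dn, allow-lax-pass-through-authentication-passwords and ignored-password-policy-state-error-condition is easiest to follow as one decision path. The Python model below is an added illustration, not the plugin's code: the LocalEntry and PTAConfig classes, local_policy_accepts, sample_remote_authenticate and the attribution of the password write to update-local-password-dn are constructed assumptions; the branches themselves encode only the behaviour stated in the property descriptions above.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional, Set, Tuple


@dataclass
class LocalEntry:
    dn: str
    password: Optional[str]                 # None: the local entry has no password
    lock_condition: Optional[str] = None    # a password policy state error condition, if any
    last_modifier_dn: Optional[str] = None  # constructed: who last wrote the password


@dataclass
class PTAConfig:
    """Constructed holder for the plugin properties discussed above."""
    try_local_bind: bool = True
    override_local_password: bool = True
    update_local_password: bool = False
    update_local_password_dn: Optional[str] = None
    allow_lax_pass_through_authentication_passwords: bool = True
    ignored_password_policy_state_error_condition: Set[str] = field(default_factory=set)


def local_policy_accepts(password: str) -> bool:
    """Constructed stand-in for the validators in the user's password policy."""
    return len(password) >= 8 and any(c.isdigit() for c in password)


def sample_remote_authenticate(entry: LocalEntry, password: str) -> bool:
    """Constructed stand-in for the PingOne for Customers authentication call."""
    return password in ("Cloud#2024", "pw1")


def bind(entry: LocalEntry, password: str, cfg: PTAConfig,
         remote_authenticate: Callable[[LocalEntry, str], bool]) -> Tuple[bool, str]:
    """Decide a simple bind; returns (success, where-or-why)."""
    if cfg.try_local_bind:
        # The local attempt comes first. A wrong password, a missing local
        # password or a policy state lock all make it fail.
        if (entry.password is not None and entry.lock_condition is None
                and password == entry.password):
            return True, "local"
        # override-local-password=false: entries that have a local password
        # are only ever authenticated locally.
        if entry.password is not None and not cfg.override_local_password:
            return False, "local only: entry has a password and override-local-password is false"

    if not remote_authenticate(entry, password):
        return False, "remote: rejected by the PingOne for Customers service"

    if cfg.try_local_bind:
        # Policy state errors still apply to a remote success unless listed in
        # ignored-password-policy-state-error-condition.
        if (entry.lock_condition is not None and entry.lock_condition
                not in cfg.ignored_password_policy_state_error_condition):
            return False, f"remote ok, but local policy state enforced: {entry.lock_condition}"
        if cfg.update_local_password:
            # Unless lax passwords are allowed, the remote password must pass
            # the local validators; otherwise the whole bind fails.
            if not (cfg.allow_lax_pass_through_authentication_passwords
                    or local_policy_accepts(password)):
                return False, "remote ok, but the password fails local policy and lax passwords are disallowed"
            entry.password = password
            # Assumption: the write is attributed to update-local-password-dn when
            # set, so a Sync Source ignoring changes by that DN will not replicate it.
            entry.last_modifier_dn = cfg.update_local_password_dn or entry.dn

    return True, "remote"


if __name__ == "__main__":
    dn = "uid=alice,ou=People,dc=example,dc=com"   # constructed sample entry
    print(bind(LocalEntry(dn, None), "Cloud#2024", PTAConfig(), sample_remote_authenticate))
    locked = LocalEntry(dn, "Local#1234", lock_condition="temporarily-locked-due-to-failures")
    print(bind(locked, "Cloud#2024", PTAConfig(), sample_remote_authenticate))
```

The last scenario in the main block is the one worth checking in a deployment: a remote success does not by itself clear a local lockout, so an account that is temporarily locked still fails to bind unless that condition is explicitly listed as ignored.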

user-mapping-local-attribute

Description
The names of the attributes in the local user entry whose values must match the values of the corresponding fields in the PingOne for Customers service. This property must have the same number of values as the user-mapping-remote-json-field property, and the order of the values in the user-mapping-local-attribute property must correspond to the order of values in the user-mapping-remote-json-field property.
Only an entry that contains values for all of the listed attributes may be mapped to a user in the PingOne for Customers service. The search performed in the PingOne for Customers service must match exactly one account. If the search does not match any accounts, or if it matches multiple accounts, then the mapping will fail.
If multiple local attributes and PingOne fields are specified, then the search that the plugin performs in the PingOne for Customers service will be an AND across the corresponding PingOne fields.
If any of the listed attributes has multiple values then the search in the PingOne for Customers service will contain an OR of each of those values in the corresponding PingOne field.
Default Value
None
Allowed Values
The name or OID of an attribute type defined in the server schema.
Multi-Valued
Yes
Required
Yes
Admin Action Required
None. Modification requires no further action

user-mapping-remote-json-field

Description
The names of the fields in the PingOne for Customers service whose values must match the values of the corresponding attributes in the local user entry, as specified in the user-mapping-local-attribute property. This property must have the same number of values as the user-mapping-local-attribute property, and the order of the values in the user-mapping-local-attribute property must correspond to the order of values in the user-mapping-remote-json-field property.
Default Value
None
Allowed Values
A string
Multi-Valued
Yes
Required
Yes
Admin Action Required
None. Modification requires no further action

additional-user-mapping-scim-filter

Description
An optional SCIM filter that will be ANDed with the filter created to identify the account in the PingOne for Customers service that corresponds to the local entry. Only the "eq", "sw", "and", and "or" filter types may be used.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action
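The three mapping properties (user-mapping-local-attribute, user-mapping-remote-json-field and additional-user-mapping-scim-filter) together define a search that must match exactly one account: an AND across the listed fields, an OR across the values of a multi-valued local attribute, the optional filter ANDed on top, and a failed mapping when any listed attribute is missing or the search matches zero or several accounts. The Python below is an added example, not the plugin's code: the filter text it builds follows generic SCIM "eq"/"and"/"or" syntax rather than whatever the plugin actually sends, and the sample entry and SAMPLE_ACCOUNTS are constructed.

```python
from typing import Dict, List, Optional, Sequence

Entry = Dict[str, List[str]]   # local entry: lowercase attribute name -> values
Account = Dict[str, str]       # constructed stand-in for a PingOne for Customers user record


def _scim_string(value: str) -> str:
    """Quote a value as a SCIM string literal (JSON-style escaping)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_user_mapping_filter(entry: Entry, local_attrs: Sequence[str],
                              remote_fields: Sequence[str],
                              additional_filter: Optional[str] = None) -> Optional[str]:
    """Render the mapping as a SCIM filter; None means the entry cannot be mapped."""
    if len(local_attrs) != len(remote_fields):
        raise ValueError("user-mapping-local-attribute and user-mapping-remote-json-field "
                         "must have the same number of values")
    clauses = []
    for attr, fld in zip(local_attrs, remote_fields):
        values = entry.get(attr.lower(), [])
        if not values:
            return None   # the entry lacks a listed attribute, so no mapping is possible
        # Multiple local values become an OR on the corresponding remote field.
        terms = [f"{fld} eq {_scim_string(v)}" for v in values]
        clauses.append(terms[0] if len(terms) == 1 else "(" + " or ".join(terms) + ")")
    scim_filter = " and ".join(clauses)   # several mappings are ANDed together
    if additional_filter:
        scim_filter = f"({scim_filter}) and ({additional_filter})"
    return scim_filter


def find_matches(accounts: Sequence[Account], entry: Entry, local_attrs: Sequence[str],
                 remote_fields: Sequence[str]) -> List[Account]:
    """Evaluate the same AND/OR mapping against in-memory accounts (eq semantics only)."""
    if not local_attrs:
        return []
    hits = []
    for acct in accounts:
        if all(acct.get(fld) in entry.get(attr.lower(), [])
               for attr, fld in zip(local_attrs, remote_fields)):
            hits.append(acct)
    return hits


def resolve_remote_user(accounts: Sequence[Account], entry: Entry, local_attrs: Sequence[str],
                        remote_fields: Sequence[str]) -> Optional[Account]:
    """The mapping succeeds only when exactly one account matches."""
    hits = find_matches(accounts, entry, local_attrs, remote_fields)
    return hits[0] if len(hits) == 1 else None


# Constructed sample data: two remote accounts share the username "alice".
SAMPLE_ACCOUNTS: List[Account] = [
    {"id": "acct-1", "username": "alice", "email": "alice@example.com"},
    {"id": "acct-2", "username": "alice", "email": "alice@corp.example"},
    {"id": "acct-3", "username": "bob", "email": "bob@example.com"},
]
SAMPLE_ENTRY: Entry = {"uid": ["alice"], "mail": ["alice@example.com", "alice.smith@example.com"]}


if __name__ == "__main__":
    print(build_user_mapping_filter(SAMPLE_ENTRY, ["uid", "mail"], ["username", "email"],
                                    "enabled eq true"))
    # Mapping on uid alone is ambiguous here; adding mail makes it unique.
    print(resolve_remote_user(SAMPLE_ACCOUNTS, SAMPLE_ENTRY, ["uid"], ["username"]))
    print(resolve_remote_user(SAMPLE_ACCOUNTS, SAMPLE_ENTRY, ["uid", "mail"], ["username", "email"]))
```

The ambiguity case is the one to test before enabling the plugin: a single-attribute mapping that is unique in the local directory can still match several remote accounts, and the result is a failed mapping (and therefore a failed bind) rather than a guess.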


Advanced Properties

invoke-for-internal-operations (Advanced Property)

Description
Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operations that can cause the same plug-in to be re-invoked.
Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Plugins:

dsconfig list-plugins
     [--property {propertyName}] ...

To view the configuration for an existing Plugin:

dsconfig get-plugin-prop
     --plugin-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Plugin:

dsconfig set-plugin-prop
     --plugin-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Ping One For Customers Pass Through Authentication Plugin:

dsconfig create-plugin
     --plugin-name {name}
     --type ping-one-for-customers-pass-through-authentication
     --set enabled:{propertyValue}
     --set api-url:{propertyValue}
     --set auth-url:{propertyValue}
     --set oauth-client-id:{propertyValue}
     --set oauth-client-secret:{propertyValue}
     --set environment-id:{propertyValue}
     --set user-mapping-local-attribute:{propertyValue}
     --set user-mapping-remote-json-field:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Plugin:

dsconfig delete-plugin
     --plugin-name {name}