Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.
PingOne Pass Through Authentication Handlers provide a mechanism for processing an authentication attempt for a local user against the PingOne service.
The PingOne Pass Through Authentication Handler component inherits from the Pass Through Authentication Handler.
The following components have a direct aggregation relation from PingOne Pass Through Authentication Handlers:
The properties supported by this managed object are as follows:
Description | A description for this Pass Through Authentication Handler |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | The base DNs for the local users whose authentication attempts may be passed through to the external authentication service. If one or more base DNs are specified, then only binds attempted by users at or below one of those base DNs may be passed through to the external authentication service. If no base DNs are specified, then only the associated pass-through authentication plugin's set of included local entry base DNs will be used. |
Default Value | None |
Allowed Values | A valid DN. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | A reference to connection criteria that will be used to indicate which bind requests should be passed through to the external authentication service. If a connection criteria object is specified, then only bind requests from clients that match this criteria may be passed through to the external authentication service. If no connection criteria object is specified, then bind requests from any client may be passed through. |
Default Value | None |
Allowed Values | The DN of any Connection Criteria. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | A reference to request criteria that will be used to indicate which bind requests should be passed through to the external authentication service. If a request criteria object is specified, then only bind requests that match this criteria may be passed through to the external authentication service. If no request criteria object is specified, then all bind requests may be passed through. |
Default Value | None |
Allowed Values | The DN of any Request Criteria. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
api-url
Description | Specifies the API endpoint for the PingOne web service. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
auth-url
Description | Specifies the API endpoint for the PingOne authentication service. The Auth URL can be found under the Connections tab in the PingOne Admin Console. Specifically, it is within the Application configured for use with Data Sync Server. The necessary URL will be in the Configuration section as the Token Endpoint. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
oauth-client-id
Description | Specifies the OAuth Client ID used to authenticate connections to the PingOne API. The Client ID can be found under the Connections tab in the PingOne Admin Console. Specifically, it is within the Application configured for use with Data Sync Server. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
oauth-client-secret
Description | Specifies the OAuth Client Secret used to authenticate connections to the PingOne API. The Client Secret can be found under the Connections tab in the PingOne Admin Console. Specifically, it is within the Application configured for use with the Directory Server. Exactly one of the oauth-client-secret and oauth-client-secret-passphrase-provider properties must be specified. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
oauth-client-secret-passphrase-provider
Description | Specifies a passphrase provider that can be used to obtain the OAuth Client Secret used to authenticate connections to the PingOne API. The Client Secret can be found under the Connections tab in the PingOne Admin Console. Specifically, it is within the Application configured for use with the Directory Server. Exactly one of the oauth-client-secret and oauth-client-secret-passphrase-provider properties must be specified. |
Default Value | None |
Allowed Values | The DN of any Passphrase Provider. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
environment-id
Description | Specifies the PingOne Environment that will be associated with this PingOne Pass Through Authentication Handler. The Environment ID can be found under the Settings tab in the PingOne Admin Console. |
Default Value | None |
Allowed Values | Environment ID must be in the format of a UUID v4. |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
Description | A reference to an HTTP proxy server that should be used for requests sent to the PingOne service. |
Default Value | No HTTP proxy server will be used. |
Allowed Values | The DN of any HTTP Proxy External Server. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
user-mapping-local-attribute
Description | The names of the attributes in the local user entry whose values must match the values of the corresponding fields in the PingOne service. This property must have the same number of values as the user-mapping-remote-json-field property, and the order of the values in the user-mapping-local-attribute property must correspond to the order of values in the user-mapping-remote-json-field property. Only an entry that contains values for all of the listed attributes may be mapped to a user in the PingOne service. The search performed in the PingOne service must match exactly one account. If the search does not match any accounts, or if it matches multiple accounts, then the mapping will fail. If multiple local attributes and PingOne fields are specified, then the search that the plugin performs in the PingOne service will be an AND across the corresponding PingOne fields. If any of the listed attributes has multiple values then the search in the PingOne service will contain an OR of each of those values in the corresponding PingOne field. |
Default Value | None |
Allowed Values | The name or OID of an attribute type defined in the server schema. |
Multi-Valued | Yes |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
user-mapping-remote-json-field
Description | The names of the fields in the PingOne service whose values must match the values of the corresponding attributes in the local user entry, as specified in the user-mapping-local-attribute property. This property must have the same number of values as the user-mapping-local-attribute property, and the order of the values in the user-mapping-local-attribute property must correspond to the order of values in the user-mapping-remote-json-field property. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | Yes |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
additional-user-mapping-scim-filter
Description | An optional SCIM filter that will be ANDed with the filter created to identify the account in the PingOne service that corresponds to the local entry. Only the "eq", "sw", "and", and "or" filter types may be used. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
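The mapping rules described for user-mapping-local-attribute, user-mapping-remote-json-field and additional-user-mapping-scim-filter can be modeled as follows. This is an added illustration of the documented semantics, not the server's own code; the function names, the sample entry, the remote field names (username, email) and the exact filter string layout are assumptions.

```python
import re

# SCIM operators outside the documented allow-list ("eq", "sw", "and", "or").
DISALLOWED_OPS = {"ne", "co", "ew", "pr", "gt", "ge", "lt", "le", "not"}

def quote(value):
    """Escape backslashes and quotes so a value cannot alter the filter."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def check_additional_filter(scim_filter):
    """Raise if the extra filter uses an operator other than eq/sw/and/or."""
    unquoted = re.sub(r'"(?:\\.|[^"\\])*"', '""', scim_filter)  # ignore values
    tokens = {t.lower() for t in re.findall(r"[^\s()]+", unquoted)}
    bad = sorted(tokens & DISALLOWED_OPS)
    if bad:
        raise ValueError("unsupported filter type(s): " + ", ".join(bad))

def build_filter(entry, local_attrs, remote_fields, additional=None):
    """Return the search filter, or None if the entry cannot be mapped."""
    if len(local_attrs) != len(remote_fields):
        raise ValueError("mapping properties must have the same number of values")
    clauses = []
    for attr, field in zip(local_attrs, remote_fields):  # order pairs them up
        values = entry.get(attr)
        if not values:                  # every listed attribute must be present
            return None
        ors = [f"{field} eq {quote(v)}" for v in values]
        # Multiple values become an OR; parenthesize so AND cannot split it.
        clauses.append(ors[0] if len(ors) == 1 else "(" + " or ".join(ors) + ")")
    result = " and ".join(clauses)      # AND across the mapped fields
    if additional:
        check_additional_filter(additional)
        result = f"({result}) and ({additional})"
    return result

def select_match(accounts):
    """Mapping succeeds only when the search matches exactly one account."""
    return accounts[0] if len(accounts) == 1 else None

if __name__ == "__main__":
    # Constructed sample entry, not taken from a real directory.
    sample = {"uid": ["jdoe"], "mail": ["jdoe@example.com", "j.doe@example.com"]}
    print(build_filter(sample, ["uid", "mail"], ["username", "email"],
                       "enabled eq true"))
```

Because zero matches and multiple matches both fail the mapping, choose mapped fields that are unique in the PingOne environment.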
To list the configured Pass Through Authentication Handlers:
dsconfig list-pass-through-authentication-handlers [--property {propertyName}] ...
To view the configuration for an existing Pass Through Authentication Handler:
dsconfig get-pass-through-authentication-handler-prop --handler-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the configuration for an existing Pass Through Authentication Handler:
dsconfig set-pass-through-authentication-handler-prop --handler-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new PingOne Pass Through Authentication Handler:
dsconfig create-pass-through-authentication-handler --handler-name {name} --type ping-one --set api-url:{propertyValue} --set auth-url:{propertyValue} --set oauth-client-id:{propertyValue} --set environment-id:{propertyValue} --set user-mapping-local-attribute:{propertyValue} --set user-mapping-remote-json-field:{propertyValue} [--set {propertyName}:{propertyValue}] ...
To delete an existing Pass Through Authentication Handler:
dsconfig delete-pass-through-authentication-handler --handler-name {name}