PingOne Pass Through Authentication Handler

Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.

PingOne Pass Through Authentication Handlers provide a mechanism for processing an authentication attempt for a local user against the PingOne service.


Parent Component

The PingOne Pass Through Authentication Handler component inherits from the Pass Through Authentication Handler component.

Relations from This Component

The following components have a direct aggregation relation from PingOne Pass Through Authentication Handlers:

Properties

The properties supported by this managed object are as follows:


Basic Properties:
 description
 included-local-entry-base-dn
 connection-criteria
 request-criteria
 api-url
 auth-url
 oauth-client-id
 oauth-client-secret
 oauth-client-secret-passphrase-provider
 environment-id
 http-proxy-external-server
 user-mapping-local-attribute
 user-mapping-remote-json-field
 additional-user-mapping-scim-filter

Advanced Properties:
 None

Basic Properties

description

Description
A description for this Pass Through Authentication Handler
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

included-local-entry-base-dn

Description
The base DNs for the local users whose authentication attempts may be passed through to the external authentication service. If one or more base DNs are specified, then only binds attempted by users at or below one of those base DNs may be passed through to the external authentication service.
If no base DNs are specified, then only the associated pass-through authentication plugin's set of included local entry base DNs will be used.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

connection-criteria

Description
A reference to connection criteria that will be used to indicate which bind requests should be passed through to the external authentication service. If a connection criteria object is specified, then only bind requests from clients that match this criteria may be passed through to the external authentication service. If no connection criteria object is specified, then bind requests from any client may be passed through.
Default Value
None
Allowed Values
The DN of any Connection Criteria.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

request-criteria

Description
A reference to request criteria that will be used to indicate which bind requests should be passed through to the external authentication service. If a request criteria object is specified, then only bind requests that match this criteria may be passed through to the external authentication service. If no request criteria object is specified, then all bind requests may be passed through.
Default Value
None
Allowed Values
The DN of any Request Criteria.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

api-url

Description
Specifies the API endpoint for the PingOne web service.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

auth-url

Description
Specifies the API endpoint for the PingOne authentication service. The Auth URL can be found under the Connections tab in the PingOne Admin Console. Specifically, it is within the Application configured for use with Data Sync Server. The necessary URL will be in the Configuration section as the Token Endpoint.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

oauth-client-id

Description
Specifies the OAuth Client ID used to authenticate connections to the PingOne API. The Client ID can be found under the Connections tab in the PingOne Admin Console. Specifically, it is within the Application configured for use with Data Sync Server.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

oauth-client-secret

Description
Specifies the OAuth Client Secret used to authenticate connections to the PingOne API. The Client Secret can be found under the Connections tab in the PingOne Admin Console. Specifically, it is within the Application configured for use with the Directory Server.
Exactly one of the oauth-client-secret and oauth-client-secret-passphrase-provider properties must be specified.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

oauth-client-secret-passphrase-provider

Description
Specifies a passphrase provider that can be used to obtain the OAuth Client Secret used to authenticate connections to the PingOne API. The Client Secret can be found under the Connections tab in the PingOne Admin Console. Specifically, it is within the Application configured for use with the Directory Server.
Exactly one of the oauth-client-secret and oauth-client-secret-passphrase-provider properties must be specified.
Default Value
None
Allowed Values
The DN of any Passphrase Provider.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

environment-id

Description
Specifies the PingOne Environment that will be associated with this PingOne Pass Through Authentication Handler. The Environment ID can be found under the Settings tab in the PingOne Admin Console.
Default Value
None
Allowed Values
Environment ID must be in the format of a UUID v4.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

http-proxy-external-server

Description
A reference to an HTTP proxy server that should be used for requests sent to the PingOne service.
Default Value
No HTTP proxy server will be used.
Allowed Values
The DN of any HTTP Proxy External Server.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

user-mapping-local-attribute

Description
The names of the attributes in the local user entry whose values must match the values of the corresponding fields in the PingOne service. This property must have the same number of values as the user-mapping-remote-json-field property, and the order of the values in the user-mapping-local-attribute property must correspond to the order of values in the user-mapping-remote-json-field property.
Only an entry that contains values for all of the listed attributes may be mapped to a user in the PingOne service. The search performed in the PingOne service must match exactly one account. If the search does not match any accounts, or if it matches multiple accounts, then the mapping will fail.
If multiple local attributes and PingOne fields are specified, then the search that the plugin performs in the PingOne service will be an AND across the corresponding PingOne fields.
If any of the listed attributes has multiple values then the search in the PingOne service will contain an OR of each of those values in the corresponding PingOne field.
Default Value
None
Allowed Values
The name or OID of an attribute type defined in the server schema.
Multi-Valued
Yes
Required
Yes
Admin Action Required
None. Modification requires no further action

user-mapping-remote-json-field

Description
The names of the fields in the PingOne service whose values must match the values of the corresponding attributes in the local user entry, as specified in the user-mapping-local-attribute property. This property must have the same number of values as the user-mapping-local-attribute property, and the order of the values in the user-mapping-local-attribute property must correspond to the order of values in the user-mapping-remote-json-field property.
Default Value
None
Allowed Values
A string
Multi-Valued
Yes
Required
Yes
Admin Action Required
None. Modification requires no further action

additional-user-mapping-scim-filter

Description
An optional SCIM filter that will be ANDed with the filter created to identify the account in the PingOne service that corresponds to the local entry. Only the "eq", "sw", "and", and "or" filter types may be used.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action
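
The mapping semantics described for user-mapping-local-attribute, user-mapping-remote-json-field and additional-user-mapping-scim-filter, as an added sketch that is not the server's own code. The exact filter text the server sends is not documented on this page; the SCIM syntax, the function names and the sample attribute and field names are assumptions made for illustration.

```python
import json
import re

# SCIM operators other than the four this page allows ("eq", "sw", "and", "or").
DISALLOWED = {"ne", "co", "ew", "pr", "gt", "ge", "lt", "le", "not"}

def check_additional_filter(scim_filter):
    """Heuristic check: list disallowed operators found outside quoted strings."""
    bare = re.sub(r'"(?:\\.|[^"\\])*"', '""', scim_filter)  # blank out string literals
    tokens = re.sub(r"[()]", " ", bare).split()
    return sorted({t.lower() for t in tokens} & DISALLOWED)

def build_mapping_filter(entry, local_attrs, remote_fields, additional_filter=None):
    """Return the search filter for one local entry, or None if it cannot be mapped."""
    if len(local_attrs) != len(remote_fields):
        raise ValueError("mapping properties must have the same number of values")
    clauses = []
    for attr, field in zip(local_attrs, remote_fields):
        values = entry.get(attr) or []
        if not values:
            return None  # entry lacks a value for a listed attribute: no mapping
        # json.dumps quotes and escapes the value so it cannot alter the filter.
        terms = [f"{field} eq {json.dumps(v)}" for v in values]
        # Multiple values of one attribute are ORed within the same field.
        clauses.append(terms[0] if len(terms) == 1 else "(" + " or ".join(terms) + ")")
    result = " and ".join(clauses)  # AND across the corresponding fields
    if additional_filter:
        bad = check_additional_filter(additional_filter)
        if bad:
            raise ValueError(f"filter types not allowed: {bad}")
        result = f"({result}) and ({additional_filter})"
    return result

def select_account(matches):
    """The mapping fails unless the search matched exactly one account."""
    return matches[0] if len(matches) == 1 else None

# Constructed sample entry and mapping (not taken from a real deployment).
SAMPLE_ENTRY = {"uid": ["jdoe"], "mail": ["jdoe@example.com", "j.doe@example.com"]}
SAMPLE_FILTER = build_mapping_filter(
    SAMPLE_ENTRY, ["uid", "mail"], ["username", "email"], "enabled eq true")
```
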


dsconfig Usage

To list the configured Pass Through Authentication Handlers:

dsconfig list-pass-through-authentication-handlers
     [--property {propertyName}] ...

To view the configuration for an existing Pass Through Authentication Handler:

dsconfig get-pass-through-authentication-handler-prop
     --handler-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Pass Through Authentication Handler:

dsconfig set-pass-through-authentication-handler-prop
     --handler-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new PingOne Pass Through Authentication Handler:

dsconfig create-pass-through-authentication-handler
     --handler-name {name}
     --type ping-one
     --set api-url:{propertyValue}
     --set auth-url:{propertyValue}
     --set oauth-client-id:{propertyValue}
     --set environment-id:{propertyValue}
     --set user-mapping-local-attribute:{propertyValue}
     --set user-mapping-remote-json-field:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...
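
A pre-flight check for the property constraints stated on this page, run before the create command above is issued; it is an added example, not part of dsconfig or the product. The function names, the URLs, the passphrase provider name and the environment ID in the sample are constructed placeholders.

```python
import uuid

REQUIRED = ("api-url", "auth-url", "oauth-client-id", "environment-id",
            "user-mapping-local-attribute", "user-mapping-remote-json-field")
SECRET_PROPS = ("oauth-client-secret", "oauth-client-secret-passphrase-provider")

def validate_handler_props(props):
    """props maps property name -> list of values; returns a list of problems."""
    problems = [f"missing required property {p}" for p in REQUIRED if not props.get(p)]
    if sum(1 for p in SECRET_PROPS if props.get(p)) != 1:
        problems.append("exactly one of " + " and ".join(SECRET_PROPS) + " must be specified")
    for env in props.get("environment-id", []):
        try:
            parsed = uuid.UUID(env)
            # Require the canonical hyphenated form and version 4.
            ok = parsed.version == 4 and str(parsed) == env.lower()
        except ValueError:
            ok = False
        if not ok:
            problems.append("environment-id is not in UUID v4 format")
    if len(props.get("user-mapping-local-attribute", [])) != \
            len(props.get("user-mapping-remote-json-field", [])):
        problems.append("user-mapping properties have different numbers of values")
    return problems

def dsconfig_create_args(name, props):
    """Build the create command as an argv list, refusing invalid input."""
    problems = validate_handler_props(props)
    if problems:
        raise ValueError("; ".join(problems))
    args = ["dsconfig", "create-pass-through-authentication-handler",
            "--handler-name", name, "--type", "ping-one"]
    for prop, values in props.items():
        for value in values:
            args += ["--set", f"{prop}:{value}"]
    return args

# Constructed sample values (placeholders, not a real environment).
SAMPLE_PROPS = {
    "api-url": ["https://api.example.com/v1"],
    "auth-url": ["https://auth.example.com/as/token"],
    "oauth-client-id": ["example-client-id"],
    "oauth-client-secret-passphrase-provider": ["Example Passphrase Provider"],
    "environment-id": ["3f2b8c1e-9d4a-4e7b-8a6c-5d1f0e2b7c9a"],
    "user-mapping-local-attribute": ["uid", "mail"],
    "user-mapping-remote-json-field": ["username", "email"],
}
```
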

To delete an existing Pass Through Authentication Handler:

dsconfig delete-pass-through-authentication-handler
     --handler-name {name}