PingOne Pass Through Authentication Plugin

The PingOne Pass Through Authentication Plugin provides the ability for a local user to authenticate with a password from an account in the PingOne service. Depending on the configuration, the authentication may be attempted only in the PingOne service, or it may be attempted locally first and only forwarded to the PingOne service if the local attempt fails. Only simple bind operations are supported.

Only one instance of this plugin may be active in the server at any time. It cannot be used in conjunction with other pass-through authentication plugins, including the original LDAP pass-through authentication plugin, another instance of the PingOne pass-through authentication plugin, or the pluggable pass-through authentication plugin. If you need multiple types of pass-through authentication active in the server at one time, use the pluggable pass-through authentication plugin with the aggregate pass-through authentication handler.


Parent Component

The PingOne Pass Through Authentication Plugin component inherits from the Plugin component.

Relations from This Component

The following components have a direct aggregation relation from PingOne Pass Through Authentication Plugins:

Properties

The properties supported by this managed object are as follows:


Basic Properties:
 description
 enabled
 api-url
 auth-url
 oauth-client-id
 oauth-client-secret
 oauth-client-secret-passphrase-provider
 environment-id
 http-proxy-external-server
 included-local-entry-base-dn
 connection-criteria
 request-criteria
 try-local-bind
 override-local-password
 update-local-password
 update-local-password-dn
 allow-lax-pass-through-authentication-passwords
 ignored-password-policy-state-error-condition
 user-mapping-local-attribute
 user-mapping-remote-json-field
 additional-user-mapping-scim-filter

Advanced Properties:
 invoke-for-internal-operations

Basic Properties

description

Description
A description for this Plugin
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Description
Indicates whether the plug-in is enabled for use.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

api-url

Description
Specifies the API endpoint for the PingOne web service.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

auth-url

Description
Specifies the API endpoint for the PingOne authentication service. The Auth URL can be found under the Connections tab in the PingOne Admin Console, within the Application configured for use with Data Sync Server: it is the Token Endpoint shown in that application's Configuration section.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

oauth-client-id

Description
Specifies the OAuth Client ID used to authenticate connections to the PingOne API. The Client ID can be found under the Connections tab in the PingOne Admin Console. Specifically, it is within the Application configured for use with Data Sync Server.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

oauth-client-secret

Description
Specifies the OAuth Client Secret used to authenticate connections to the PingOne API. The Client Secret can be found under the Connections tab in the PingOne Admin Console. Specifically, it is within the Application configured for use with the Directory Server.
Exactly one of the oauth-client-secret and oauth-client-secret-passphrase-provider properties must be specified.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

oauth-client-secret-passphrase-provider

Description
Specifies a passphrase provider that can be used to obtain the OAuth Client Secret used to authenticate connections to the PingOne API. Using a passphrase provider keeps the client secret out of the plugin's own configuration entry. The Client Secret can be found under the Connections tab in the PingOne Admin Console. Specifically, it is within the Application configured for use with the Directory Server.
Exactly one of the oauth-client-secret and oauth-client-secret-passphrase-provider properties must be specified.
Default Value
None
Allowed Values
The DN of any Passphrase Provider.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

environment-id

Description
Specifies the PingOne Environment that will be associated with this PingOne Pass Through Authentication Plugin. The Environment ID can be found under the Settings tab in the PingOne Admin Console.
Default Value
None
Allowed Values
Environment ID must be in the format of a UUID v4.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

http-proxy-external-server

Description
A reference to an HTTP proxy server that should be used for requests sent to the PingOne service.
Default Value
No HTTP proxy server will be used.
Allowed Values
The DN of any HTTP Proxy External Server.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

included-local-entry-base-dn

Description
The base DNs for the local users whose authentication attempts may be passed through to the PingOne service. If one or more base DNs are specified, then only binds attempted by users at or below one of those base DNs may be passed through to the PingOne service.
If no base DNs are specified, then all public naming contexts will be used as the default set of base DNs.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

connection-criteria

Description
A reference to connection criteria that will be used to indicate which bind requests should be passed through to the PingOne service. If a connection criteria object is specified, then only bind requests from clients that match this criteria may be passed through to the PingOne service. If no connection criteria object is specified, then bind requests from any client may be passed through.
Default Value
None
Allowed Values
The DN of any Connection Criteria.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

request-criteria

Description
A reference to request criteria that will be used to indicate which bind requests should be passed through to the PingOne service. If a request criteria object is specified, then only bind requests that match this criteria may be passed through to the PingOne service. If no request criteria object is specified, then all bind requests may be passed through.
Default Value
None
Allowed Values
The DN of any Request Criteria.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

try-local-bind

Description
Indicates whether to attempt the bind in the local server first, or to only send it to the PingOne service. If this property has a value of true, then the bind operation will first be processed locally, and will only forward the authentication attempt to the PingOne service if the local bind fails. If this property has a value of false, then the authentication will only be attempted in the PingOne service.
Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

override-local-password

Description
Indicates whether to attempt the authentication in the PingOne service if the local user entry includes a password. This property will only be used if try-local-bind is true. If this property has a value of false, then authentication attempts will only be forwarded to the PingOne service for users who don't have a local password, and bind attempts for users with a local password will only be attempted locally. If this property has a value of true, then authentication attempts will be forwarded to the PingOne service if the local attempt fails, even if the local entry has a password.
Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

update-local-password

Description
Indicates whether to overwrite the user's local password if the local bind fails but the authentication attempt succeeds when attempted in the PingOne service. This property is only used if the try-local-bind property has a value of true.
If update-local-password is true, the local bind attempt fails, and the PingOne authentication attempt succeeds, then the local entry will be updated to set the user's password to the provided bind password. The local password will not be altered if the PingOne authentication attempt fails. The property 'update-local-password-dn' should also be set to a DN, if passwords are bidirectionally synchronized between the PingOne service and the Directory Server.
If update-local-password is false, the local bind attempt fails, and the PingOne authentication attempt succeeds, then the LDAP bind operation will still be considered a success, but the user's local password will not be altered.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

update-local-password-dn

Description
This is the DN of the user as which the plugin will overwrite the user's local password when update-local-password is true. The DN specified here should be added to 'ignore-changes-by-dn' in the appropriate Sync Source. This property is needed when Sync is configured to synchronize password changes from the Ping Directory Server to the PingOne service and is also configured to wipe the password in the Directory Server when it detects that the password has changed in the PingOne service. In that setup, a password change in the PingOne service wipes the local password, so the next authentication attempt against the Directory Server is passed through to PingOne; if the PingOne Pass Through Authentication plugin then updates the password in the local Directory Server, that change may be synchronized to the PingOne service, which can cause the local password to be wiped again.
With this property set, the password does not need to be wiped. The plugin performs the update as the user identified by this DN, and if Sync is configured to ignore changes made by that DN, the password change is not synchronized to the PingOne service after the bind, so the local password is not wiped.
The account used for this property must have access control permission to update the passwords of any users that may use pass-through authentication (or the bypass-acl privilege), and it must also have the password-reset privilege.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

allow-lax-pass-through-authentication-passwords

Description
Indicates whether to overwrite the user's local password even if the password used to authenticate to the PingOne service would have failed validation had the user attempted to set it directly. This property is only used if the try-local-bind and update-local-password properties both have values of true.
If this property has a value of true, the local bind attempt fails, and the authentication attempt to PingOne succeeds, then the local password is overwritten regardless of whether it would have passed the validators in the user's password policy. Because true is the default, a password that the local password policy would reject can still be stored locally unless this property is set to false.
If this property has a value of false, the local bind attempt fails, and the authentication attempt to PingOne succeeds, then the local password is overwritten only if it satisfies all password validators in the user's password policy. If the password accepted by PingOne does not meet those constraints, the bind attempt fails.
Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

ignored-password-policy-state-error-condition

Description
A set of password policy state error conditions that should not be enforced when the authentication attempt succeeds in the PingOne service. This option can only be used if try-local-bind is true.
Default Value
None
Allowed Values
temporarily-locked-due-to-failures - If this value is present, then it indicates that the user should be permitted to authenticate with a password from the PingOne service even if their account is currently temporarily locked after too many failed authentication attempts. If this value is absent, then a user whose account is temporarily locked will not be permitted to authenticate until the lockout period expires, until the user's local password is reset by an administrator, or until the administrator manually unlocks the account with the manage-account tool or the password policy state extended operation.

permanently-locked-due-to-failures - If this value is present, then it indicates that the user should be permitted to authenticate with a password from the PingOne service even if their account is currently permanently locked after too many failed authentication attempts. If this value is absent, then a user whose account is permanently locked will not be permitted to authenticate until their local password is reset by an administrator or until the administrator manually unlocks the account with the manage-account tool or the password policy state extended operation.

locked-due-to-idle-interval - If this value is present, then it indicates that the user should be permitted to authenticate with a password from the PingOne service even if their account is locked because it has been unused for too long. If this value is absent, then a user whose account is idle-locked will not be permitted to authenticate until their local password is reset by an administrator or until the administrator manually unlocks the account with the manage-account tool or the password policy state extended operation.

locked-due-to-maximum-reset-age - If this value is present, then it indicates that the user should be permitted to authenticate with a password from the PingOne service even if their account is locked because their password was reset by an administrator but they failed to choose a new password in a timely manner. If this value is absent, then a user whose account is reset-locked will not be permitted to authenticate until their local password is again reset by an administrator or until the administrator manually unlocks the account with the manage-account tool or the password policy state extended operation.

locked-due-to-validation-failure - If this value is present, then it indicates that the user should be permitted to authenticate with a password from the PingOne service even if their account is locked because their password did not satisfy all of the configured password validators. If this value is absent, then a user whose account is validation-locked will not be permitted to authenticate until their local password is reset or until an administrator manually unlocks the account with the manage-account tool or the password policy state extended operation.

password-is-expired - If this value is present, then it indicates that the user should be permitted to authenticate with a password from the PingOne service even if their local password is expired. If this value is absent, then a user whose password is expired will not be permitted to authenticate until their local password is reset by an administrator or until the administrator manually resets the password changed time with the manage-account tool or the password policy state extended operation.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action
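The properties try-local-bind, override-local-password, update-local-password, allow-lax-pass-through-authentication-passwords and ignored-password-policy-state-error-condition interact on every simple bind. The following is an added example, not the plugin's own code: a small Python model of the decision path as this reference describes it, with a constructed in-memory stand-in for the local entry and for the PingOne authentication call. Names such as PluginConfig, LocalEntry and decide_bind are this example's own; the assumption that a local bind fails whenever a password policy state error applies to the account is noted in the code.

```python
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, Optional, Set

# Condition names as accepted by ignored-password-policy-state-error-condition.
TEMP_LOCKED = "temporarily-locked-due-to-failures"
PERM_LOCKED = "permanently-locked-due-to-failures"
EXPIRED = "password-is-expired"


@dataclass
class PluginConfig:
    """The properties whose interaction decides the outcome of a bind (documented defaults)."""
    try_local_bind: bool = True
    override_local_password: bool = True
    update_local_password: bool = False
    allow_lax_passwords: bool = True            # allow-lax-pass-through-authentication-passwords
    ignored_conditions: FrozenSet[str] = frozenset()


@dataclass
class LocalEntry:
    """Constructed stand-in for the local user entry; password=None means no local password."""
    password: Optional[str]
    state_errors: Set[str] = field(default_factory=set)   # e.g. {TEMP_LOCKED}


@dataclass
class BindResult:
    success: bool
    source: str            # "local", "pingone" or "none"
    reason: str
    local_password_updated: bool = False


def local_bind_succeeds(entry: LocalEntry, password: str) -> bool:
    # Assumption of this model: a local simple bind succeeds only when the entry has a
    # matching password and no password policy state error applies to the account.
    return entry.password is not None and entry.password == password and not entry.state_errors


def decide_bind(cfg: PluginConfig, entry: LocalEntry, password: str,
                pingone_accepts: Callable[[str], bool],
                passes_local_validators: Callable[[str], bool] = lambda p: len(p) >= 8) -> BindResult:
    """Walk the documented decision path for one simple bind.

    pingone_accepts stands in for the authentication request to the PingOne service;
    passes_local_validators stands in for the validators in the user's password policy.
    """
    if not cfg.try_local_bind:
        ok = pingone_accepts(password)
        return BindResult(ok, "pingone" if ok else "none", "try-local-bind=false: PingOne only")

    if local_bind_succeeds(entry, password):
        return BindResult(True, "local", "local bind succeeded; PingOne not contacted")

    if entry.password is not None and not cfg.override_local_password:
        return BindResult(False, "none",
                          "local bind failed; entry has a password and override-local-password=false")

    if not pingone_accepts(password):
        return BindResult(False, "none", "local bind failed and PingOne rejected the password")

    # PingOne accepted. Local password policy state is still enforced unless explicitly ignored.
    blocking = entry.state_errors - cfg.ignored_conditions
    if blocking:
        return BindResult(False, "none",
                          "PingOne accepted, but local policy state blocks the bind: "
                          + ", ".join(sorted(blocking)))

    updated = False
    if cfg.update_local_password:
        if not cfg.allow_lax_passwords and not passes_local_validators(password):
            return BindResult(False, "none",
                              "PingOne password fails local validators and lax passwords are not allowed")
        entry.password = password      # overwrite the local password with the one PingOne accepted
        updated = True
    return BindResult(True, "pingone", "PingOne authentication succeeded", updated)


if __name__ == "__main__":
    accepts = lambda p: p == "Correct-Horse-9x"   # constructed PingOne stand-in
    print(decide_bind(PluginConfig(update_local_password=True), LocalEntry(None), "Correct-Horse-9x", accepts))
    print(decide_bind(PluginConfig(), LocalEntry("Correct-Horse-9x", {TEMP_LOCKED}), "Correct-Horse-9x", accepts))
```

The second call in the usage block shows the case practitioners most often misread: the local password is correct, but the account is temporarily locked, so the local bind fails, PingOne accepts the password, and the bind still fails because the lock is not in ignored_conditions.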

user-mapping-local-attribute

Description
The names of the attributes in the local user entry whose values must match the values of the corresponding fields in the PingOne service. This property must have the same number of values as the user-mapping-remote-json-field property, and the order of the values in the user-mapping-local-attribute property must correspond to the order of values in the user-mapping-remote-json-field property.
Only an entry that contains values for all of the listed attributes may be mapped to a user in the PingOne service. The search performed in the PingOne service must match exactly one account. If the search does not match any accounts, or if it matches multiple accounts, then the mapping will fail.
If multiple local attributes and PingOne fields are specified, then the search that the plugin performs in the PingOne service will be an AND across the corresponding PingOne fields.
If any of the listed attributes has multiple values then the search in the PingOne service will contain an OR of each of those values in the corresponding PingOne field.
Default Value
None
Allowed Values
The name or OID of an attribute type defined in the server schema.
Multi-Valued
Yes
Required
Yes
Admin Action Required
None. Modification requires no further action

user-mapping-remote-json-field

Description
The names of the fields in the PingOne service whose values must match the values of the corresponding attributes in the local user entry, as specified in the user-mapping-local-attribute property. This property must have the same number of values as the user-mapping-local-attribute property, and the order of the values in the user-mapping-local-attribute property must correspond to the order of values in the user-mapping-remote-json-field property.
Default Value
None
Allowed Values
A string
Multi-Valued
Yes
Required
Yes
Admin Action Required
None. Modification requires no further action

additional-user-mapping-scim-filter

Description
An optional SCIM filter that will be ANDed with the filter created to identify the account in the PingOne service that corresponds to the local entry. Only the "eq", "sw", "and", and "or" filter types may be used.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action
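The three mapping properties above (user-mapping-local-attribute, user-mapping-remote-json-field and additional-user-mapping-scim-filter) together define the SCIM search the plugin runs in PingOne. The following is an added example, not the plugin's or PingOne's code: it builds that filter from a local entry as described (AND across mapped fields, OR across the values of a multi-valued attribute, the additional filter ANDed in), then evaluates it against a constructed in-memory user list and enforces the exactly-one-match rule. The parser deliberately accepts only the eq, sw, and and or forms the property allows. The user records, the local entry and the function names are this example's own; string comparison is assumed case-sensitive here.

```python
import json
import re
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed stand-in for the PingOne user directory (not real data).
PINGONE_USERS: List[Dict] = [
    {"id": "u-1", "username": "jdoe",   "email": "jdoe@example.com",   "population": {"id": "pop-a"}},
    {"id": "u-2", "username": "jdoe",   "email": "jdoe@example.org",   "population": {"id": "pop-b"}},
    {"id": "u-3", "username": "asmith", "email": "asmith@example.com", "population": {"id": "pop-a"}},
]
# Constructed local entry: uid is single-valued, mail is multi-valued.
LOCAL_ENTRY = {"uid": ["jdoe"], "mail": ["jdoe@example.com", "john.doe@example.com"]}


def scim_quote(value: str) -> str:
    """SCIM string literals are JSON strings: escape backslash and double quote so a
    local attribute value cannot change the structure of the filter."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_mapping_filter(entry: Dict[str, List[str]], local_attrs: Sequence[str],
                         remote_fields: Sequence[str], additional: Optional[str] = None) -> str:
    if len(local_attrs) != len(remote_fields):
        raise ValueError("user-mapping-local-attribute and user-mapping-remote-json-field "
                         "must have the same number of values")
    clauses = []
    for attr, fld in zip(local_attrs, remote_fields):
        values = entry.get(attr) or []
        if not values:   # an entry missing any mapped attribute cannot be mapped at all
            raise LookupError(f"entry has no value for {attr}; it cannot be mapped to a PingOne user")
        terms = [f"{fld} eq {scim_quote(v)}" for v in values]
        clauses.append(terms[0] if len(terms) == 1 else "(" + " or ".join(terms) + ")")
    if additional:
        clauses.append("(" + additional + ")")   # parenthesised so an inner "or" cannot widen the match
    return " and ".join(clauses)


# Minimal SCIM filter tokenizer, parser and matcher limited to eq, sw, and, or.
_TOKEN = re.compile(r'\s+|"(?:[^"\\]|\\.)*"|[()]|\b(?:and|or|eq|sw)\b|[A-Za-z_][\w.]*|(.)')


def tokenize(text: str) -> List[str]:
    tokens = []
    for m in _TOKEN.finditer(text):
        if m.group(1):
            raise ValueError(f"unexpected character {m.group(1)!r} in filter")
        if not m.group(0).isspace():
            tokens.append(m.group(0))
    return tokens


def parse(tokens: List[str]) -> Tuple:
    """Recursive descent; 'and' binds tighter than 'or', as in RFC 7644."""
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def expr():
        nonlocal pos
        left = term()
        while peek() == "or":
            pos += 1
            left = ("or", left, term())
        return left

    def term():
        nonlocal pos
        left = factor()
        while peek() == "and":
            pos += 1
            left = ("and", left, factor())
        return left

    def factor():
        nonlocal pos
        if peek() == "(":
            pos += 1
            node = expr()
            if peek() != ")":
                raise ValueError("expected ')'")
            pos += 1
            return node
        if pos + 3 > len(tokens):
            raise ValueError("incomplete comparison")
        path, op, literal = tokens[pos:pos + 3]
        pos += 3
        if op not in ("eq", "sw") or not literal.startswith('"'):
            raise ValueError(f"only eq/sw with a quoted value are allowed, got: {path} {op} {literal}")
        return (op, path, json.loads(literal))

    node = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in filter")
    return node


def matches(node: Tuple, user: Dict) -> bool:
    kind = node[0]
    if kind == "and":
        return matches(node[1], user) and matches(node[2], user)
    if kind == "or":
        return matches(node[1], user) or matches(node[2], user)
    _, path, literal = node
    actual = user
    for part in path.split("."):           # dotted paths reach nested fields such as population.id
        actual = actual.get(part) if isinstance(actual, dict) else None
    if not isinstance(actual, str):
        return False
    return actual == literal if kind == "eq" else actual.startswith(literal)


def map_to_pingone_user(entry, users, local_attrs, remote_fields, additional=None) -> Dict:
    """The search must match exactly one account; zero or several is a mapping failure."""
    filter_text = build_mapping_filter(entry, local_attrs, remote_fields, additional)
    node = parse(tokenize(filter_text))
    hits = [u for u in users if matches(node, u)]
    if len(hits) != 1:
        raise LookupError(f"mapping failed: filter matched {len(hits)} accounts, need exactly 1 ({filter_text})")
    return hits[0]
```

With the constructed data, mapping on uid alone matches two PingOne accounts and fails; adding mail as a second mapped attribute, or ANDing an additional filter such as population.id eq "pop-a", narrows the search to one account.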


Advanced Properties

invoke-for-internal-operations (Advanced Property)

Description
Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operations that can cause the same plug-in to be re-invoked.
Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Plugins:

dsconfig list-plugins
     [--property {propertyName}] ...

To view the configuration for an existing Plugin:

dsconfig get-plugin-prop
     --plugin-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Plugin:

dsconfig set-plugin-prop
     --plugin-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new PingOne Pass Through Authentication Plugin:

dsconfig create-plugin
     --plugin-name {name}
     --type ping-one-pass-through-authentication
     --set enabled:{propertyValue}
     --set api-url:{propertyValue}
     --set auth-url:{propertyValue}
     --set oauth-client-id:{propertyValue}
     --set environment-id:{propertyValue}
     --set user-mapping-local-attribute:{propertyValue}
     --set user-mapping-remote-json-field:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Plugin:

dsconfig delete-plugin
     --plugin-name {name}
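The create-plugin usage above lists the mandatory properties, and the property reference adds cross-property rules (exactly one client-secret source, a UUID v4 environment-id, matching counts for the two user-mapping lists, properties that only take effect when try-local-bind is true). The following is an added example, not part of the PingDirectory tooling: a Python pre-flight check that tests a proposed configuration against those rules and renders the equivalent dsconfig create-plugin command line. The URLs, DNs and IDs in EXAMPLE_PROPS are constructed placeholders, the passphrase-provider DN is an assumed name, and the https check is this example's own hygiene check rather than a constraint stated on this page.

```python
import re
import shlex
from typing import Dict, List, Union

Props = Dict[str, Union[str, List[str]]]

# Properties the create-plugin usage marks as mandatory.
REQUIRED = ("enabled", "api-url", "auth-url", "oauth-client-id", "environment-id",
            "user-mapping-local-attribute", "user-mapping-remote-json-field")
# environment-id must be a UUID v4: version nibble 4, variant nibble 8-b.
UUID_V4 = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$", re.I)

# Constructed example values; hosts, DNs and IDs are placeholders, not a real environment.
EXAMPLE_PROPS: Props = {
    "enabled": "true",
    "api-url": "https://api.pingone.example/v1",
    "auth-url": "https://auth.pingone.example/3fa85f64-5717-4562-b3fc-2c963f66afa6/as/token",
    "oauth-client-id": "3c0b1f7e-2a5d-4c89-9e5a-1f2b3c4d5e6f",
    "oauth-client-secret-passphrase-provider": "cn=PingOne Client Secret,cn=Passphrase Providers,cn=config",
    "environment-id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "included-local-entry-base-dn": ["ou=People,dc=example,dc=com"],
    "try-local-bind": "true",
    "override-local-password": "true",
    "update-local-password": "true",
    "update-local-password-dn": "cn=PingOne PTA Updater,cn=Root DNs,cn=config",
    "allow-lax-pass-through-authentication-passwords": "false",
    "user-mapping-local-attribute": ["uid", "mail"],
    "user-mapping-remote-json-field": ["username", "email"],
}


def _values(props: Props, name: str) -> List[str]:
    v = props.get(name)
    return [] if v is None else (v if isinstance(v, list) else [v])


def validate(props: Props) -> List[str]:
    """Return the findings for a proposed configuration; an empty list means it passes."""
    problems = []
    for name in REQUIRED:
        if not _values(props, name):
            problems.append(f"{name} is required")
    secret_sources = [n for n in ("oauth-client-secret", "oauth-client-secret-passphrase-provider")
                      if _values(props, n)]
    if len(secret_sources) != 1:
        problems.append("exactly one of oauth-client-secret and "
                        "oauth-client-secret-passphrase-provider must be set")
    env = _values(props, "environment-id")
    if env and not UUID_V4.match(env[0]):
        problems.append("environment-id must be in UUID v4 format")
    if len(_values(props, "user-mapping-local-attribute")) != len(_values(props, "user-mapping-remote-json-field")):
        problems.append("user-mapping-local-attribute and user-mapping-remote-json-field "
                        "must have the same number of values")
    try_local = (_values(props, "try-local-bind") or ["true"])[0]   # documented default is true
    if try_local == "false":
        for name in ("override-local-password", "update-local-password",
                     "ignored-password-policy-state-error-condition"):
            if name in props:
                problems.append(f"{name} has no effect because try-local-bind is false")
    if _values(props, "update-local-password") == ["true"] and not _values(props, "update-local-password-dn"):
        problems.append("update-local-password is true but update-local-password-dn is unset; "
                        "set it if passwords are synchronized back to the PingOne service")
    for name in ("api-url", "auth-url"):   # added hygiene check, not a constraint stated on the page
        url = _values(props, name)
        if url and not url[0].startswith("https://"):
            problems.append(f"{name} should use https; the client credentials are sent to it")
    return problems


def render_create_command(plugin_name: str, props: Props) -> str:
    """Render the dsconfig create-plugin line; multi-valued properties become repeated --set."""
    args = ["dsconfig", "create-plugin", "--plugin-name", plugin_name,
            "--type", "ping-one-pass-through-authentication"]
    for name in props:
        for v in _values(props, name):
            args += ["--set", f"{name}:{v}"]
    return shlex.join(args)


if __name__ == "__main__":
    findings = validate(EXAMPLE_PROPS)
    print("\n".join(findings) if findings else render_create_command("PingOne PTA", EXAMPLE_PROPS))
```

The example configuration deliberately uses oauth-client-secret-passphrase-provider rather than oauth-client-secret, sets allow-lax-pass-through-authentication-passwords to false so that passwords copied into the local entry still meet the local password policy, and pairs update-local-password with update-local-password-dn as the property reference recommends for bidirectional password synchronization.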