PingFederate Plugin


The HYPR Extension for PingFederate utilizes PingFederate as an Identity Provider (IdP). The HYPR Integration Kit for PingFederate provides an IdP Adapter as well as a Password Credential Validator (PCV), which enable users to authenticate using FIDO. Within the Intelligent Extension, the HYPR IdP Adapter serves as a platform to authenticate users using either FIDO keys stored on the mobile app or FIDO2 tokens. The Password Credential Validator is used to authenticate users through FIDO using a mobile app whenever user interaction is not an option. After registering a device through Device Manager, a user can log in to the specified Service Provider (SP) or get OAuth 2.0 tokens by authenticating with the mobile app or FIDO2 tokens.

System Requirements

This HYPR Intelligent Extension for PingFederate is designed and supported for the Control Center, and compliant with the PingFederate SSO IdP Server. The HYPR Integration Kit is compliant with PingFederate v7.x and above releases. Refer to PingFederate documentation for the specific system requirements for the specific version of PingFederate being integrated as the target hosting platform for the HYPR Intelligent Extension.


The HYPR Intelligent Extension for PingFederate uses information from the PingFederate Administration Console. Configuration information will vary slightly among versions of PingFederate; however, the HYPR IdP Adapter & PCV configuration will be the same.

Contact HYPR support to acquire the PingFederate HYPR Integration Kit.

Zip Manifest

The distribution ZIP file for the HYPR Intelligent Extension contains the following items:

• /legal – Contains legal documents
  • Legal.pdf – Copyright and license information
  • License_Agreement.pdf – Click-through agreement
• /docs – Contains the documentation needed to set up and use the HYPR IdP Adapter
  • HYPR-Integration-Kit-ReleaseNotes.pdf – Release notes
  • HYPR-Integration-Kit-UserGuide.pdf – This document
• /dist – Contains the libraries needed to implement the HYPR IdP Adapter
  • pf.adapters.hypradapter.jar – HYPR IdP Adapter plug-in for PingFederate
• /dist/conf/language-packs – Contains the language support packs for user interfaces
  • – English translation for out-of-the-box user templates
  • – Spanish translation for out-of-the-box user templates
• /dist/conf/template – Contains the velocity templates needed for user interfaces
  • hypr.form.login.template.html – Login template
  • hypr.field.presence.required.template.html – User Presence Required Verification
  • hypr.form.customTransaction.template.html – Sample template that demonstrates using a custom transaction text feature
• /dist/conf/template/assets/css – Contains the HYPR style sheet for velocity templates
  • hypr.css – HYPR style sheet for velocity templates

Authentication Overview

  1. User attempts to access a protected web resource.
  2. User is redirected to PingFederate to authenticate.
  3. User enters Username to the PingFederate login page.
  4. HYPR IdP Adapter initiates authentication with the HYPR server.
  5. User uses biometric authentication to verify identity.
  6. HYPR mobile application sends authentication success response to server.
  7. HYPR server sends authentication success to PingFederate.
  8. PingFederate creates user login session.
  9. User is redirected to the protected web resource.

Installation and Setup

Integrating the HYPR IdP Adapter into a PingFederate server involves the following steps:
• Installing the HYPR IdP Adapter libraries, language packs, and templates onto a PingFederate server
• Configuring the HYPR IdP Adapter based on a specific use case

Installing the HYPR IdP Adapter

Perform the following steps to install the HYPR IdP Adapter:

  1. Log in as an administrator to the PingFederate server.

  2. Stop the PingFederate server if it is running.

  3. Remove the previous version of the HYPR Adapter from the deploy directory:
    rm <PF-install>/server/default/deploy/pf.adapters.hypradapter*.jar

  4. From the integration kit dist directory, copy the jar files and paste them into the specified PingFederate directory.

  5. From the integration kit dist directory, copy the configuration files for language packs and templates, and paste them into the specified PingFederate directory. These files do not replace existing PingFederate configuration files; rather, they are used in addition to existing configuration files.

  6. Start the PingFederate server.
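
Steps 3 to 5 above as a script, added here as an example (it is not part of the HYPR kit or of this guide). It assumes the kit's dist/conf tree mirrors <PF-install>/server/default/conf; install_hypr_kit is a hypothetical function name.

```shell
#!/bin/sh
# Added example (not from the HYPR kit): steps 3-5 of the install procedure.
# Run only while PingFederate is stopped (step 2); start it afterwards (step 6).
# Assumption: <kit>/dist/conf mirrors <PF-install>/server/default/conf.
# Returns 0 = installed, 1 = installed but some files were kept, 2 = error.
install_hypr_kit() {
    kit_dist=$1
    pf_default=$2/server/default
    deploy=$pf_default/deploy
    kept=0

    [ -d "$deploy" ] || { echo "missing $deploy" >&2; return 2; }
    ls "$kit_dist"/pf.adapters.hypradapter*.jar >/dev/null 2>&1 ||
        { echo "no adapter jar in $kit_dist" >&2; return 2; }

    # Step 3: remove every previous adapter version so only one gets loaded.
    rm -f "$deploy"/pf.adapters.hypradapter*.jar
    # Step 4: copy the new adapter jar.
    cp "$kit_dist"/pf.adapters.hypradapter*.jar "$deploy"/ || return 2

    # Step 5: add language packs and templates; never replace an existing file.
    [ -d "$kit_dist/conf" ] || return 0
    while IFS= read -r src; do
        [ -n "$src" ] || continue
        dst=$pf_default/conf/${src#"$kit_dist/conf/"}
        if [ -e "$dst" ]; then
            echo "kept existing file, review by hand: $dst" >&2
            kept=$((kept + 1))
        else
            mkdir -p "$(dirname "$dst")" && cp "$src" "$dst" || return 2
        fi
    done <<EOF
$(find "$kit_dist/conf" -type f)
EOF
    [ "$kept" -eq 0 ]
}

# Stand-alone use: sh install_hypr_kit.sh <kit-dist-dir> <PF-install>
if [ "$#" -eq 2 ]; then
    install_hypr_kit "$1" "$2"
fi
```

A return code of 1 means a template or language pack with the same name was already present and was left untouched, which is the case to review by hand when upgrading.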

Configuring the HYPR IdP Adapter

Perform the following steps to configure PingFederate with the HYPR IdP Adapter:

  1. Open a web browser and log in to the PingFederate Administration Console.
  2. Within the console, select Adapters under IdP Configuration on the Main Menu.
    (For more information about IdP Adapters, see the PingFederate Administrator’s Manual.)
  3. On the Manage IdP Adapter Instances screen, click [Create New Instance].
  4. On the Type screen, enter the following values:
    Instance Name: Choose any name for identifying the adapter instance
    Instance ID: Internal PingFederate ID that cannot contain spaces or non-alphanumeric characters Type: HYPR Adapter 1.0
  5. At the bottom of the Type screen, click [Next].
  6. On the IdP Adapter screen, click Add a new row to ‘Common Names for SP Entity IDs’. Select an SP entity ID. Provide an Application Name. Click Update.


(For information about how to set up a Data Store, see the PingFederate Administrator’s Manual.)

(For information about how to set up an SP connection, see the PingFederate Administrator’s Manual.)

  7. On the IdP Adapter screen, provide entries for each of the fields shown in the table below.

| Field Name | Description |
|---|---|
| PingFederate Base URL | PingFederate base URL, with no trailing "/" |
| HYPR Base URL | The base URL for the HYPR API, with no trailing "/" |
| Application ID | The ID used to identify this application to the HYPR API. |
| Username Cookie Duration | The number of days the username cookie will remain active. A negative value indicates that the cookie will persist until the browser is shut down. |
| User ID Field Name | The field name for the user ID that is returned from the preceding IdP adapter in a Composite Adapter or IdP policy that is used for user authentication. Examples include ‘username’ from an HTML Form Adapter or ‘subject’ from an OpenToken Adapter. |
| Auto Fail if Devices not Registered | If no devices are registered, exit the adapter with an error |
| Auto Submit If FIDO2 Devices not Registered | Auto Submit If FIDO2 Devices not Registered |
| Allow Username Edits | Allow Username Edits |
| HYPR Login Template | The HTML template (in <PF-install>/server/default/conf/template) to render for a login. |
| Adapter Integration Error Template | The HTML template (in <PF-install>/server/default/conf/template) to render when an integration error occurs within the adapter. The default value of is the PingFederate error template. |
| Presence Required Flag | Set this value if you require post-mobile-app confirmation processing to protect against mobile push attacks |
| Presence Required Field Template | Template name for presenting the user with confirmation options |
| Number of Strings | Number of options for user confirmation |
| Presence Confirmation Instruction | Transaction text instruction that the user will receive on the mobile app |
| Default Transaction Text | Text to send to the user instead of a generic application name |
| Override Action Id | Policy name configured in HYPR for user authentication |
| Fake User Authentication | For users who are either not registered or not in LDAP, fake that the user is authenticating, to prevent credential harvesting |
| Support FIDO2 | Check if you want to allow FIDO2 |
| Allow External Authenticators | Check if you want to allow both platform and external authenticators |
| Display Cancel Option | Display a Cancel option. Using it results in the adapter exiting with an error |
| LDAP Lookup Table | If you want LDAP lookup as part of the adapter, fill out Advanced Fields |
| LDAP Data Source | The LDAP data source used for retrieving the HYPR unique user identifier |
| Base DN | Base DN |
| Filter | Filter for searching for the right entry in LDAP |
| Search Scope | Search Scope |
| HYPR Identifier Attribute Name | The name of the attribute that the user is registered to HYPR with. It can be any unique identifier and can be opaque |
| UserAccountControl Attribute Name | The User Account Control attribute provides information on user status and can be used in issuance criteria to deny access even if the user authenticated. |

  8. At the bottom of the IdP Adapter screen, click [Next].
  9. On the Extended Contract screen, add any desired contract extensions, then click [Next].
  10. On the Adapter Attributes screen, select username as the Pseudonym, then click [Next].
  11. On the Adapter Contract Mapping screen, configure any desired adapter contracts, then click [Next].
  12. On the Summary screen, verify that the information is correct, then click [Done].
  13. On the Manage IdP Adapter Instances screen, click [Save] to complete the adapter configuration.

Increasing Log Level

file by adding


to the Loggers Section

Release Notes


TracerId added
Support for PingFederate 10.x added
PingFederate Base URL is now required to be entered in the Admin Console
Additional Debug Logs added
Cosmetic changes to HTML Form


Changed API endpoints to point to endpoints protected by access token
Added HYPR Password Credential Validator
Added optional autosubmit when adapter chaining
Added optional auto fail when chaining adapters
Added enable/disable username edits (useful when chaining adapters)
Added optional Cancel button to allow user to exit adapter with an error to skip to the next adapter in the policy.