PingFederate Plugin

Overview

The HYPR Extension for PingFederate utilizes PingFederate as an Identity Provider (IdP). HYPR Integration Kit for PingFederate provides IdP Adapter as well Password Credential Validator (PCV). which enable users to authenticate using FIDO. Within the Intelligent Extension, the HYPR IdP Adapter serves as a platform to authenticate users either using FIDO keys stored on the mobile app or FIDO2 tokens, Password Credential Validator is used to authenticate users through FIDO using a mobile app whenever user interaction is not an option. After registering a device through Device Manager, a user can log into the specified Service Provider (SP) or get OAuth2.0 tokens by authenticating with Mobile App or FIDO2 tokens.

System Requirements

This HYPR Intelligent Extension for PingFederate is designed and supported for the Control Center, and compliant with the PingFederate SSO IdP Server. The HYPR Integration Kit is compliant with PingFederate v7.x and above releases. Refer to PingFederate documentation for the specific system requirements for the specific version of PingFederate being integrated as the target hosting platform for the HYPR Intelligent Extension.

📘

The HYPR Intelligent Extension for PingFederate uses information from the PingFederate Administration Console. Configuration information will vary slightly among versions of PingFederate; however, the HYPR IdP Adapter & PCV configuration will be the same.

Contact HYPR support to acquire the Ping Federate HYPR Integration Kit

Zip Manifest

The distribution ZIP file for the HYPR Intelligent Extension contains the following items: • /legal – Contains legal documents

  • Legal.pdf – Copyright and license information
  • License_Agreement.pdf – Click-through agreement
    • /docs – Contains the documentation needed to setup and use the HYPR IdP Adapter
  • HYPR-Integration-Kit-ReleaseNotes.pdf – Release notes
  • HYPR-Integration-Kit-UserGuide.pdf – This document
    • /dist – Contains the libraries needed to implement the HYPR IdP Adapter
  • pf.adapters.hypradapter.jar – HYPR IdP Adapter plug-in for PingFederate
    • /dist/conf/language-packs – Contains the language support packs for user interfaces
  • HYPR-messages.properties – English translation for out-of-the-box user templates
  • HYPR-messages_es.properties – Spanish translation for out-of-the-box user templates • /dist/conf/template – Contains the velocity templates needed for user interfaces
  • hypr.form.login.template.html – Login template
    -hypr.field.presence.required.template.html - User Presence Required Verification
  • hypr.form.customTransaction.template.html - Sample template that demonstrates using a custom transaction text feature.

• /dist/conf/template/assets/css – Contains the HYPR style sheet for velocity templates

  • hypr.css – HYPR style sheet for velocity templates

Authentication Overview

  1. User attempts to access a protected web resource.
  2. User is redirected to PingFederate to authenticate.
  3. User enters Username to the PingFederate login page.
  4. HYPR IdP Adapter initiates authentication with the HYPR server.
  5. User uses biometric authentication to verify identity.
  6. HYPR mobile application sends authentication success response to server.
  7. HYPR server sends authentication success to PingFederate.
  8. PingFederate creates user login session.
  9. User is redirected to the protected web resource.

Installation and Setup

Integrating the HYPR IdP Adapter into a PingFederate server involves the following steps:
• Installing the HYPR IdP Adapter libraries, language packs, and templates onto a PingFederate server
• Configuring the HYPR IdP Adapter based on a specific use case

Installing the HYPR IdP Adapter

Perform the following steps to install the HYPR IdP Adapter:

  1. Log in as an administrator to the PingFederate server.

  2. Stop the PingFederate server if it is running.

  3. Remove previous version of the HYPR Adapter from deploy directory
    rm <PF-install>/server/default/deploy/pf.adapters.hypradapter*.jar

  4. From the integration kit dist directory, copy the jar files and paste them into the specified PingFederate directory.
    <PF-install>/server/default/deploy/pf.adapters.hypradapter-1.5.0.jar

  5. From the integration kit dist directory, copy the configuration files for language packs and templates, and paste them into the specified PingFederate directory. These files do not replace existing PingFederate configuration files; rather, they are used in addition to existing configuration files.
    <PF-install>/server/default/conf/language-packs/HYPR-messages.properties
    <PF-install>/server/default/conf/template/hypr.form.login.template.html
    <PF-install>/server/default/conf/template/hypr.form.register.template.html
    <PF-install>/server/default/conf/template/assets/css/hypr.css

  6. Start the PingFederate server.

Configuring the HYPR IdP Adapter

Perform the following steps to configure PingFederate with the HYPR IdP Adapter:

  1. Open a web browser and log in to the PingFederate Administration Console.
  2. Within the console, select Adapters under IdP Configuration on the Main Menu.
    (For more information about IdP Adapters, see the PingFederate Administrator’s Manual.)
  3. On the Manage IdP Adapter Instances screen, click [Create New Instance].
  4. On the Type screen, enter the following values:
    Instance Name: Choose any name for identifying the adapter instance
    Instance ID: Internal PingFederate ID that cannot contain spaces or non-alphanumeric characters Type: HYPR Adapter 1.0
  5. At the bottom of the Type screen, click [Next].
  6. On the IdP Adapter screen, click Add a new row to ‘Common Names for SP Entity IDs’. Select an SP entity ID. Provide an Application Name. Click Update.

📘

(For information about how to set up a Data Store, see the PingFederate Administrator’s Manual.)
http://documentation.pingidentity.com/display/PF/Administrator's+Manual

📘

(For information about how to setup an SP connection, see the PingFederate Administrator’s Manual.)
http://documentation.pingidentity.com/display/PF/Administrator's+Manual

  1. On the IdP Adapter screen, provide entries for each of the fields shown in the Table below.

Field Name

Description

PingFederate Base URL

PingFederate Base URL no trailing "/"

HYPR Base URL

The base URL for the HYPR API. no trailing "/"

Application ID

The ID used to identify this application to the HYPR API.

Username Cookie Duration

The number of days the username cookie will remain active. A negative value indicates that the cookie will persist until the browser is shutdown.

User ID Field Name

The field name for the user ID that is returned from the preceding IdP adapter in a Composite Adapter or IdP policy that is used for user authentication. Examples include ‘username’ from an HTML Form Adapter or ‘subject’ from an OpenToken Adapter.

Auto Fail if Devices not Regisered

If no devices are registered, exit adapter with an error

Auto Submit If FIDO2 Devices not Registered

Auto Submit If FIDO2 Devices not Registered

Allow Username Edits

Allow Username Edits

HYPR Login Template

The HTML template (in <PF-install>/server/default/conf/template ) to render for a login.

Adapter Integration Error Template

The HTML template (in <PF-install>/server/default/conf/template ) to render when an integration error occurs within the adapter. The default value of general.error.page.template.html is the PingFederate error template.

Presence Required Flag

Set this value if you require Post Mobile App confirmation processing to protect against Mobile Push attacks

Presence Required Field Template

Template name for Presenting user with confirmation options

Number of Strings

Number of options for user confirmation

Presence Confirmation Instruction

Transaction Text Instruction that user will receive on the mobile app

Default Transaction Text

Text to send to the user instead of a generic application Name

Override Action Id

Policy Name configured in HYPR for user authentication

Fake User Authentication

For users that are either not registered or not in the LDAP, fake that user is authenticating to prevent credential harversting

Support FIDO2

Check if you want to allow FIDO2

Allow External Authenticators

Check if you want to allow both platform and external authenticators

Display Cancel Option

Display Cancel Option: This will result in Adapter Exiting with an Error

LDAP Lookup Table

If want LDAP lookup as part of the Adapter, fill out Advanced Fields

LDAP Data Source

The LDAP data source used for retrieving HYPR unique user identifier

Base DN

Base DN

FIlter

Filter for searching for the right Entry in LDAP

Search Scope

Search Scope

HYPR Identifier Attribute Name

The name of the attribute that user is registered to HYPR with, any unique identifier, can be opaque

UserAccountControl Attribute Name

User Account Control attribute provides information on user status, and can be used in issuance criteria to deny access even is user authenticated.

  1. At the bottom of the IdP Adapter screen, click [Next].
  2. On the Extended Contract screen, add any desired contract extensions, then click [Next].
  3. On the Adapter Attributes screen, select username as the Pseudonym, then click [Next].
  4. On the Adapter Contract Mapping screen, configure any desired adapter contracts, then click [Next].
  5. On the Summary screen, verify that the information is correct, then click [Done].
  6. On the Manage IdP Adapter Instances screen, click [Save] to complete the adapter configuration.

Increasing Log Level

Modify
/pingfederate/server/default/conf/log42.xml
file by adding

or

to the Loggers Section

Release Notes

1.5.2.

TracerId added
Support for PingFederate 10.x added
PingFederate Base URL is now required to be entered in the Admin Console
Additional Debug Logs added
Cosmetic changes to HTML Form

6.6.0

Changed API endpoints to point to endpoints protected by access token
Added HYPR Password Credential Validator
Added optional autosubmit when adapter chaining
Added optional auto fail when chaining adapters
Added enable/disable username edits (useful when chaining adapters)
Added optional Cancel button to allow user to exit adapter with an error to skip to the next adapter in the policy.