The HYPR Extension for PingFederate utilizes PingFederate as an Identity Provider (IdP). HYPR Integration Kit for PingFederate provides IdP Adapter as well Password Credential Validator (PCV). which enable users to authenticate using FIDO. Within the Intelligent Extension, the HYPR IdP Adapter serves as a platform to authenticate users either using FIDO keys stored on the mobile app or FIDO2 tokens, Password Credential Validator is used to authenticate users through FIDO using a mobile app whenever user interaction is not an option. After registering a device through Device Manager, a user can log into the specified Service Provider (SP) or get OAuth2.0 tokens by authenticating with Mobile App or FIDO2 tokens.
This HYPR Intelligent Extension for PingFederate is designed and supported for the Control Center, and compliant with the PingFederate SSO IdP Server. The HYPR Integration Kit is compliant with PingFederate v7.x and above releases. Refer to PingFederate documentation for the specific system requirements for the specific version of PingFederate being integrated as the target hosting platform for the HYPR Intelligent Extension.
The HYPR Intelligent Extension for PingFederate uses information from the PingFederate Administration Console. Configuration information will vary slightly among versions of PingFederate; however, the HYPR IdP Adapter & PCV configuration will be the same.
Contact HYPR support to acquire the Ping Federate HYPR Integration Kit
The distribution ZIP file for the HYPR Intelligent Extension contains the following items: • /legal – Contains legal documents
- Legal.pdf – Copyright and license information
- License_Agreement.pdf – Click-through agreement
• /docs – Contains the documentation needed to setup and use the HYPR IdP Adapter
- HYPR-Integration-Kit-ReleaseNotes.pdf – Release notes
- HYPR-Integration-Kit-UserGuide.pdf – This document
• /dist – Contains the libraries needed to implement the HYPR IdP Adapter
- pf.adapters.hypradapter.jar – HYPR IdP Adapter plug-in for PingFederate
• /dist/conf/language-packs – Contains the language support packs for user interfaces
- HYPR-messages.properties – English translation for out-of-the-box user templates
- HYPR-messages_es.properties – Spanish translation for out-of-the-box user templates • /dist/conf/template – Contains the velocity templates needed for user interfaces
- hypr.form.login.template.html – Login template
-hypr.field.presence.required.template.html - User Presence Required Verification
- hypr.form.customTransaction.template.html - Sample template that demonstrates using a custom transaction text feature.
• /dist/conf/template/assets/css – Contains the HYPR style sheet for velocity templates
- hypr.css – HYPR style sheet for velocity templates
- User attempts to access a protected web resource.
- User is redirected to PingFederate to authenticate.
- User enters Username to the PingFederate login page.
- HYPR IdP Adapter initiates authentication with the HYPR server.
- User uses biometric authentication to verify identity.
- HYPR mobile application sends authentication success response to server.
- HYPR server sends authentication success to PingFederate.
- PingFederate creates user login session.
- User is redirected to the protected web resource.
Integrating the HYPR IdP Adapter into a PingFederate server involves the following steps:
• Installing the HYPR IdP Adapter libraries, language packs, and templates onto a PingFederate server
• Configuring the HYPR IdP Adapter based on a specific use case
Perform the following steps to install the HYPR IdP Adapter:
Log in as an administrator to the PingFederate server.
Stop the PingFederate server if it is running.
Remove previous version of the HYPR Adapter from deploy directory
From the integration kit dist directory, copy the jar files and paste them into the specified PingFederate directory.
From the integration kit dist directory, copy the configuration files for language packs and templates, and paste them into the specified PingFederate directory. These files do not replace existing PingFederate configuration files; rather, they are used in addition to existing configuration files.
Start the PingFederate server.
Perform the following steps to configure PingFederate with the HYPR IdP Adapter:
- Open a web browser and log in to the PingFederate Administration Console.
- Within the console, select Adapters under IdP Configuration on the Main Menu.
(For more information about IdP Adapters, see the PingFederate Administrator’s Manual.)
- On the Manage IdP Adapter Instances screen, click [Create New Instance].
- On the Type screen, enter the following values:
Instance Name: Choose any name for identifying the adapter instance
Instance ID: Internal PingFederate ID that cannot contain spaces or non-alphanumeric characters Type: HYPR Adapter 1.0
- At the bottom of the Type screen, click [Next].
- On the IdP Adapter screen, click Add a new row to ‘Common Names for SP Entity IDs’. Select an SP entity ID. Provide an Application Name. Click Update.
(For information about how to set up a Data Store, see the PingFederate Administrator’s Manual.)
(For information about how to setup an SP connection, see the PingFederate Administrator’s Manual.)
- On the IdP Adapter screen, provide entries for each of the fields shown in the Table below.
|PingFederate Base URL||PingFederate Base URL no trailing "/"|
|HYPR Base URL||The base URL for the HYPR API. no trailing "/"|
|Application ID||The ID used to identify this application to the HYPR API.|
|Username Cookie Duration||The number of days the username cookie will remain active. A negative value indicates that the cookie will persist until the browser is shutdown.|
|User ID Field Name||The field name for the user ID that is returned from the preceding IdP adapter in a Composite Adapter or IdP policy that is used for user authentication. Examples include ‘username’ from an HTML Form Adapter or ‘subject’ from an OpenToken Adapter.|
|Auto Fail if Devices not Regisered||If no devices are registered, exit adapter with an error|
|Auto Submit If FIDO2 Devices not Registered||Auto Submit If FIDO2 Devices not Registered|
|Allow Username Edits||Allow Username Edits|
|HYPR Login Template||The HTML template (in |
|Adapter Integration Error Template||The HTML template (in |
|Presence Required Flag||Set this value if you require Post Mobile App confirmation processing to protect against Mobile Push attacks|
|Presence Required Field Template||Template name for Presenting user with confirmation options|
|Number of Strings||Number of options for user confirmation|
|Presence Confirmation Instruction||Transaction Text Instruction that user will receive on the mobile app|
|Default Transaction Text||Text to send to the user instead of a generic application Name|
|Override Action Id||Policy Name configured in HYPR for user authentication|
|Fake User Authentication||For users that are either not registered or not in the LDAP, fake that user is authenticating to prevent credential harversting|
|Support FIDO2||Check if you want to allow FIDO2|
|Allow External Authenticators||Check if you want to allow both platform and external authenticators|
|Display Cancel Option||Display Cancel Option: This will result in Adapter Exiting with an Error|
|LDAP Lookup Table||If want LDAP lookup as part of the Adapter, fill out Advanced Fields|
|LDAP Data Source||The LDAP data source used for retrieving HYPR unique user identifier|
|Base DN||Base DN|
|FIlter||Filter for searching for the right Entry in LDAP|
|Search Scope||Search Scope|
|HYPR Identifier Attribute Name||The name of the attribute that user is registered to HYPR with, any unique identifier, can be opaque|
|UserAccountControl Attribute Name||User Account Control attribute provides information on user status, and can be used in issuance criteria to deny access even is user authenticated.|
- At the bottom of the IdP Adapter screen, click [Next].
- On the Extended Contract screen, add any desired contract extensions, then click [Next].
- On the Adapter Attributes screen, select
usernameas the Pseudonym, then click [Next].
- On the Adapter Contract Mapping screen, configure any desired adapter contracts, then click [Next].
- On the Summary screen, verify that the information is correct, then click [Done].
- On the Manage IdP Adapter Instances screen, click [Save] to complete the adapter configuration.
file by adding
to the Loggers Section
Support for PingFederate 10.x added
PingFederate Base URL is now required to be entered in the Admin Console
Additional Debug Logs added
Cosmetic changes to HTML Form
Changed API endpoints to point to endpoints protected by access token
Added HYPR Password Credential Validator
Added optional autosubmit when adapter chaining
Added optional auto fail when chaining adapters
Added enable/disable username edits (useful when chaining adapters)
Added optional Cancel button to allow user to exit adapter with an error to skip to the next adapter in the policy.
Updated almost 2 years ago