Multiple Adapters in Ping Federate


I have configured multiple (HTTP Form Adapter) IdP Adapters for an SP connection (IdP configuration). User attributes are fetched from the datastore (LDAP). Two DITs are configured in LDAP; therefore each IdP Adapter is configured with a DIT. I wanted to use multiple adapters only because I cannot use the same attribute names for multiple organizations. E.g.: Adapter1 is configured with search base dc=example1,dc=com and Adapter2 is configured with search base dc=example2,dc=com.

When the IdP SSO URL is hit, it displays a page for adapter selection. When the user enters the username/password, adapter selection should happen automatically based on the inputs, instead of selecting it manually or appending the particular adapter ID as a query parameter.

I found that automatic adapter selection can be enabled using an Adapter Selector. But the existing adapters such as CIDR and SAML authn context don't apply to my requirement, because they are based either on the request IP address or on a context set by the SP. I have gone through the composite adapter, but I couldn't find detailed documentation on integrating the composite adapter with the SP connection.

Could anyone please let me know if my approach is right? If so, please direct me on integration. If wrong, please suggest an approach.

Thanks, Aswini J

2

There are 2 answers

0
Balamurugan Thiru On BEST ANSWER

You can simply use multiple data sources. Configure the filter of the other data source from the unique value of the first data source, e.g. uid=${userId}.

3
Ian On

I think you can do this one of two ways: with 1 Adapter with 2 PCVs, or with 2 Adapters (each with 1 PCV) that are then combined into a single Composite Adapter, which is then used in your SP Connection if your goal is to remove the IdP Adapter selection decision.

The issue you will run into is if users are logging in with the equivalent of "uid=joe" to your HTML Form Adapter and "uid=joe" exists in both of your LDAP suffixes. How do you know which "joe" is the right one? You may need to ensure that the login identifier is unique (email?). However, that is merely how you can set up your user authentication. It won't really help you with your Attribute Contract Fulfillment, where you'll need to search both LDAP suffixes of your single Data Source to retrieve the user's attributes (e.g., telephoneNumber).

You'll need to specify "Retrieve additional attributes from multiple data stores using one mapping" on the Assertion Mapping screen and then do a lookup against both suffixes of your single Data Source for "telephoneNumber". Assuming the user's identity attribute you are searching on is unique across both suffixes (email?), you'll get a null value from one or the other suffix search (since the user will exist in one or the other).

When you get to your Attribute Contract Fulfillment screen, you'll need to map the attribute "phone no" for your Assertion to an Expression that inspects the results of the 2 Data Source lookups, discards the "null" result for telephoneNumber, and inserts the valid search result.
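As an added illustration (not code from this thread or from PingFederate), the Python model below stands in for the two-suffix lookup and the null-discarding fulfillment expression described in the answer above. The directory contents and all function names are constructed for the example; "joe" is deliberately present under both suffixes to show why the login identifier must be unique before the attribute merge is safe.

```python
# Constructed stand-in for two LDAP suffixes (DITs) behind one data store.
# Entries are fictional; "uid=joe" deliberately exists under both suffixes.
DIRECTORY = {
    "dc=example1,dc=com": [
        {"uid": "joe", "mail": "joe@example1.com", "telephoneNumber": "+1-555-0101"},
        {"uid": "ann", "mail": "ann@example1.com", "telephoneNumber": "+1-555-0102"},
    ],
    "dc=example2,dc=com": [
        {"uid": "joe", "mail": "joe@example2.com"},  # no telephoneNumber set
        {"uid": "bob", "mail": "bob@example2.com", "telephoneNumber": "+1-555-0201"},
    ],
}


class AmbiguousLoginError(LookupError):
    """Raised when the login identifier matches an entry under more than one suffix."""


def search_suffix(base, attr, value):
    """Simulated LDAP search with filter (attr=value) under one search base."""
    return [entry for entry in DIRECTORY.get(base, []) if entry.get(attr) == value]


def lookup_all_suffixes(attr, value):
    """Run the same filter against every suffix, one result list per search base.
    This mirrors 'retrieve additional attributes from multiple data stores using
    one mapping': each per-suffix lookup either returns the entry or nothing."""
    return {base: search_suffix(base, attr, value) for base in DIRECTORY}


def coalesce(results, wanted):
    """The fulfillment-expression logic: skip lookups that returned nothing (null)
    and keep the one valid value of `wanted`. Returns None if no suffix had it."""
    for entries in results.values():
        for entry in entries:
            if entry.get(wanted) is not None:
                return entry[wanted]
    return None


def resolve_attribute(login_attr, login_value, wanted):
    """Identify the user by `login_attr`, then retrieve `wanted` for the assertion.
    Refuses to guess when the identifier is not unique across suffixes."""
    results = lookup_all_suffixes(login_attr, login_value)
    matched = [base for base, entries in results.items() if entries]
    if not matched:
        raise LookupError(f"{login_attr}={login_value} not found in any suffix")
    if len(matched) > 1:
        raise AmbiguousLoginError(f"{login_attr}={login_value} exists under {matched}")
    return coalesce(results, wanted)
```

Logging in with uid=joe is rejected as ambiguous, while searching on mail (unique across both suffixes) yields exactly one non-null telephoneNumber, or None when the matched entry simply has no phone number.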