X.509

X.509 Certificate IdP Adapter settings reference

Field descriptions for the X.509 Certificate IdP Adapter configuration screen.

Standard fields
Field Description

Client Auth Port

The port that PingFederate uses to validate client certificates. Enter the port number that you chose in Deploying the integration files.

This field is blank by default.

Client Auth Hostname

The PingFederate hostname that is configured to use client-certificate authentication.

This field is blank by default.

Parse Client Cert Subject and Issuer DNS

When enabled, the subject and issuer distinguished names (DN) in the client certificate are treated as separate attributes. This allows you to do the following:

  • Add subject or issuer DN attributes, such as CN or UID, to the adapter’s extended contract.

  • Use the subject DN email attribute in the adapter’s core contract.

  • Use Object-Graph Navigation Language (OGNL) expressions to extract other information from the X.509 certificate, as shown in Sample OGNL expressions.

This checkbox is selected by default.

Match Issuer DN In Client Cert Subject And Issuer DNs

Determines how PingFederate validates the issuer distinguished name (DN) for the client certificate.

When selected, the issuer DN is matched against the entries that are defined in the Constrain Acceptable Root Issuers section.

When cleared, the issuer DN is matched against the default top-level certificate in the chain that is presented by the client.

This checkbox is cleared by default.
Advanced fields
Field Description

Return Success On SLO

When enabled, a success message is sent in response when the adapter receives a single logout (SLO) request.

SLO is not supported by this adapter and the user session is not terminated. This feature only prevents other sites from experiencing an SLO failure.

Learn more in Known issues and limitations.

This checkbox is selected by default.

Authentication Context

The value used to populate the Authentication Context field in the SAML token that PingFederate sends after validating the X.509 certificate.

Default

Sets the value to TLSClient.

Policy OID

Sets the value to the identifier for the policy.

Custom

Sets the value based on the value you enter in the Custom Authentication Context field.

Custom Authentication Context

The value used to populate the Authentication Context field in the SAML token. Applies when Authentication Context is set to Custom.

This field is blank by default.

Include Subject Alternative Name (SAN)

When enabled, the adapter includes the following decoded SAN attributes from the X.509 certificate and makes them available in the attribute contract:

  • userPrincipalName

  • RFC822Name

  • fascn_sen

  • fascn_wo_sen

  • fascn_hex

This checkbox is cleared by default.

Skip Redirect

When enabled, the adapter does not redirect back from the Client Auth Port and Client Auth Hostname.

This checkbox is cleared by default.

Version 1.3.2 of the adapter introduced the ability to redirect back from the Client Auth Port and Client Auth Hostname as default behavior.