PingFederate x509 adapter

The x509 adapter requires an additional HTTPS port to be specified according to the installation instructions. Can someone explain why this is required?

In case PingFed is behind a load balancer, should the secondary port be configured in the LB as well? Should I use a sticky session or a round robin strategy?

Thank you in advance



1 answer

It requires the use of a secondary HTTPS listener so that PF will only issue a challenge to the client for its X509 certificate when PF needs to authenticate the user with the X509 adapter. If you want to make the specified configuration change to the primary HTTPS listener, then ALL client requests to PF (including protocol messages) will be required to request a valid client certificate for a transaction (hence the "NeedClientAuth = true" change).

If PF is behind an LB, you need to add the additional HTTPS port to your configuration. However, it doesn't matter for PF and the X509 Kit as long as you have a sticky or round robin configuration.
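The listener split described in the answer above, as an added Go example that is not part of the original answer and is not PingFederate code. It assumes Go's `tls.RequireAnyClientCert` as a stand-in for a listener with "NeedClientAuth = true"; `selfSigned`, `Listen` and `Probe` are hypothetical names and the certificates are constructed at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"time"
)

// selfSigned builds a throwaway certificate (constructed test data, not a real PF certificate).
func selfSigned() tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}
// Listen starts a loopback TLS listener with the given client-certificate policy.
func Listen(policy tls.ClientAuthType) string {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{selfSigned()}, ClientAuth: policy})
	if err != nil {
		panic(err)
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			c.Write([]byte("ok")) // Write drives the handshake; it fails if a required cert is missing
			c.Close()
		}
	}()
	return ln.Addr().String()
}
// Probe reports whether a client, with or without a certificate, receives application data.
func Probe(addr string, certs ...tls.Certificate) bool {
	c, err := tls.Dial("tcp", addr, &tls.Config{Certificates: certs, InsecureSkipVerify: true})
	if err != nil {
		return false
	}
	defer c.Close()
	_, err = io.ReadFull(c, make([]byte, 2)) // under TLS 1.3 the rejection surfaces on first read
	return err == nil
}
func main() {
	primary, secondary := Listen(tls.NoClientCert), Listen(tls.RequireAnyClientCert)
	fmt.Println(Probe(primary), Probe(secondary), Probe(secondary, selfSigned()))
}
```

`InsecureSkipVerify` is set only because the demo server certificate is self-signed, and `RequireAnyClientCert` does not validate the chain; a real listener would validate client certificates against a trust store (`RequireAndVerifyClientCert` with `ClientCAs` in Go terms).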


