feat(pingidentity): add PingFederate auth provider

Signed-off-by: Jessica He <jhe@redhat.com>

Author: JessicaJHee

workspaces/pingidentity/plugins/auth-backend-module-pingfederate-provider/.eslintrc.js

@@ -0,0 +1 @@
+module.exports = require('@backstage/cli/config/eslint-factory')(__dirname);

workspaces/pingidentity/plugins/auth-backend-module-pingfederate-provider/README.md

@@ -0,0 +1,185 @@
+# Auth Module: PingFederate Provider
+
+This module provides a PingFederate auth provider implementation for `@backstage/plugin-auth-backend`.
+
+The provider uses OIDC authentication and includes PingFederate-specific sign-in resolvers for matching users via LDAP UUID and Ping Identity user IDs.
+
+> **Note:** This provider has only been tested with LDAP catalog provider (`@backstage/plugin-catalog-backend-module-ldap`). It has not been tested with the PingOne catalog provider (`@backstage-community/plugin-catalog-backend-module-pingidentity`), though it should work with appropriate resolver configuration.
+
+## Installation
+
+```bash
+yarn add --cwd packages/backend @backstage-community/plugin-auth-backend-module-pingfederate-provider
+```
+
+## Configuration
+
+> **Important:** You must configure at least one sign-in resolver. There is no default resolver - the `resolver` field is mandatory.
+
+Add the following to your `app-config.yaml`:
+
+```yaml
+auth:
+  environment: development
+  providers:
+    pingfederate:
+      development:
+        # Base URL of your PingFederate server (without the .well-known path)
+        baseUrl: ${PINGFEDERATE_BASE_URL} # e.g., https://your-pingfederate-server.com
+        clientId: ${PINGFEDERATE_CLIENT_ID}
+        clientSecret: ${PINGFEDERATE_CLIENT_SECRET}
+        signIn:
+          resolvers:
+            # Resolver is required - choose one that matches your catalog setup:
+
+            # Option 1: Match LDAP UUID annotation
+            - resolver: ldapUuidMatchingAnnotation
+              ldapUuidKey: 'ldap_uuid' # optional, defaults to 'ldap_uuid'
+
+
+            # Option 2: Match Ping Identity user ID annotation
+            # - resolver: subClaimMatchingPingIdentityUserId
+
+            # Option 3: Match email local part to user entity name
+            # - resolver: emailLocalPartMatchingUserEntityName
+```
+
+### Optional Configuration
+
+You can customize the provider behavior with additional configuration options:
+
+```yaml
+auth:
+  providers:
+    pingfederate:
+      development:
+        baseUrl: ${PINGFEDERATE_BASE_URL}
+        clientId: ${PINGFEDERATE_CLIENT_ID}
+        clientSecret: ${PINGFEDERATE_CLIENT_SECRET}
+
+        # Optional: Request additional scopes beyond the default openid, profile, email
+        additionalScopes:
+          - offline_access
+        # Or as a single string:
+        # additionalScopes: offline_access
+
+        # Optional: Control the authentication prompt behavior
+        # 'none' (default) - SSO if session exists, 'login' - force login, 'auto' - let provider decide
+        prompt: none
+
+        # Optional: Override the callback URL if different from the default
+        # callbackUrl: https://backstage.example.com/api/auth/pingfederate/handler/frame
+
+        signIn:
+          resolvers:
+            - resolver: ldapUuidMatchingAnnotation
+```
+
+## Register the Provider
+
+Add the following to your `packages/backend/src/index.ts`:
+
+```typescript
+const backend = createBackend();
+backend.add(
+  import(
+    '@backstage-community/plugin-auth-backend-module-pingfederate-provider'
+  ),
+);
+```
+
+## Available Sign-In Resolvers
+
+You must configure at least one resolver in your `app-config.yaml`. Choose the resolver that matches your catalog setup and identity provider configuration.
+
+### PingFederate-Specific Resolvers
+
+- **`ldapUuidMatchingAnnotation`** - Matches an LDAP UUID claim to the `backstage.io/ldap-uuid` annotation
+
+  - Configuration options:
+    - `ldapUuidKey` (optional, default: `'ldap_uuid'`) - The claim name containing the LDAP UUID
+    - `dangerouslyAllowSignInWithoutUserInCatalog` (optional) - Allow sign-in even if user is not in catalog
+  - Validates that the UUID in userinfo matches the UUID in the ID token
+  - **Requires PingFederate LDAP UUID configuration** (see setup instructions below)
+
+- **`subClaimMatchingPingIdentityUserId`** - Matches the `sub` claim to the `pingidentity.org/id` annotation
+  - Configuration options:
+    - `dangerouslyAllowSignInWithoutUserInCatalog` (optional) - Allow sign-in even if user is not in catalog
+  - Best for PingOne catalog provider integration
+  - Validates that the `sub` claim in userinfo matches the `sub` in the ID token
+
+#### PingFederate Configuration for LDAP UUID Resolver
+
+The `ldapUuidMatchingAnnotation` resolver requires PingFederate to be configured to expose the LDAP UUID attribute. Follow these steps:
+
+**1. Configure Authentication Policy Contract**
+
+1. Create a contract named `rhdh-contract`
+2. Add Attribute Source: Link your LDAP Data Store to this contract
+3. Set Search Filter: Use `sAMAccountName=${username}` (or appropriate filter for your LDAP)
+4. Expose the LDAP UUID attribute under the Authentication Policy Contract Mapping
+5. For Active Directory, add the UUID field called `objectGUID` (note: UUID attribute name varies by LDAP vendor)
+6. Set Encoding type to `Hex` from the dropdown
+7. Enter search filter as needed (e.g., `sAMAccountName=${username}`)
+
+**2. Map UUID to Sub Claim**
+
+Under Contract Fulfillment, map `sub` to the objectGUID from LDAP:
+
+1. From Source dropdown, select `Expression`
+2. Enter the following OGNL expression to format the LDAP UUID as expected by Backstage:
+
+```java
+#GUID = #this.get("ds.<ldap-data-source-id>.objectGUID").toString(),
+#GUID.substring(6,8) + #GUID.substring(4,6) + #GUID.substring(2,4) + #GUID.substring(0,2) + "-" +
+#GUID.substring(10,12) + #GUID.substring(8,10) + "-" +
+#GUID.substring(14,16) + #GUID.substring(12,14) + "-" +
+#GUID.substring(16,20) + "-" + #GUID.substring(20,32)
+```
+
+Replace `<ldap-data-source-id>` with your actual LDAP data source ID.
+
+**3. Configure OAuth & OIDC Scopes**
+
+1. Navigate to **System > OAuth Scopes**
+2. Ensure `email` and `profile` are added as Common Scopes
+
+**4. Bridge Contract to OIDC Policy**
+
+Use the Access Token as a bridge to ensure the `sub` claim is delivered consistently:
+
+1. **Access Token Mapping**: Create a mapping from `rhdh-contract` to your Access Token Manager. Map the `sub` field from the contract to the token.
+2. **OIDC Policy Fulfillment**: In your OIDC Policy, fulfill the `sub` claim by selecting Access Token as the source and `sub` as the value.
+3. **Enable Delivery**: In the OIDC Policy Attribute Contract, ensure the ID Token and UserInfo checkboxes are selected for the `sub` claim.
+
+**5. (Optional) Expose UUID under `ldap_uuid` claim in UserInfo**
+
+If you want the UUID available under a custom `ldap_uuid` claim in UserInfo (instead of the default `sub` claim):
+
+1. Under **OIDC Policy Attribute Contract**:
+   - Extend the contract with `ldap_uuid` under Attribute Contract
+   - Under Contract Fulfillment, map `ldap_uuid` to the UUID value via Access Token
+
+Then configure your Backstage auth to use:
+
+```yaml
+signIn:
+  resolvers:
+    - resolver: ldapUuidMatchingAnnotation
+      ldapUuidKey: 'ldap_uuid' # Custom claim name
+```
+
+### Common Resolvers
+
+- **`emailLocalPartMatchingUserEntityName`** - Matches the local part of the email to the user entity name
+  - Configuration options:
+    - `allowedDomains` (optional) - Restrict sign-in to specific email domains
+    - `dangerouslyAllowSignInWithoutUserInCatalog` (optional) - Allow sign-in even if user is not in catalog
+- **`emailMatchingUserEntityProfileEmail`** - Matches the email to the user entity's email
+  - Configuration options:
+    - `dangerouslyAllowSignInWithoutUserInCatalog` (optional) - Allow sign-in even if user is not in catalog
+
+## Links
+
+- [Repository](https://github.com/backstage/community-plugins/tree/main/workspaces/pingidentity/plugins/auth-backend-module-pingfederate-provider)
+- [Backstage Project Homepage](https://backstage.io)

workspaces/pingidentity/plugins/auth-backend-module-pingfederate-provider/catalog-info.yaml

@@ -0,0 +1,10 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: backstage-community-plugin-auth-backend-module-pingfederate-provider
+  title: '@backstage-community/plugin-auth-backend-module-pingfederate-provider'
+  description: The PingFederate provider backend module for the auth plugin.
+spec:
+  lifecycle: experimental
+  type: backstage-backend-plugin-module
+  owner: maintainers

workspaces/pingidentity/plugins/auth-backend-module-pingfederate-provider/config.d.ts

@@ -0,0 +1,60 @@
+/*
+ * Copyright 2026 The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import { HumanDuration } from '@backstage/types';
+
+export interface Config {
+  auth?: {
+    providers?: {
+      /** @visibility frontend */
+      pingfederate?: {
+        [authEnv: string]: {
+          clientId: string;
+          /**
+           * @visibility secret
+           */
+          clientSecret: string;
+          baseUrl: string;
+          callbackUrl?: string;
+          additionalScopes?: string | string[];
+          prompt?: string;
+          signIn?: {
+            resolvers: Array<
+              | {
+                  resolver: 'emailLocalPartMatchingUserEntityName';
+                  allowedDomains?: string[];
+                  dangerouslyAllowSignInWithoutUserInCatalog?: boolean;
+                }
+              | {
+                  resolver: 'emailMatchingUserEntityProfileEmail';
+                  dangerouslyAllowSignInWithoutUserInCatalog?: boolean;
+                }
+              | {
+                  resolver: 'ldapUuidMatchingAnnotation';
+                  dangerouslyAllowSignInWithoutUserInCatalog?: boolean;
+                  ldapUuidKey?: string;
+                }
+              | {
+                  resolver: 'subClaimMatchingPingIdentityUserId';
+                  dangerouslyAllowSignInWithoutUserInCatalog?: boolean;
+                }
+            >;
+          };
+          sessionDuration?: HumanDuration | string;
+        };
+      };
+    };
+  };
+}

workspaces/pingidentity/plugins/auth-backend-module-pingfederate-provider/dev/index.ts

@@ -0,0 +1,24 @@
+/*
+ * Copyright 2023 The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import { createBackend } from '@backstage/backend-defaults';
+
+const backend = createBackend();
+
+backend.add(import('@backstage/plugin-auth-backend'));
+backend.add(import('../src'));
+
+backend.start();

workspaces/pingidentity/plugins/auth-backend-module-pingfederate-provider/knip-report.md

@@ -0,0 +1,8 @@
+# Knip report
+
+## Unused dependencies (1)
+
+| Name             | Location          | Severity |
+| :--------------- | :---------------- | :------- |
+| @backstage/types | package.json:36:6 | error    |
+

workspaces/pingidentity/plugins/auth-backend-module-pingfederate-provider/package.json

@@ -0,0 +1,56 @@
+{
+  "name": "@backstage-community/plugin-auth-backend-module-pingfederate-provider",
+  "description": "The PingFederate provider backend module for the auth plugin.",
+  "version": "0.0.0",
+  "main": "src/index.ts",
+  "types": "src/index.ts",
+  "license": "Apache-2.0",
+  "publishConfig": {
+    "access": "public",
+    "main": "dist/index.cjs.js",
+    "types": "dist/index.d.ts"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/backstage/community-plugins",
+    "directory": "workspaces/pingidentity/plugins/auth-backend-module-pingfederate-provider"
+  },
+  "backstage": {
+    "role": "backend-plugin-module",
+    "pluginId": "auth",
+    "pluginPackage": "@backstage/plugin-auth-backend"
+  },
+  "scripts": {
+    "start": "backstage-cli package start",
+    "build": "backstage-cli package build",
+    "lint": "backstage-cli package lint",
+    "test": "backstage-cli package test",
+    "clean": "backstage-cli package clean",
+    "prepack": "backstage-cli package prepack",
+    "tsc": "tsc"
+  },
+  "dependencies": {
+    "@backstage/backend-plugin-api": "^1.8.0",
+    "@backstage/config": "^1.3.6",
+    "@backstage/plugin-auth-node": "^0.7.0",
+    "@backstage/types": "^1.2.2",
+    "express": "^4.22.0",
+    "jose": "^5.0.0",
+    "openid-client": "^5.5.0",
+    "zod": "^3.25.76 || ^4.0.0"
+  },
+  "devDependencies": {
+    "@backstage/backend-defaults": "^0.16.0",
+    "@backstage/backend-test-utils": "^1.11.1",
+    "@backstage/cli": "^0.36.0",
+    "@backstage/plugin-auth-backend": "^0.27.3",
+    "@types/supertest": "^6.0.0",
+    "msw": "^1.3.1",
+    "supertest": "^7.0.0"
+  },
+  "files": [
+    "dist",
+    "config.d.ts"
+  ],
+  "configSchema": "config.d.ts"
+}