Ping Identity Solution Guides



Connecting PingFederate to PingAccess using the OIDC protocol

Published: February 22, 2019

Components

  • PingFederate (Version 9.1.4)

  • PingAccess (Version 5.1.2)

Note: This use case was developed with the specified product versions. With more recent product versions, the general workflow should apply although specific menu options and screens might differ.

Before you begin

  • Verify that PingFederate and PingAccess are installed and running.

  • Have an application that you want to protect by using PingAccess.

Follow these steps to authenticate between PingFederate and PingAccess using the OpenID Connect (OIDC) protocol.

Note: The following steps call out only those parts of your configuration that relate specifically to setting up the connection between the products through the OIDC protocol. They do not detail every possible variation of PingFederate and PingAccess interactions.
  1. Log in to your PingFederate administration console.
  2. In PingFederate, complete the following steps to connect OAuth 2.0 and OpenID Connect with PingAccess.
    1. Enable OAuth 2.0 and OpenID Connect as described in Enable the OAuth AS role. Go to Server Configuration > Server Settings > Roles & Protocols and select Enable OAuth 2.0 Authorization Server (AS) Role and OpenID Connect.
    2. Set up your IdP adapters for PingAccess. Detailed steps differ by deployment. For general instructions, see Manage IdP adapters.
    3. Configure scope values and scope descriptions for OAuth Authorization Server settings as described in Configure AS settings.

      Go to OAuth Server > Scope Management, add the following scope values and scope descriptions in the Common Scopes section, and click Save.

      Scope Value | Scope Description
      address | address
      email | email
      openid | openid
      phone | phone
      profile | profile
      Tip: In the Default Scopes section, add a default scope description that would be useful for your environment.
    4. Configure access token management for OAuth Authorization Server settings as described in Configure AS settings.

      Go to OAuth Server > Access Token Management > Create New Instance, provide the following values, and click Save on the Summary page.

      Table contains parameters and suggested values for the OAuth server access token management.
      Parameter | Value
      Instance Name | GeneralAccessToken
      Instance ID | GeneralAccessToken
      Type | Internally Managed Reference Tokens
      Instance Configuration | Accept the defaults.
      Session Validation | Accept the defaults.
      Access Token Attribute Contract | UserName
      Resource URIs | Accept the defaults.
      Access Control | Accept the defaults.
    5. Configure your OpenID Connect policy as described in Configure OpenID Connect policies. Go to OAuth Server > OpenID Connect Policy Management > Add Policy, provide the following values, and click Save.
      Parameter | Value
      Policy ID | OIDC
      Name | OIDC
      Access Token Manager | GeneralAccessToken
      Attribute Contract | Accept the defaults.
      Attribute Sources & Lookup | Accept the defaults.
      Contract Fulfillment, Attribute Contract | sub
      Contract Fulfillment, Source | Access Token
      Issuance Criteria | Accept the defaults.
    6. Configure a PingAccess Resource Server OAuth client as described in Configure an OAuth Client.

      Go to OAuth Server > Client Management > Add Client, provide the following values, and click Save.

      Parameter | Value
      Client ID | pa_rs
      Name | PingAccess Resource Server
      Client Secret | Generate a unique client secret and record it; you enter it later in PingAccess under Token Provider > OAuth Resource Server.
      Tip: Although you can manually enter a client secret, allowing PingFederate to generate the secret provides better security.
      Allowed Grant Types | Access Token Validation (Client is a Resource Server)
      All other parameters | Accept the defaults.
    7. Configure a PingAccess Web Management OAuth client as described in Configure an OAuth Client.

      Go to OAuth Server > Client Management > Add Client again, provide the following values, and click Save.

      Parameter | Value
      Client ID | pa_wam
      Name | PingAccess Web Management
      Client Authentication | Client Secret. Generate a separate secret for this client and record it; you enter it later in the PingAccess web session. Do not reuse the pa_rs secret: the two clients have different roles (token validation versus end-user login) and should not share a credential.
      Redirection URI | https://<PA_HOST>:<PA_USER_PORT>/pa/oidc/cb
      Bypass Authorization Approval | Bypass (selected)
      Allowed Grant Types | Authorization Code
      All other parameters | Accept the defaults.
    8. Verify all client settings and click Save on the Client Management page.
    9. Configure your IdP adapters to work with OAuth as described in Manage IdP adapter grant mapping.

      Go to OAuth Server > IdP Adapter Mapping, provide the following values, and click Save on the Summary page.

      Parameter | Value
      Source Adapter Instance | Select the HTML Form adapter or adapters that you want to use for PingAccess.
      Attribute Sources & User Lookup | For each adapter, accept the defaults.
      Contract Fulfillment | For each adapter, select the adapter as your source and set your unique identifiers for USER_KEY and USER_NAME.
      Issuance Criteria | Accept the defaults.
    10. Map your access tokens for OAuth as described in Manage access token mappings.

      Go to OAuth Server > Access Token Mapping, select Context: Default and Access Token Manager: GeneralAccessToken, and click Add Mapping.

      Parameter | Value
      Attribute Sources & User Lookup | Accept the defaults.
      Contract Fulfillment | For UserName, select Persistent Grant as your source and set the value to USER_KEY.
      Issuance Criteria | Accept the defaults.
      Tip: When you have completed these settings, verify them on the Summary page and click Save.
    11. Export the SSL certificate to use for connecting securely with PingAccess as described in Manage SSL server certificates.
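    Before moving on to PingAccess, it is worth confirming that PingFederate now advertises what the rest of this guide relies on: the five scopes added under Scope Management, the authorization code flow used by the pa_wam client, and https-only endpoints. PingFederate publishes this in its OpenID Connect discovery document. The following script is an added example, not part of the Ping Identity guide; the PingFederate host name, port, CA file and the sample discovery document are constructed assumptions for illustration.

```python
"""Check a PingFederate OpenID Connect discovery document against the
configuration made in the PingFederate steps above.

Added example, not Ping Identity code. Host, port, CA file and SAMPLE_DOC
are assumptions for illustration."""
import json
import ssl
import urllib.request
from urllib.parse import urlparse

# Scopes added under OAuth Server > Scope Management (Common Scopes).
EXPECTED_SCOPES = {"openid", "profile", "email", "address", "phone"}


def fetch_discovery(pf_host, pf_port, ca_file):
    """Fetch /.well-known/openid-configuration from PingFederate, trusting
    only the exported PingFederate certificate (or its issuing CA), which
    is the same trust decision PingAccess makes via its trusted certificate
    group. Not exercised offline."""
    ctx = ssl.create_default_context(cafile=ca_file)
    url = f"https://{pf_host}:{pf_port}/.well-known/openid-configuration"
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return json.load(resp)


def check_discovery(doc, expected_host):
    """Return a list of problems found in the discovery document; an empty
    list means the AS advertises what the PingAccess web session
    (authorization code flow) and resource server need."""
    problems = []

    issuer = doc.get("issuer", "")
    parsed = urlparse(issuer)
    if parsed.scheme != "https" or parsed.hostname != expected_host:
        problems.append(f"issuer {issuer!r} is not an https URL on {expected_host}")

    missing = EXPECTED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))

    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' not advertised")

    # grant_types_supported is optional in OIDC Discovery; when absent the
    # spec default is authorization_code and implicit.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("authorization_code grant not advertised")

    for endpoint in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(endpoint, "")
        if not value.startswith("https://"):
            problems.append(f"{endpoint} missing or not https: {value!r}")

    return problems


# Constructed sample of what a correctly configured AS would return.
SAMPLE_DOC = {
    "issuer": "https://pf.example.com:9031",
    "authorization_endpoint": "https://pf.example.com:9031/as/authorization.oauth2",
    "token_endpoint": "https://pf.example.com:9031/as/token.oauth2",
    "jwks_uri": "https://pf.example.com:9031/pf/JWKS",
    "scopes_supported": ["address", "email", "openid", "phone", "profile"],
    "response_types_supported": ["code", "token", "id_token"],
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
}

if __name__ == "__main__":
    # Replace SAMPLE_DOC with fetch_discovery("pf.example.com", 9031, "pf.crt")
    # to check a live server.
    for problem in check_discovery(SAMPLE_DOC, "pf.example.com") or ["OK"]:
        print(problem)
```

    The check is deliberately strict about https: the Secure = Yes settings you make in PingAccess in the next section only help if every endpoint the web session and resource server call is TLS-protected.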
  3. Log in to your PingAccess admin console to configure PingAccess to protect a web application.
    1. Add your PingFederate server certificate under Trusted Certificate Groups as described in Import certificates and create a trusted certificate group.
    2. Configure PingFederate runtime settings as described in Configure the token provider.

      Go to Settings > System > Token Provider > Runtime and provide the following values.

      Parameter | Value
      Host | Provide your PingFederate host name.
      Port | Provide your PingFederate port number.
      Secure | Yes
      Trusted Certificate Group | Select the group to which you added your PingFederate certificate.
      All other parameters | Accept the defaults.
    3. Configure PingFederate administration settings as described in Configure the token provider.

      Go to Settings > System > Token Provider > Administration and provide the following values. Use a dedicated PingFederate administrative account for this integration rather than a personal login, so that the credential can be rotated independently.

      Parameter | Value
      Host | Provide your PingFederate host name.
      Port | Provide your PingFederate port number.
      Admin Username | Provide the login name for your PingFederate administrator.
      Admin Password | Provide the password for your PingFederate administrator.
      Secure | Yes
      Trusted Certificate Group | Select the group to which you added your PingFederate certificate.
      All other parameters | Accept the defaults.
    4. Configure PingFederate OAuth server settings as described in Configure the token provider.

      Go to Settings > System > Token Provider > OAuth Resource Server and provide the following values.

      Parameter | Value
      Client ID | pa_rs
      Client Secret | Provide the client secret you generated for the pa_rs client.
      Subject Attribute Name | UserName
      All other parameters | Accept the defaults.
    5. Go to Main > Sites > Sites to add a site for PingAccess to protect. Detailed steps differ by deployment. For general instructions, see Create a site.
    6. Add an identity mapping for your site as described in Create a new identity mapping.

      Go to Settings > Access > Identity Mappings > Add Identity Mapping and provide the following values.

      Parameter | Value
      Name | Provide a name for the identity mapping.
      Type | Choose Header Identity Mapping, and map the sub attribute to a header named X-USER. PingAccess sets this header on every request it forwards to the site; the application reads it to learn who authenticated.
      All other parameters | Accept the defaults.
    7. Add a web session for your site as described in Create a Web Session.

      Go to Settings > Access > Web Sessions > Add Web Session and provide the following values.

      Parameter | Value
      Name | Provide a name for your web session.
      Cookie Type | Encrypted JWT
      Audience | global
      OpenID Connect Login Type | Code
      Client ID | pa_wam
      Client Secret | Provide the client secret you generated for the pa_wam client.
      All other parameters | Accept the defaults.
    8. Add an application to protect within the site as described in Add an application. Go to Main > Applications > Add Application and add your application and resources as needed.
      Tip: Enable your application at the bottom of the page.
  4. In a web browser, test your application. Access your application behind PingAccess (for example, https://localhost:3000/APP_NAME, where 3000 is the PingAccess engine port). You should be redirected to PingFederate to authenticate, and after authenticating you should be able to access the application.
  5. Add header printing to your application to verify that your application has access to the data that PingAccess is sending (in particular the X-USER header from the identity mapping).

    Detailed steps differ by application and programming language. The following references illustrate header printing for the specified programming languages.

    Language | Sample Header Code
    Java | http://www.java2s.com/Tutorial/Java/0360__JSP/PrintoutHTTPRequestHeaders.htm
    C# | https://msdn.microsoft.com/en-us/library/system.net.httpwebresponse.getresponseheader(v=vs.110).aspx (this reference reads response headers on an HTTP client; for the headers of an incoming request in ASP.NET, read HttpRequest.Headers instead)
    PHP | http://php.net/manual/en/function.headers-list.php
    Drupal | https://api.drupal.org/api/drupal/includes%21bootstrap.inc/function/drupal_get_http_header/7.x
    
  6. Remove any local login from your application because your application is now behind PingAccess. Detailed steps differ by application and programming language.
  7. Configure your application to use headers for login. Detailed steps differ by application and programming language. Because the application now trusts the X-USER header as proof of authentication, make sure it cannot be reached except through PingAccess (for example, by firewall or network rules on the site host); a client that can reach the application directly could otherwise supply its own X-USER value.
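The last three steps are what the protected application itself has to do. The following minimal WSGI application is an added example, not part of the Ping Identity guide or of any Ping product: it prints the request headers PingAccess forwards (step 5), derives the login identity from the X-USER header set by the header identity mapping (step 7), and refuses to trust that header unless the request came from a PingAccess engine. The engine address, listening port and the sample requests are constructed assumptions.

```python
"""Minimal backend for an application behind PingAccess.

Added example, not Ping Identity code. TRUSTED_PROXIES, the listening port
and the sample requests in the test are assumptions for illustration."""
from wsgiref.simple_server import make_server

# Addresses PingAccess engines connect from. Any other source could forge
# X-USER, so requests from elsewhere are refused outright.
TRUSTED_PROXIES = {"127.0.0.1"}

# Header name chosen in the PingAccess header identity mapping (sub -> X-USER).
IDENTITY_HEADER = "X-USER"


def request_headers(environ):
    """Map WSGI HTTP_* keys back to header names, e.g. HTTP_X_USER -> X-USER."""
    headers = {}
    for key, value in environ.items():
        if key.startswith("HTTP_"):
            headers[key[5:].replace("_", "-")] = value
    return headers


def login_user(environ):
    """Return the identity PingAccess asserted for this request, or None if
    the request did not arrive from a trusted engine or carries no X-USER."""
    if environ.get("REMOTE_ADDR") not in TRUSTED_PROXIES:
        return None
    user = request_headers(environ).get(IDENTITY_HEADER, "").strip()
    return user or None


def app(environ, start_response):
    """WSGI entry point: 403 unless the request is trusted, otherwise echo
    the asserted user and every forwarded header (the step 5 check)."""
    user = login_user(environ)
    if user is None:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"direct access or missing identity header\n"]

    lines = [f"Logged in as: {user}", "Request headers as forwarded by PingAccess:"]
    for name, value in sorted(request_headers(environ).items()):
        lines.append(f"  {name}: {value}")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return ["\n".join(lines).encode() + b"\n"]


if __name__ == "__main__":
    # Assumed backend port; the PingAccess site points at this host:port.
    make_server("127.0.0.1", 8080, app).serve_forever()
```

The REMOTE_ADDR allowlist is the simplest way to ensure only PingAccess can assert an identity; network isolation of the site host, or mutual TLS between PingAccess and the site, gives the same guarantee with less reliance on address checks.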