Agentless Integration Kit

Configuring certificate authentication

You can configure certificate authentication between your application and PingFederate.

Steps

  1. Check that the client certificate issuer is a trusted root certificate authority (CA) in PingFederate. If not, add the intermediate and root CA certificates.

    For help, see Managing trusted certificate authorities in the PingFederate documentation.

  2. In PingFederate, export your signing certificate.

    1. On the PingFederate admin console, go to Security → Signing & Decryption Keys & Certificates.

    2. For the certificate that you want to use, in the Action column, click Export.

    3. On the Export Certificate screen, click Next.

    4. On the Export & Summary screen, click Export.

    5. Open the *.crt file in a text editor.

  3. Import your PingFederate signing certificate into your application.

    You can use OpenSSL to convert the PKCS12 certificate and key to PEM format. Use one of the following commands.

    PEM certificate only
     openssl pkcs12 -in <certname>.p12 -passin pass:<password> -nokeys -out <certname>.cert.pem
    PEM key only
     openssl pkcs12 -in <certname>.p12 -passin pass:<password> -nocerts -out <certname>.key.pem
    PEM certificate and key
     openssl pkcs12 -in <certname>.p12 -passin pass:<password> -out <certname>.certandkey.pem
  4. If you have already configured a Reference ID Adapter instance, update it by setting the Allowed Subject DN field, the Allowed Issuer DN field, or both to match the client certificate.

  5. Configure a second port for PingFederate to receive back-channel calls.

    1. Stop PingFederate.

    2. Open the <pf_install>/pingfederate/bin/run.properties file for editing.

    3. Change the value of the pf.secondary.https.port property to a valid port number, such as 9032.

      For information about this property, see Configuring PingFederate properties in the PingFederate documentation.

    4. Save the file.

    5. Start PingFederate.

  6. Configure your application to send requests to the Reference ID Adapter endpoints using the back-channel port:

    POST https://pf.example.com:9032/ext/ref/dropoff HTTP/1.1
    Content-Length: 20
    Content-Type: application/json
    ping.instanceId: sample_adapter
    
    {"subject":"jsmith"}
  7. Configure your application to send the client certificate with the request.

    For help exporting your PingFederate certificate, see Manage SSL server certificates in the PingFederate documentation.

    The following code uses PHP to send the client certificate:

    // Client certificate and key exported from PingFederate, converted to PEM
    $client_cert = dirname(__FILE__).'/sample_cert.cert.pem';
    $client_key = dirname(__FILE__).'/sample_cert.key.pem';
    $client_key_password = 'sample_key_password';
    // $adapter_instance_id and $dropoff_loc are set elsewhere in the application (not shown)
    $http_headers[] = 'ping.instanceId: '.$adapter_instance_id;
    
    // PHP can use curl to make the HTTP calls to the drop-off and pickup endpoints
    $crl = curl_init();
    
    // Dropoff URL on the back-channel port
    curl_setopt($crl, CURLOPT_URL, $dropoff_loc);
    // Present the client certificate and its key during the TLS handshake
    curl_setopt($crl, CURLOPT_SSLCERT, $client_cert);
    curl_setopt($crl, CURLOPT_SSLKEYTYPE, 'PEM');
    curl_setopt($crl, CURLOPT_SSLKEY, $client_key);
    curl_setopt($crl, CURLOPT_SSLKEYPASSWD, $client_key_password);
    ...
    $result = curl_exec($crl);
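The following shell script is an added example; it is not part of the PingFederate documentation or the Agentless Integration Kit. It walks steps 3, 6 and 7 from the command line: it builds a constructed PKCS12 bundle standing in for the exported signing certificate, splits it into the PEM certificate and PEM key with the openssl commands from step 3, checks that the key and certificate belong together, and then sends the drop-off request with the client certificate using the curl flags that correspond to the CURLOPT_* options in the PHP sample. It assumes openssl and curl are on PATH; the host, port, adapter instance ID, file names and password are the page's placeholders (pf.example.com:9032, sample_adapter, sample_cert, sample_key_password), and the CA file passed to curl is assumed to be the PingFederate SSL server certificate exported as PEM.

```shell
#!/bin/sh
# Added example, not from the PingFederate documentation.
# Assumes: openssl and curl on PATH. All names below are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY_PASS="${KEY_PASS:-sample_key_password}"   # placeholder, as in the PHP sample
DRY_RUN="${DRY_RUN:-0}"                       # 1 = print the curl command instead of running it

# Constructed test material: a self-signed client certificate packed into a
# PKCS12 bundle. In real use this is the bundle exported from PingFederate.
make_test_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample-client" \
        -keyout "$WORK/test.key" -out "$WORK/test.crt" 2>/dev/null
    openssl pkcs12 -export -name sample_cert -inkey "$WORK/test.key" -in "$WORK/test.crt" \
        -passout "pass:$KEY_PASS" -out "$WORK/sample_cert.p12"
}

# Step 3: PEM certificate and PEM key from the bundle.
# -passout keeps the exported key encrypted with KEY_PASS (the password the
# application later hands to curl). Without -passout or -nodes, openssl prompts
# for a PEM pass phrase, which hangs a non-interactive build.
pkcs12_to_pem() {   # <bundle.p12> <output prefix>
    openssl pkcs12 -in "$1" -passin "pass:$KEY_PASS" -nokeys -out "$2.cert.pem"
    openssl pkcs12 -in "$1" -passin "pass:$KEY_PASS" -nocerts \
        -passout "pass:$KEY_PASS" -out "$2.key.pem"
}

# Check before deploying: the public key inside the certificate must equal the
# public key derived from the private key, otherwise the TLS handshake fails.
key_matches_cert() {   # <cert.pem> <key.pem>
    a=$(openssl x509 -in "$1" -noout -pubkey)
    b=$(openssl pkey -in "$2" -passin "pass:$KEY_PASS" -pubout)
    [ "$a" = "$b" ]
}

# Steps 6 and 7: the drop-off call on the back-channel port with the client
# certificate presented. --cert/--key/--pass are the CLI counterparts of
# CURLOPT_SSLCERT/CURLOPT_SSLKEY/CURLOPT_SSLKEYPASSWD; --cacert pins the
# PingFederate SSL server certificate so the application verifies the server.
dropoff_request() {   # <dropoff url> <adapter instance id> <cert.pem> <key.pem> <ca.pem> <subject>
    url="$1"; instance="$2"; cert="$3"; key="$4"; ca="$5"; subject="$6"
    # The subject is interpolated into JSON: refuse anything that could break out of the string.
    case "$subject" in
        *[\"\\]*) echo "refusing subject with JSON metacharacters" >&2; return 1 ;;
    esac
    set -- curl --silent --show-error --fail \
        --cacert "$ca" --cert "$cert" --key "$key" --pass "$KEY_PASS" \
        -H 'Content-Type: application/json' -H "ping.instanceId: $instance" \
        --data "{\"subject\":\"$subject\"}" "$url"
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$@"; else "$@"; fi
}

# Stand-alone demo: build the bundle, convert it, verify it, show the request.
make_test_bundle
pkcs12_to_pem "$WORK/sample_cert.p12" "$WORK/sample_cert"
key_matches_cert "$WORK/sample_cert.cert.pem" "$WORK/sample_cert.key.pem" && echo "key and certificate match"
DRY_RUN=1
dropoff_request "https://pf.example.com:9032/ext/ref/dropoff" sample_adapter \
    "$WORK/sample_cert.cert.pem" "$WORK/sample_cert.key.pem" "$WORK/test.crt" jsmith
```

With DRY_RUN left at 0 and a real PingFederate host, the last call performs the request; curl computes Content-Length itself, so the body does not have to be sized by hand as in the raw HTTP sample. Two details worth keeping in mind: the page's `-nocerts` command writes the key without `-passout`, so interactive openssl asks for a PEM pass phrase at that point, and whatever you choose there must be the value given to CURLOPT_SSLKEYPASSWD; and the PHP sample sets no CA bundle, so the application relies on the system trust store to verify the PingFederate SSL server certificate unless you add the exported certificate as shown with `--cacert`.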