Configuring certificate authentication
You can configure certificate authentication between your application and PingFederate.
Steps
- Check that the client certificate issuer is a trusted root certificate authority (CA) in PingFederate. If it is not, add the intermediate and root CA certificates.
  Learn more in Managing trusted certificate authorities in the PingFederate documentation.
- In PingFederate, export your signing certificate.
  - On the PingFederate admin console, go to Security → Signing & Decryption Keys & Certificates.
  - For the certificate that you want to use, in the Action column, click Export.
  - On the Export Certificate screen, click Next.
  - On the Export & Summary screen, click Export.
  - Open the *.crt file in a text editor.
- Import your PingFederate signing certificate into your application.
  If your certificate and private key are in a PKCS #12 (.p12) file, you can use OpenSSL to convert them to PEM format. Use one of the following commands.
  PEM certificate only:
  openssl pkcs12 -in <certname>.p12 -passin pass:<password> -nokeys -out <certname>.cert.pem
  PEM key only:
  openssl pkcs12 -in <certname>.p12 -passin pass:<password> -nocerts -out <certname>.key.pem
  PEM certificate and key:
  openssl pkcs12 -in <certname>.p12 -passin pass:<password> -out <certname>.certandkey.pem
  The key-only and certificate-and-key commands prompt for a passphrase with which to encrypt the exported private key; to run them non-interactively, add -passout pass:<keypassword>. Your application then needs that passphrase to use the key.
- If you have already configured a Reference ID Adapter instance, update it by setting the Allowed Subject DN field, the Allowed Issuer DN field, or both to match the client certificate.
- Configure a second port for PingFederate to receive back-channel calls.
  - Stop PingFederate.
  - Open the <pf_install>/pingfederate/bin/run.properties file for editing.
  - Change the value of the pf.secondary.https.port property to a valid port number, such as 9032.
    You can find information about this property in Configuring PingFederate properties in the PingFederate documentation.
  - Save the file.
  - Start PingFederate.
- Configure your application to send requests to the Reference ID Adapter endpoints using the back-channel port:
  POST https://pf.example.com:9032/ext/ref/dropoff HTTP/1.1
  Content-Length: 20
  Content-Type: application/json
  ping.instanceId: sample_adapter

  {"subject":"jsmith"}
- Configure your application to send the client certificate with the request.
  Learn more about exporting your PingFederate certificate in Manage SSL server certificates in the PingFederate documentation.
  The following code uses PHP to send the client certificate:

  <?php
  // Client certificate and encrypted private key in PEM format (converted from the exported .p12 file).
  $client_cert = dirname(__FILE__).'/sample_cert.cert.pem';
  $client_key = dirname(__FILE__).'/sample_cert.key.pem';
  $client_key_password = 'sample_key_password';

  // Reference ID Adapter instance and drop-off endpoint on the back-channel port.
  $adapter_instance_id = 'sample_adapter';
  $dropoff_loc = 'https://pf.example.com:9032/ext/ref/dropoff';
  $http_headers[] = 'ping.instanceId: '.$adapter_instance_id;

  // PHP can use curl to make the HTTP calls to the drop-off and pickup endpoints.
  $crl = curl_init();
  // Dropoff URL
  curl_setopt($crl, CURLOPT_URL, $dropoff_loc);
  // Present the client certificate and its key during the TLS handshake.
  curl_setopt($crl, CURLOPT_SSLCERT, $client_cert);
  curl_setopt($crl, CURLOPT_SSLKEYTYPE, 'PEM');
  curl_setopt($crl, CURLOPT_SSLKEY, $client_key);
  curl_setopt($crl, CURLOPT_SSLKEYPASSWD, $client_key_password);
  // ... (remaining curl options omitted)
  $result = curl_exec($crl);
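The certificate-handling steps above (trusting the issuing CA, converting the PKCS #12 file to PEM, and matching the Allowed Subject DN and Allowed Issuer DN fields) can be rehearsed end to end without a PingFederate instance. The following script is an added example, not part of the PingFederate documentation: it builds a throwaway test CA and client certificate, bundles them as a .p12 file of the same shape an export with private key produces, runs this page's three openssl pkcs12 conversions on it, and then prints the subject and issuer DNs that the adapter fields must match and verifies the chain the way PingFederate's trust check will. The CA name (Example Test CA), the client CN (app.example.com), the passwords, the file names and the working directory are all assumptions; -passout is added to the key-producing conversions so they run non-interactively.

```shell
#!/bin/sh
# Added example (not PingFederate's own code): exercise the PKCS #12 -> PEM
# conversions from this page against a constructed test PKI and check the DNs
# the Reference ID Adapter's Allowed Subject DN / Allowed Issuer DN must match.
# All names, passwords and paths below are assumptions for illustration.
set -e

WORK="${WORK:-$(mktemp -d)}"
P12_PASS='sample_p12_password'    # assumed password protecting the .p12 file
KEY_PASS='sample_key_password'    # assumed passphrase for the exported PEM key

# 1. Constructed test PKI: a self-signed root CA and a client certificate it issues.
#    In a real deployment the CA is the one that must be trusted in PingFederate.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj '/CN=Example Test CA' \
    -keyout "$WORK/ca.key.pem" -out "$WORK/ca.cert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj '/CN=app.example.com' \
    -keyout "$WORK/client.key.pem" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$WORK/client.csr" \
    -CA "$WORK/ca.cert.pem" -CAkey "$WORK/ca.key.pem" -CAcreateserial \
    -out "$WORK/client.cert.pem" 2>/dev/null
  # Bundle certificate and key as PKCS #12, the format an export with private key yields.
  openssl pkcs12 -export -in "$WORK/client.cert.pem" -inkey "$WORK/client.key.pem" \
    -out "$WORK/sample_cert.p12" -passout "pass:$P12_PASS"
}

# 2. The three conversions from this page. -passout is added so the private key
#    is written (still encrypted) without an interactive passphrase prompt.
convert_p12_to_pem() {
  p12="$WORK/sample_cert.p12"
  # PEM certificate only
  openssl pkcs12 -in "$p12" -passin "pass:$P12_PASS" -nokeys \
    -out "$WORK/sample_cert.cert.pem"
  # PEM key only
  openssl pkcs12 -in "$p12" -passin "pass:$P12_PASS" -nocerts \
    -passout "pass:$KEY_PASS" -out "$WORK/sample_cert.key.pem"
  # PEM certificate and key
  openssl pkcs12 -in "$p12" -passin "pass:$P12_PASS" \
    -passout "pass:$KEY_PASS" -out "$WORK/sample_cert.certandkey.pem"
}

# 3. The DNs the adapter compares against. RFC 2253 formatting gives a stable,
#    comma-separated string; the default openssl output format varies by version.
client_subject_dn() {
  openssl x509 -in "$WORK/sample_cert.cert.pem" -noout -subject -nameopt RFC2253 |
    sed 's/^subject= *//'
}
client_issuer_dn() {
  openssl x509 -in "$WORK/sample_cert.cert.pem" -noout -issuer -nameopt RFC2253 |
    sed 's/^issuer= *//'
}

# 4. Local equivalent of the trust check in step 1: the client certificate must
#    chain to a CA in the trust store. Exit status 0 means the chain verifies.
client_chains_to_ca() {
  openssl verify -CAfile "$WORK/ca.cert.pem" "$WORK/sample_cert.cert.pem" >/dev/null 2>&1
}

# 5. The converted key is encrypted: it opens with KEY_PASS (what the PHP client
#    passes via CURLOPT_SSLKEYPASSWD) and refuses a wrong passphrase.
key_password_is_required() {
  ! openssl pkey -in "$WORK/sample_cert.key.pem" -passin 'pass:wrong' -noout 2>/dev/null &&
  openssl pkey -in "$WORK/sample_cert.key.pem" -passin "pass:$KEY_PASS" -noout 2>/dev/null
}

make_test_pki
convert_p12_to_pem
echo "working directory: $WORK"
echo "Allowed Subject DN should be: $(client_subject_dn)"
echo "Allowed Issuer DN should be:  $(client_issuer_dn)"
client_chains_to_ca && echo "client certificate chains to the test CA"
key_password_is_required && echo "private key is encrypted and opens with KEY_PASS"
```

The script leaves its files in $WORK (a fresh temporary directory unless you set WORK yourself) so that sample_cert.cert.pem and sample_cert.key.pem can be dropped straight into the PHP client above for a test against a PingFederate instance that trusts ca.cert.pem.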