PingAccess

Configuring a proxied PingFederate runtime

About this task

Configure a secure connection to the proxied PingFederate runtime in PingAccess:

Steps

  1. Click Settings and then go to System > Token Provider > PingFederate > Runtime.

  2. Click Proxied Token Provider (PingFederate Runtime Application).

  3. In the Primary Virtual Host field, enter the virtual host to use for the PingFederate application.

    If you haven’t created the virtual host, click Create. For more information, see Creating new virtual hosts.

    This virtual host is used by default for front-channel redirects to the PingFederate token provider when an application-specific OpenID Connect (OIDC) issuer isn’t defined.

  4. Optional: In the Additional Virtual Hosts field, enter one or more virtual hosts that can be used for the PingFederate application.

    If you haven’t created the virtual host, click Create. For more information, see Creating new virtual hosts.

  5. In the Targets field, enter a hostname:port pair used to access the PingFederate runtime servers.

    Click Add Target to add additional Targets fields.

  6. In the Secure section, click Yes if the PingFederate runtime expects HTTPS connections.

  7. In the Trusted Certificate Group list, select the certificate group the PingFederate certificate is in.

    This field is available only if you select Yes in step 6.

  8. In the Availability Profile list, select the availability profile that the PingFederate runtime should use.

    To create a new availability profile, click Create.

  9. To record requests to PingFederate to the audit store, select the Audit check box.

    This check box is selected by default.

  10. Optional: To configure advanced settings, click Show Advanced.

    Option Description

    Context Root

    Enter the first part of the URL path for the PingFederate application and its resources.

    The context root must begin with a slash. It can contain additional slashes, but cannot end with one. It must match the path defined by the base URL in PingFederate.

    Case Sensitive

    Select this check box to make the context root and resource path matching case sensitive.

    Client Certificate Header Name

    In this section, click Add Client Certificate Header Name and enter one or more header names to which PingAccess should map client certificates found in the request.

    The position of the header name in the list correlates to the index in the client certificate chain, with the first header mapped to the leaf certificate.

    Policy

    In this section, add one or more rules, rule sets, or rule set groups to run when making requests to the PingFederate runtime.

    • Click Rules, Rule Sets, or Rule Set Groups, then drag one or more selections from the Available column to the Selected Policy column.

      Valid rule types are Groovy script, cross-origin request, and rewrite rules.

    • Create new rules, rule sets, or rule set groups by clicking Create Rule, Create Rule Set, or Create Rule Set Group.

    Load Balancing Strategy

    In this list, select a load balancing strategy to use for requests to the PingFederate runtime.

    If you specify multiple target servers for a proxied PingFederate runtime but don’t apply a load balancing strategy, PingAccess uses the first target server in the list until it fails. Secondary target servers are used only if the first target server is not available.

    PingAccess uses the Failed Retry Timeout from the runtime’s availability profile settings to determine when to mark the first target server as available again.

    Expected Certificate Hostname

    Enter the host name expected in the certificate.

    If this field isn’t specified, certificates are verified using the target host names.

    Skip Hostname Verification

    Click to stop the backchannel servers from performing host name verification of the certificate. The certificate chain is still validated against the trusted certificate group, but with host name verification skipped any certificate that chains to a trusted CA is accepted for any target, so a holder of such a certificate could impersonate the PingFederate runtime. Leave this cleared outside of test environments; if the certificate name differs from the target host name, use Expected Certificate Hostname instead.

    Use Proxy

    Click to make backchannel requests to PingFederate use the proxy configured on the PingAccess nodes.

    Use Single-Logout

    Click to enable single logout if it’s configured for the OpenID Provider (OP).

  11. Click Save.

    Saving a new PingFederate runtime configuration overwrites any existing PingFederate runtime configuration.
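The steps above describe the runtime definition in terms of console fields. The following Python is an added example, not PingAccess code, that encodes the rules the procedure states (the Context Root format, hostname:port targets, the order in which client certificate header names map to the certificate chain), the failover behaviour used when no load balancing strategy is set together with the Failed Retry Timeout, and the distinction between Skip Hostname Verification and chain validation on the backchannel. The function names, the ManualClock helper, the preflight connection routine and the treatment of a bare "/" as a valid context root are illustrative assumptions, not documented PingAccess behaviour.

```python
"""Pre-flight checks for a proxied PingFederate runtime definition.

Illustrative example, not PingAccess code. The rules encoded here are the ones
stated in the configuration procedure; anything beyond them is an assumption.
"""
from __future__ import annotations

import socket
import ssl
import time


def validate_context_root(context_root: str) -> str:
    """Context Root rules: begins with '/', may contain more slashes, must not
    end with one. A bare '/' is accepted as the root path (assumption)."""
    if not context_root.startswith("/"):
        raise ValueError("context root must begin with a slash")
    if len(context_root) > 1 and context_root.endswith("/"):
        raise ValueError("context root must not end with a slash")
    return context_root


def parse_target(target: str) -> tuple[str, int]:
    """Parse a 'hostname:port' Targets entry into (host, port)."""
    host, sep, port_text = target.rpartition(":")
    if not sep or not host or not port_text.isdigit():
        raise ValueError(f"target must be hostname:port, got {target!r}")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {target!r}")
    return host, port


def map_client_cert_headers(header_names: list[str], chain: list[str]) -> dict[str, str]:
    """Header i carries chain[i]; the first header name gets the leaf certificate.
    Header names beyond the length of the chain are left unset."""
    return {name: chain[i] for i, name in enumerate(header_names) if i < len(chain)}


def backchannel_tls_context(cafile: str | None = None,
                            skip_hostname_verification: bool = False) -> ssl.SSLContext:
    """TLS settings for the backchannel when Secure = Yes. Skipping host name
    verification only disables the name check; the chain is still validated
    against the trusted group (cafile), so verify_mode is never CERT_NONE."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = not skip_hostname_verification
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def preflight(target: str, ctx: ssl.SSLContext, expected_hostname: str | None = None,
              timeout: float = 5.0) -> str:
    """Mirror the connection test PingAccess runs on save: connect to the target
    and verify the certificate against Expected Certificate Hostname, or the
    target host name if none is set. Network call; not exercised offline."""
    host, port = parse_target(target)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=expected_hostname or host) as tls:
            return tls.version() or "unknown"


class ManualClock:
    """Clock stand-in (assumption) so failover timing can be exercised without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class FailoverTargets:
    """No load balancing strategy: use the first target until it fails, then the
    next available one; a failed target is tried again once Failed Retry Timeout
    seconds have elapsed since it was marked failed."""

    def __init__(self, targets: list[str], failed_retry_timeout: float, clock=time.monotonic) -> None:
        self.targets = [parse_target(t) for t in targets]
        self.failed_retry_timeout = failed_retry_timeout
        self.clock = clock
        self.failed_at: dict[tuple[str, int], float] = {}

    def pick(self) -> tuple[str, int]:
        now = self.clock()
        for target in self.targets:
            failed = self.failed_at.get(target)
            if failed is None or now - failed >= self.failed_retry_timeout:
                return target
        raise RuntimeError("no PingFederate runtime target is available")

    def mark_failed(self, target: tuple[str, int]) -> None:
        self.failed_at[target] = self.clock()

    def mark_healthy(self, target: tuple[str, int]) -> None:
        self.failed_at.pop(target, None)
```

Run the validators against the values you intend to enter before saving; a rejected context root or target is cheaper to catch here than as a failed save-time connection test. The TLS context helper makes the security trade-off explicit: even with hostname verification skipped, chain validation against the trusted certificate group remains required.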

Result

After you save the PingFederate runtime connection, PingAccess tests the connection to PingFederate. If the connection can’t be made, a warning displays in the admin console, and the PingFederate runtime won’t save.

Next steps

After you save this configuration and perform the steps in Configuring OAuth resource servers, a PingFederate access validator is available for selection when you define OAuth-type rules in the policy manager.

After you configure the token provider, click View Metadata to display the metadata provided by the token provider. To update the metadata, click Refresh Metadata.