PingAccess

Configuring PingFederate for PingAccess SSO

Configure PingFederate to enable administrator single sign-on (SSO) for PingAccess.

Before you begin

You must do one of the following:

About this task

To enable administrator SSO to PingAccess, configure the following settings within the PingFederate OAuth authorization server (OAuth AS).

This document doesn’t cover all the required steps for each PingFederate OAuth settings page, only the fields that are necessary for successful SSO to the PingAccess administrative console.

For more detailed configuration information on the PingFederate OAuth settings pages, see Using OAuth Menu Selections.

Steps

  1. In PingFederate, go to System → Server → Protocol Settings → Roles and Protocols and configure the following roles and protocols:

    1. Select the OAuth 2.0 AS federation role and the OpenID Connect (OIDC) protocol as described in step 2 of Choosing roles and protocols.

    2. Select the IdP Provider federation role and a corresponding protocol as described in step 2 of Choosing roles and protocols.

  2. Create a Password Credential Validator (PCV) to authenticate administrative users.

  3. On the IdP Adapters page, create an HTML Form IdP Adapter and specify the PCV that you configured in step 2 of this procedure.

    For more information, see Configuring an HTML Form Adapter instance.

  4. On the Authorization Server Settings page, select the Implicit check box in the Reuse Existing Persistent Access Grants for Grant Types section.

    For more information, see Configuring authorization server settings.

  5. Configure access token management:

    1. Go to Access Token Management → Type and in the Type list, select Internally Managed Reference Tokens.

    2. On the Access Token Attribute Contract page, add the Username attribute to extend the contract.

    For more information, see Access token management.

  6. Configure OpenID Connect Policy Management.

    Create an OIDC policy to use specifically for PingAccess administrative console authentication.

    For more information, see Configuring OpenID Connect policies.

    1. On the Attribute Contract tab, delete all of the attributes that appear in the Extend the Contract section.

      The only required attribute is sub.

    2. On the Contract Fulfillment tab, in the Source list, select Access Token, and in the Value list, select Username.

  7. Configure Client Management.

    Create a client to use specifically for PingAccess administrative console authentication.

    For more information, see Managing OAuth clients.

    1. In the Client Authentication list, select an option other than None.

    2. Add the location of the PingAccess host as a Redirection URI.

      For example, https://<PA_Admin_Host>:<PA_Admin_Port>/<reserved application context root>/oidc/cb.

    3. In the Allowed Grant Type list, select Authorization Code.

    4. In the ID Token Signing Algorithm list, select one of the elliptic curve (ECDSA) algorithms, and in the Policy list, select the OIDC policy to use for PingAccess administrative console authentication.

  8. To configure IdP Adapter Mapping, map the HTML Form IdP Adapter Username value to the USER_KEY and USER_NAME contract attributes, which supply the persistent grant key and the user's display name on the authorization page, respectively.

    For more information, see Managing IdP adapter grant mapping.

  9. To configure Access Token Mapping, on the Contract Fulfillment tab, map values into the token attribute contract for the Username attribute:

    1. In the Source list, select Persistent Grant.

    2. In the Value list, select USER_KEY.

    These are the attributes included or referenced in the access token. For more information, see Managing access token mappings.
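The client settings from step 7 are the ones most often misconfigured, so it helps to check them mechanically. The following added example (not PingFederate's or PingAccess's own code) audits a client definition against those settings; the dictionary keys (client_auth, redirect_uris, grant_types, id_token_alg, oidc_policy) are assumptions chosen for this example, not PingFederate admin API field names.

```python
# Added example (not PingFederate or PingAccess code). Field names are assumptions
# modelled on the settings in steps 7.1-7.4, not the PingFederate admin API schema.
from urllib.parse import urlsplit

ECDSA_ALGS = {"ES256", "ES384", "ES512"}  # the elliptic curve JWS algorithms

def check_redirect_uri(uri: str) -> list[str]:
    """Return problems with one PingAccess admin console callback URI."""
    problems = []
    parts = urlsplit(uri)
    if parts.scheme != "https":
        problems.append(f"{uri}: scheme must be https")
    if not parts.hostname:
        problems.append(f"{uri}: missing host")
    if not parts.path.endswith("/oidc/cb"):
        problems.append(f"{uri}: path must end in /oidc/cb")
    if parts.query or parts.fragment or "*" in uri:
        problems.append(f"{uri}: query, fragment and wildcards are not allowed")
    return problems

def audit_client(client: dict) -> list[str]:
    """Return findings; an empty list means the client matches the procedure."""
    findings = []
    if client.get("client_auth", "None") == "None":
        findings.append("client authentication must not be None (step 7.1)")
    uris = client.get("redirect_uris", [])
    if not uris:
        findings.append("no redirection URI registered (step 7.2)")
    for uri in uris:
        findings.extend(check_redirect_uri(uri))
    if set(client.get("grant_types", [])) != {"Authorization Code"}:
        findings.append("allowed grant type must be Authorization Code only (step 7.3)")
    if client.get("id_token_alg") not in ECDSA_ALGS:
        findings.append("ID token signing algorithm must be ECDSA (step 7.4)")
    if not client.get("oidc_policy"):
        findings.append("no OIDC policy selected (step 7.4)")
    return findings

# Constructed samples: one client that follows the procedure and one that does not.
GOOD_CLIENT = {"client_auth": "Client Secret",
               "redirect_uris": ["https://pa-admin.example.com:9000/pa/oidc/cb"],
               "grant_types": ["Authorization Code"],
               "id_token_alg": "ES256", "oidc_policy": "PingAccess-Admin"}
WEAK_CLIENT = {"client_auth": "None",
               "redirect_uris": ["http://pa-admin.example.com:9000/pa/oidc/cb"],
               "grant_types": ["Authorization Code", "Implicit"],
               "id_token_alg": "RS256", "oidc_policy": "PingAccess-Admin"}
```

Running audit_client(WEAK_CLIENT) reports four findings (no client authentication, plain http callback, an extra Implicit grant type, and an RSA signing algorithm), while GOOD_CLIENT passes cleanly.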

Next steps

To finish configuring administrator SSO, see Configuring admin UI SSO authentication.