Configuring PingFederate for PingAccess SSO
Configure PingFederate to enable administrator single sign-on (SSO) for PingAccess.
Before you begin
You must do one of the following:
About this task
To enable administrator SSO to PingAccess, configure the following settings within the PingFederate OAuth authorization server (OAuth AS).
This document doesn’t cover all the required steps for each PingFederate OAuth settings page, only the fields that are necessary for successful SSO to the PingAccess administrative console. For more detailed configuration information on the PingFederate OAuth settings pages, see Using OAuth Menu Selections. |
Steps
-
In PingFederate, go to System → Server → Protocol Settings → Roles and Protocols and configure the following roles and protocols:
-
Select the OAuth 2.0 AS federation role and the OpenID Connect (OIDC) protocol as described in step 2 of Choosing roles and protocols.
-
Select the IdP Provider federation role and a corresponding protocol as described in step 2 of Choosing roles and protocols.
-
-
Create a Password Credential Validator (PCV) to authenticate administrative users.
For more information, see Configuring the Simple Username Password Credential Validator.
-
On the IdP Adapters page, create an HTML Form IdP Adapter and specify the PCV that you configured in step 2 of this procedure.
For more information, see Configuring an HTML Form Adapter instance.
-
On the Authorization Server Settings page, select the Implicit check box in the Reuse Existing Persistent Access Grants for Grant Types section.
For more information, see Configuring authorization server settings.
-
Configure access token management:
-
Go to Access Token Management → Type and in the Type list, select Internally Managed Reference Tokens.
-
On the Access Token Attribute Contract page, add the
Username
attribute to extend the contract.
For more information, see Access token management.
-
-
Configure OpenID Connect Policy Management.
Create an OIDC policy to use specifically for PingAccess administrative console authentication.
For more information, see Configuring OpenID Connect policies.
-
On the Attribute Contract tab, delete all of the attributes that appear in the Extend the Contract section.
The only required attribute is
sub
. -
On the Contract Fulfillment tab, in the Source list, select Access Token, and in the Value list, select Username.
-
-
Configure Client Management.
Create a client to use specifically for PingAccess administrative console authentication.
For more information, see Managing OAuth Clients.
-
In the Client Authentication list, select an option other than None.
-
Add the location of the PingAccess host as a Redirection URI.
For example,
https://<PA_Admin_Host>:<PA_Admin_Port>/<reserved application context root>/oidc/cb
. -
In the Allowed Grant Type list, select Authorization Code.
-
In the ID Token Signing Algorithm list, select one of the elliptic curve (ECDSA) algorithms, and in the Policy list, select the OIDC policy to use for PingAccess administrative console authentication.
-
-
To configure IdP Adapter Mapping, map the HTML Form IdP Adapter Username value to the
USER_KEY
and theUSER_NAME
contract attributes for the persistent grant and the user’s display name on the authorization page, respectively.For more information, see Managing IdP adapter grant mapping.
-
To configure Access Token Mapping, on the Contract Fulfillment tab, map values into the token attribute contract for the
Username
attribute:-
In the Source list, select Persistent Grant.
-
In the Value list, select USER_KEY.
These are the attributes included or referenced in the access token.
For more information, see Managing access token mappings.
-
Next steps
To finish configuring administrator SSO, see Configuring admin UI SSO authentication.