Configuring a standard PingFederate runtime (original workflow)
About this task
If you’ve upgraded your PingAccess deployment from version 5.2 or earlier with an existing token provider configuration and haven’t configured a token provider using the /pingfederate/runtime
API endpoint, use this workflow to configure a PingFederate runtime.
Steps
-
Click Settings and then go to System → Token Provider → PingFederate → Runtime.
-
Select Standard Token Provider.
-
In the Host field, enter the PingFederate runtime host name or the IP address for the PingFederate runtime.
-
In the Port field, enter the PingFederate runtime port number.
-
Optional: In the Base Path field, enter the base path for the PingFederate runtime.
The base path must start with a slash, such as
/federation
. -
Select the Audit Level check box to log information about the transaction to the audit store.
PingAccess audit logs record a selected subset of transaction log information at runtime and are located in the
/logs
directory of your PingAccess installation. -
In the Secure section, select Yes if PingFederate is expecting HTTPS connections.
-
In the Trusted Certificate Group list, select the certificate group that the PingFederate certificate is in.
This field is available only if you select Yes in step 7.
-
Click Show Advanced and configure the advanced settings:
-
Click Add Back Channel Server.
-
In the Back Channel Servers list, enter one or more
<hostname:port>
pairs. -
If the backchannel uses HTTPS, enable the Back Channel Secure option.
This option is available after you define at least one backchannel server.
-
If the backchannel uses an alternate base path, enter the path in the Back Channel Base Path field.
-
If host name verification for secure connections isn’t required for either the runtime or the backchannel servers, enable the Skip Hostname Verification option.
-
If host name verification is required, enter the host name that PingAccess should expect in the Expected Hostname field.
-
To use a configured proxy for backchannel requests, select the Use Proxy check box.
If the node is not configured with a proxy, requests are made directly to PingFederate. For more information about creating proxies, see Adding proxies.
-
Select Use Single-Logout to enable single logout (SLO).
To use this feature, SLO must be configured on the OpenID Connect (OIDC) provider.
-
-
Click Save.
Result
After you save the PingFederate runtime connection, PingAccess tests the connection to PingFederate. If the connection can’t be made, a warning displays in the admin console, and the PingFederate runtime won’t save.
Next steps
After you save this configuration and perform the steps in Configuring OAuth resource servers, a PingFederate access validator is available for selection when you define OAuth-type rules in the policy manager.
After you configure the token provider, click View Metadata to display the metadata provided by the token provider. To update the metadata, click Refresh Metadata.