Preparing to configure admin UI SSO authentication
About this task
Before you can configure admin UI SSO authentication, you must:
Steps
- Configure the OIDC provider. Choose from:
  - Import the OIDC token provider server certificate into a trusted certificate group and associate that trusted certificate group with the OIDC token provider runtime. For more information, see Importing certificates.
  - If you’re using PingFederate as the OIDC token provider, set up a profile scope in PingFederate that includes the openid, profile, address, email, and phone scope values. For more information, see Configuring an OAuth client in the PingFederate documentation.
  - When you configure the client in PingFederate:
    - The Client Authentication must be set to anything except None.
    - The Allowed Grant Types must be set to Authorization Code.
    - The Redirect URIs must include https://<PA_Admin_Host>:<PA_Admin_Port>/<reserved application context root>/oidc/cb. The default reserved application context root is /pa.
    - If you’re not using administrative roles in PingAccess, the OIDC Policy should be set to a policy that uses issuance criteria to restrict access based on some additional criteria. If the OIDC policy you select doesn’t use issuance criteria to limit which users can be granted an access token, all users in the associated identity store configured in PingFederate can authenticate to the PingAccess administrative console and make changes. For more information, see Identifying Issuance Criteria for Policy Mapping in the PingFederate Administrator’s Manual.
- If you plan to use Mutual TLS, you must make two changes to the PingFederate configuration:
  - Enable the use of the secondary HTTPS port in PingFederate by editing the <pf_install>/pingfederate/bin/run.properties file and setting the pf.secondary.https.port value to a port value. For more information, see the PingFederate documentation.
  - Modify the openid-configuration.template.json file to add the mtls_endpoint_aliases object, with content defined by RFC 8705. For more information about this file, see the PingFederate documentation.
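For the Mutual TLS step, the following is an added example (not PingFederate's or PingAccess's own code) that derives the RFC 8705 mtls_endpoint_aliases object from a discovery document and the pf.secondary.https.port value. It assumes the mTLS-capable endpoints are served at the same paths on the secondary HTTPS port; the sample discovery document and its endpoint URLs are constructed for illustration.

```python
"""Derive the RFC 8705 mtls_endpoint_aliases object for a discovery document.

Added example, not PingFederate's own code. Assumption: the mTLS-capable
endpoints are the same paths served on the secondary HTTPS port configured
via pf.secondary.https.port in run.properties.
"""
import json
from urllib.parse import urlsplit, urlunsplit

# Endpoint names RFC 8705 section 5 allows as mTLS aliases; only those that
# actually appear in the discovery document are aliased.
MTLS_ALIAS_CANDIDATES = (
    "token_endpoint",
    "revocation_endpoint",
    "introspection_endpoint",
    "device_authorization_endpoint",
    "registration_endpoint",
    "pushed_authorization_request_endpoint",
)

# Constructed sample discovery document (hostname and paths are illustrative).
SAMPLE_DISCOVERY = {
    "issuer": "https://pf.example.com:9031",
    "authorization_endpoint": "https://pf.example.com:9031/as/authorization.oauth2",
    "token_endpoint": "https://pf.example.com:9031/as/token.oauth2",
    "introspection_endpoint": "https://pf.example.com:9031/as/introspect.oauth2",
    "revocation_endpoint": "https://pf.example.com:9031/as/revoke_token.oauth2",
    "userinfo_endpoint": "https://pf.example.com:9031/idp/userinfo.openid",
}


def rewrite_port(url: str, port: int) -> str:
    """Return url with its port replaced; refuses anything that is not https."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname is None:
        raise ValueError(f"mTLS alias requires an https URL with a host: {url}")
    host = parts.hostname
    if ":" in host:  # IPv6 literal must be re-bracketed
        host = f"[{host}]"
    return urlunsplit((parts.scheme, f"{host}:{port}", parts.path, parts.query, parts.fragment))


def add_mtls_aliases(discovery: dict, secondary_https_port: int) -> dict:
    """Return a copy of discovery with mtls_endpoint_aliases populated."""
    if not 1 <= secondary_https_port <= 65535:
        raise ValueError(f"invalid port: {secondary_https_port}")
    aliases = {name: rewrite_port(discovery[name], secondary_https_port)
               for name in MTLS_ALIAS_CANDIDATES if name in discovery}
    result = dict(discovery)  # leave the caller's document untouched
    result["mtls_endpoint_aliases"] = aliases
    return result


if __name__ == "__main__":
    print(json.dumps(add_mtls_aliases(SAMPLE_DISCOVERY, 9032), indent=2))
```

The authorization_endpoint and userinfo_endpoint are deliberately left out of the aliases: the browser-facing authorization endpoint is not an mTLS client-authentication endpoint under RFC 8705.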