Configuring PingOne as an OIDC provider for PingAuthorize
To improve security and ensure a consistent authentication experience across all enterprise applications, enable single sign-on (SSO) for the PingAuthorize Policy Editor using PingOne as an OIDC provider.
Components
- PingOne
- PingAuthorize 9.0 or later
Instructions and screenshots might differ slightly from other product versions. For the latest documentation, see PingOne documentation.
Before you begin
- Confirm that PingOne is accessible from the subnet on which the Policy Editor is running.
- Extract the Policy Editor distribution to your specified install location, with appropriate permissions set for write access, for example /opt/PingAuthorize-PAP.
Configuring PingOne for PingAuthorize policy administration
About this task
The following configuration allows PingOne to authorize external access to the PingAuthorize Policy Editor.
Steps
- Sign on to PingOne and click your environment.
  Choose from:
  - If you have an account, go to the URL for your environment. Each environment has a unique URL for signing in. It follows the format https://console.pingone.com/?env=<environmentID>.
  - If you do not already have an account, create one at Try Ping for Free.
- To create an application in PingOne to represent the PingAuthorize Policy Editor, go to Connections > Applications and click the icon.
- Enter a name for the application, such as PingAuthorize Policy Editor.
- Optional: Enter a description and add an icon.
- Click OIDC Web App, and then click Save.
- On the Configuration tab, click the Pencil icon to edit the settings.
- From the PKCE Enforcement list in the Grant Type section, select S256_REQUIRED.
- In the Redirect URIs field, enter a redirect URL that follows the format https://<pap.hostname:port>/idp-callback.
- In the Token Endpoint Authentication Method section, click None.
- Click Save.
- On the Resources tab, click the Pencil icon to edit the settings.
- In the Scopes list, click the icon to add the email and profile scopes to the Allowed Scopes list.
- Click Save.
- To enable the application, click the toggle.
- Copy the following IDs:
  - Client ID: To find the Client ID, go to the application's Profile tab.
  - Environment ID: To find the Environment ID, click Environment in the left navigation pane.
  You'll need them when you configure the Policy Editor to use PingOne.
Configuring PingAuthorize policy administration to use PingOne
About this task
The following configuration enables the PingAuthorize Policy Editor to use PingOne for authentication.
Steps
- Run the <PingAuthorize-PAP>/bin/stop-server command to stop the Policy Editor.
- Using the client ID and environment ID from Configuring PingOne for PingAuthorize policy administration, run the following command to configure the GUI:
  bin/setup oidc \
    --licenseKeyFile </path/to/{pingauthorize}.lic> \
    --generateSelfSignedCertificate \
    --hostname <pap-hostname> --port <pap-port> \
    --adminPort <admin-port> \
    --oidcBaseUrl https://auth.pingone.<regional-domain>/<environment-id>/as \
    --clientId <client-id>
- Run the bin/start-server command to start the PingAuthorize Policy Editor.
- Verify that you can sign on to the Policy Editor using the application you created in PingOne:
  - Go to the Policy Editor.
  - Click Click to Sign in.
  Result:
  Your browser redirects to the URL you set in Configuring PingOne for PingAuthorize policy administration.
By default, the logged-in username uses the sub JSON Web Token (JWT) claim for the OpenID Connect (OIDC) user ID. For information on using a non-default claim, see Changing the default JWT claim for the OIDC user ID.
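The two PingOne application settings above, PKCE Enforcement set to S256_REQUIRED and Token Endpoint Authentication Method set to None, describe a public OIDC client: the Policy Editor holds no client secret, so it proves at the token endpoint that it started the sign-in by presenting a one-time code_verifier whose SHA-256 hash it sent earlier. The following is an added example, not Ping Identity's code, that shows the S256 transform from RFC 7636, the check the authorization server applies before releasing tokens, and the authorization request the browser is redirected to after Click to Sign in. It assumes the authorization endpoint is <oidcBaseUrl>/authorize; the base URL, client ID and redirect URI are placeholders in the page's format, not real values.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Added example, not Ping Identity's code. Illustrates the PKCE (RFC 7636,
# S256 method) exchange that the S256_REQUIRED / None settings above require
# of a public client such as the Policy Editor.


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random code_verifier. base64url of 32 random bytes is 43 characters,
    the minimum length RFC 7636 allows (the maximum is 128)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(code_verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))), padding stripped.
    Only this value travels in the browser redirect; the verifier stays with the client."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_matches(code_verifier: str, code_challenge: str) -> bool:
    """The authorization server's check at the token endpoint: recompute the
    challenge from the presented verifier and compare in constant time.
    A stolen authorization code is useless without the matching verifier."""
    return secrets.compare_digest(code_challenge_s256(code_verifier), code_challenge)


def build_authorize_url(oidc_base_url: str, client_id: str, redirect_uri: str,
                        state: str, nonce: str, code_challenge: str,
                        scopes=("openid", "email", "profile")) -> str:
    """Authorization request sent via the browser. Assumes the endpoint is
    <oidcBaseUrl>/authorize. The email and profile scopes match the Allowed
    Scopes configured above; redirect_uri must equal the registered
    https://<pap.hostname:port>/idp-callback value exactly."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{oidc_base_url.rstrip('/')}/authorize?{urlencode(params)}"


if __name__ == "__main__":
    # Placeholders in the page's own format; constructed, not real identifiers.
    base = "https://auth.pingone.<regional-domain>/<environment-id>/as"
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)
    print(build_authorize_url(base, "<client-id>", "https://<pap.hostname:port>/idp-callback",
                              secrets.token_urlsafe(16), secrets.token_urlsafe(16), challenge))
    # The server accepts only the verifier that produced the challenge.
    assert challenge_matches(verifier, challenge)
    assert not challenge_matches(make_code_verifier(), challenge)
```

Because the client authenticates with None, the verifier check is the only thing binding the token request to the browser session that started it; that is why S256_REQUIRED, rather than OPTIONAL, is the setting to keep, and why the redirect URI should be registered as the exact callback URL rather than a broader pattern.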