PingAuthorize

Example: Set up the PingAuthorize Policy Editor in OIDC mode (self-governance)

This example sets up the PingAuthorize Policy Editor with self-governance and OIDC authentication.

For more information about configuring OIDC authentication, see the OIDC mode (generic) tab on this page.

Self-governance is not supported in clustered Policy Editor configurations.

To enable self-governance with OIDC authentication, use the following arguments:

--enableSelfGovernance (required)

Turns on the self-governance functionality.

--selfGovernanceSystemUser (required)

Sets the self-governance administrator username for OIDC authentication.

--apiHttpCacheTtl (optional)

Sets the time-to-live value (in seconds) for the HTTP cache, after which the cache is refreshed and a new self-governance check is performed. This value must be 1 or greater.

If you don’t specify a value, the Policy Editor uses the default time-to-live of 60 seconds.

The following example sets up the Policy Editor to use PingOne for OIDC authentication, enables self-governance, and specifies an OIDC username for the self-governance administrator:

$ bin/setup oidc \
  --hostname localhost \
  --port 9443 \
  --adminPort <admin-port> \
  --oidcBaseUrl https://auth.pingone.com/<my-environment-id>/as \
  --clientId <my-client-id> \
  --generateSelfSignedCertificate \
  --enableSelfGovernance \
  --selfGovernanceSystemUsername <oidc-authenticated-user>