Configuring PingFederate for PingAuthorize

Configure PingFederate to authorize external access through tokens to the PingAuthorize Policy Editor.

About this task

You can also use PingAccess to authorize external access through rules. See Rule Creation in PingAccess for information.

The following example configuration assumes that any authenticated user can access the PingAuthorize Policy Editor. To limit access to members of a specific group, see Configuring PingFederate group access for PingAuthorize.

Steps

In the PingFederate administration console, go to System → Data & Credential Stores → Data Stores.
Click Add New Data Store.
On the Data Store Type tab, in the Name field, enter a name for the data store.
From the Type list, select Directory (LDAP), and then click Next.
On the LDAP Configuration tab, enter the address and authentication information for PingFederate to use when accessing PingDirectory, and then click Next.
On the Summary tab, review your configuration and click Save.
Go to Authentication → Policies → Sessions and enable authentication sessions. The following example enables authentication sessions for all sources. Make the appropriate change for your environment, and then click Save.
Go to Security → Certificate & Key Management → SSL Client Keys & Certificates and import your JWT signing certificate. Click Save.

PingFederate expects the certificate chain and keys to be encoded in PKCS12 format.
Configure your OAuth server using the OpenID Connect protocol.
1. Go to System → OAuth Settings → Scope Management and create scopes.
2. In the Scope Value field, enter the email, openid, and profile scopes, clicking Add after each entry. Click Save.
3. Go to Applications → OAuth → Access Token Management and click Create New Instance.
4. On the Type tab, from the Type list, select JSON Web Tokens. From the Parent Instance list, select None. Click Next.
5. On the Instance Configuration tab, click Add a new row to 'Certificates' and add the previously imported signing certificate. Select the desired signing algorithm and token timeout, and then click Next.
6. On the Session Validation tab, enable the session validation options.
7. On the Access Token Attribute Contract tab, add the attributes to be included in the OAuth access token. This example extends the contract with cn, email, scope, sub, and uid attributes.
8. Click Next until you reach the Summary tab, and then click Save. Accept the default values for the Resources URIs and Access Control settings.
9. Go to Applications → OAuth → Access Token Mappings to create an Access Token Mapping in the Default context for the Access Token Manager you just created. Click Add Mapping, and then click Add Attribute Source.
10. From the Active Data Store list, select the PingDirectory data store that you created in step 2. Click Next.
11. On the LDAP Directory Search tab, in the Base DN field, enter the base DN for the PingDirectory data that provides your identities.
12. In the Attributes to return from search section, click Add Attribute and enter the attributes to be retrieved.
  
  The sample data uses ou=People,dc=example,dc=com and the configuration shown in the following image retrieves the cn, mail, and uid attributes.
13. On the LDAP Filter tab, in the Filter field, enter uid=${USER_KEY} to match the PingDirectory sample data with the authenticating user information.
  
  $Screen capture of the LDAP Filter tab on the Access Token Attribute Mapping window with a Filter field entry of uid=${USER_KEY}$
14. Click Next and Save on the Summary tab.
15. On the Contract Fulfillment tab, fulfill the contract with the LDAP attributes from the PingDirectory data store. Leave the remaining settings as their defaults and click Save.
  
  The scope attribute is fulfilled from the OAuth context.
16. Go to Applications → OAuth → OpenID Connect Policy Management and click Add Policy.
17. In the Manage Policy tab, from the Access Token Manager list, select the access token manager you previously created.
18. Ensure that the Include User Info in ID Token check box is selected. Click Next.
19. On the Attribute Contract tab, extend the policy contract with the email and name attributes. Click Next.
20. On the Attribute Scopes tab, map the previously defined email and profile scopes to the email and name ID token attributes. Click Next.
21. On the Contract Fulfillment tab, fulfill the contract with the values in the access token. Click Next until you reach the Summary tab, and then click Save.
22. Click Set as Default to set the newly created policy as the default policy.
23. Go to Applications → OAuth → Clients and click Add Client.
  
  To provide the Policy Editor with appropriate defaults, configure PingFederate with a Client ID of pingauthorize-pap and select the Authorization Code check box in the Allowed Grant Types section. From the Default Access Token Manager list, select the JWT Manager created earlier, and in the Redirection URIs field, add the correct callback URL for the Policy Editor, such as https://pap.example.com:9443/idp-callback.
  
  Click Save.
24. Go to Authentication → OAuth → IdP Adapter Grant Mapping and create a new Form Adapter Mapping, fulfilling the contracts for USER_NAME and USER_KEY with the username form field. Click Next and Save on the Summary tab.
25. Because this PingFederate instance uses a different domain from the Policy Editor, you must modify the PingFederate CORS settings. Go to System → OAuth Settings → Authorization Server Settings. In the Cross-Origin Resource Sharing Settings section, enter the domain for the Policy Editor in the Allowed Origin field. Click Add and then Save.
Result:PingFederate is configured to handle OpenID Connect requests.