Example: Set up the PingAuthorize Policy Editor in OIDC mode (custom scope)
This example sets up the PingAuthorize Policy Editor for sign-ons using OIDC with one or more custom scopes.
In OIDC mode, the Policy Editor UI requests an access token with the following default scopes: openid email profile. You can change the default requested scopes persistently, during server setup, or on a one-time basis, at server startup.
Add OIDC scopes during setup
To add requested OIDC scopes persistently, use the --scope option to provide a space-separated list of scopes to the setup command.
$ bin/setup oidc \
--oidcBaseUrl https://auth.example.com/02fa3993-a851-4eb5-96c7-f0c561be23c6/auth/ \
--clientId 21a74125-85db-4fca-8a56-e5d45d4d8163 \
--scope "openid email profile <additional_scope>" \
--generateSelfSignedCertificate \
--hostname <pap-hostname> \
--port <pap-port> \
--adminPort <admin-port> \
--licenseKeyFile <path-to-license>
The Policy Editor uses the provided OIDC base URL to query the OIDC provider’s autodiscovery endpoint for the information it needs to make OIDC requests. The provided client ID represents the Policy Editor and must be configured in the OIDC provider as well.
The Policy Editor can skip host name verification and accept self-signed SSL certificates from the OIDC provider. The following example uses the PING_OIDC_TLS_VALIDATION environment variable to set up the Policy Editor to handle sign-ons for a provider using a self-signed certificate:
$ env PING_OIDC_TLS_VALIDATION=NONE bin/setup oidc \
--oidcBaseUrl https://auth.example.com/02fa3993-a851-4eb5-96c7-f0c561be23c6/auth/ \
--clientId 21a74125-85db-4fca-8a56-e5d45d4d8163 \
--scope "openid email profile <additional_scope>" \
--generateSelfSignedCertificate \
--hostname <pap-hostname> \
--port <pap-port> \
--adminPort <admin-port> \
--licenseKeyFile <path-to-license>
Add OIDC scopes at startup
To override persistently requested OIDC scopes for a single runtime instance of the Policy Editor, use the PING_SCOPE environment variable to provide a space-separated list of scopes to the start-server command:
$ env PING_SCOPE="openid email profile <different_scope>" bin/start-server
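As an added pre-flight check (example code, not part of PingAuthorize or its documentation), the script below derives the autodiscovery URL from the --oidcBaseUrl value and verifies that every scope in a --scope or PING_SCOPE list is advertised by the provider before you run setup or start-server. The discovery document it inspects is constructed sample data so it runs offline, and the .well-known path directly under the base URL is an assumption about the provider.

```python
"""Pre-flight check for a Policy Editor OIDC scope list (added example, not
PingAuthorize code). Before running `bin/setup oidc --scope "..."` or starting
with PING_SCOPE, confirm each scope is advertised by the provider's autodiscovery
document, the one the Policy Editor fetches using --oidcBaseUrl."""
import json
import ssl
import urllib.request
from urllib.parse import urljoin

DEFAULT_SCOPES = "openid email profile"  # the Policy Editor's default request

# Constructed sample discovery document (not a real provider's response).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://auth.example.com/02fa3993-a851-4eb5-96c7-f0c561be23c6",
    "scopes_supported": ["openid", "email", "profile", "policy_admin"],
})


def load_sample_discovery() -> dict:
    """Parse the constructed sample document (stands in for fetch_discovery)."""
    return json.loads(SAMPLE_DISCOVERY)


def discovery_url(oidc_base_url: str) -> str:
    """Derive the autodiscovery URL; assumes .well-known sits under the base URL."""
    base = oidc_base_url if oidc_base_url.endswith("/") else oidc_base_url + "/"
    return urljoin(base, ".well-known/openid-configuration")


def fetch_discovery(oidc_base_url: str, timeout: float = 5.0) -> dict:
    """Fetch the live document with full certificate and hostname verification,
    the behaviour PING_OIDC_TLS_VALIDATION provides when left at its default."""
    ctx = ssl.create_default_context()
    url = discovery_url(oidc_base_url)
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return json.load(resp)


def check_scopes(requested: str, discovery: dict) -> dict:
    """Split a space-separated --scope / PING_SCOPE value and compare it with
    scopes_supported; 'advertised' is False when the provider omits that field."""
    wanted = requested.split()
    supported = set(discovery.get("scopes_supported", []))
    return {
        "advertised": "scopes_supported" in discovery,
        "supported": [s for s in wanted if s in supported],
        "unsupported": [s for s in wanted if s not in supported],
        "has_openid": "openid" in wanted,  # openid is mandatory for OIDC
    }


if __name__ == "__main__":
    doc = load_sample_discovery()
    print(check_scopes(DEFAULT_SCOPES + " policy_admin", doc))
```

When "advertised" is False the provider does not publish scopes_supported, so the list cannot be confirmed from discovery and must be checked against the client's configuration in the provider instead.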
For more information about configuring an OIDC provider, see Configuring an OIDC provider for single sign-on requests from PingAuthorize.