PingAuthorize

Configuring PingFederate group access for PingAuthorize

Configure PingFederate so that only members of a specific LDAP group are authorized to access the application.

About this task

Configuring PingFederate for PingAuthorize and Configuring PingAuthorize Policy Editor to use PingFederate explain how to configure the PingAuthorize Policy Editor and PingFederate so that any authenticated user can access the PingAuthorize Policy Editor. This task describes how to configure PingFederate to limit access to a specific LDAP group.

Steps

  1. Create an LDAP group in PingDirectory and add the desired user (user.20) to the group.

    1. Create a file named create-policy-writer-group.ldif and add the following.

      dn: ou=groups,dc=example,dc=com
      objectclass: top
      objectclass: organizationalunit
      ou: groups
      
      dn: cn=PolicyWriter,ou=groups,dc=example,dc=com
      objectclass: top
      objectclass: groupOfUniqueNames
      cn: PolicyWriter
      ou: groups
      uniquemember: uid=user.20,ou=People,dc=example,dc=com
    2. Use the PingDirectory ldapmodify tool to load the newly created ldif file.

      /opt/PingDirectory/bin/ldapmodify -a -f create-policy-writer-group.ldif
  2. Add the group membership claim requirement in PingFederate.

    1. In the PingFederate console, go to Applications → OAuth → Access Token Mappings.

    2. Select the PingDirectory mapping from the list, and then on the Attribute Sources & User Lookup tab, select the PingDirectory source.

    3. Click the LDAP Directory Search tab, and in the Root Object Class list, select Show All Attributes.

    4. Add the isMemberOf attribute, and then click Done to return to Access Token Attribute Mapping.

      Screen capture of the LDAP Directory Search tab on the Access Token Attribute Mapping window with isMemberOf added as specified and the Save button in the lower right
    5. Go to the Issuance Criteria tab and add a new row with the following values:

      Column Value

      Source

      LDAP (pingdir)

      Attribute Name

      isMemberOf

      Condition

      multi-value contains (case sensitive)

      Value

      cn=PolicyWriter,ou=groups,dc=example,dc=com

      Screen capture of the Issuance Criteria tab on the Access Token Attribute Mapping window with the previously described attributes added
    6. Click Save.

      Result:

      Only user.20 can access the PingAuthorize Policy Editor.

  3. Verify that only specified users can access the PingAuthorize Policy Editor.

    Clear any active SSO sessions before you sign on as each user.

    1. Sign on as user.0.

      Result:

      Access is denied.

    2. Sign on as user.20.

      Result:

      Access is granted.