PingAuthorize

Configuring an OIDC provider for single sign-on requests from PingAuthorize

When you install the PingAuthorize software with authentication, configure an OIDC provider to accept requests from PingAuthorize.

About this task

If you chose OIDC mode when you set up the PingAuthorize Policy Editor, you must configure an OIDC provider, such as PingFederate or PingOne, to accept sign-on requests from the PingAuthorize Policy Editor. Refer to the following tabs for the configuration steps for PingOne and PingFederate.

If you’re using another OIDC provider, refer to the provider’s documentation for specific client configuration steps. The following steps show the general procedure:

Steps

  1. Use the following configuration values to create an OAuth 2 client that represents the PingAuthorize Policy Editor:

    OAuth 2 client configuration                    Configuration value

    Client ID                                       pingauthorizepolicyeditor
    Redirect URI                                    https://<host>:<port>/idp-callback
    Grant type                                      Authorization Code with PKCE
    Response type                                   code
    Scopes
    Refresh tokens                                  Enable
    Client authentication on the token endpoint     Disable
                                                    The Policy Editor doesn’t have access to the client secret and doesn’t send it to the token endpoint.
    Return ID token on refresh grant                true
    Always re-roll refresh tokens                   true

    When an authentication token expires, the Policy Editor performs a silent renewal, triggering a background process to retrieve a new token from the OIDC provider. For this process to work, you must configure your OIDC provider as follows:

    • Issue an id_token as part of the refresh grant.

    • Re-roll the refresh token after each use. The Policy Editor won’t use refresh tokens more than once.

    Because these constraints apply only to silent renewal, you can still sign on if either item is misconfigured. After your token expires, though, the application ejects you from your session and redirects you to the sign-on screen, which could cause you to lose unsaved changes in the Policy Editor.

  2. Configure the access tokens and ID tokens issued for the OAuth 2 client with the following claims:

    • sub

    • name

    • email

  3. Configure the OIDC provider to accept a cross-origin resource sharing (CORS) origin that matches the PingAuthorize Policy Editor’s scheme, public host, and port, such as https://<host>:<port>.

  4. Configure the OIDC provider to issue tokens to the PingAuthorize Policy Editor only when the authenticated user is authorized to administer policies according to your organization’s access rules.

    Sign the tokens with RSA using SHA-256 (the RS256 algorithm).

    For PingFederate, this level of authorization is controlled with issuance criteria. Learn more in the PingFederate documentation.
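As an added example that is not part of the PingAuthorize documentation or product, the following Python check compares an OIDC provider’s discovery document and an issued ID token against the client requirements above (response type code, refresh tokens, no client authentication at the token endpoint, RS256 signing, and the sub, name and email claims); the S256 PKCE method is the one the PingOne steps enforce. The discovery document, issuer URL and token are constructed sample data, and the token’s signature is deliberately not verified.

```python
import base64
import json
# Requirements from the client configuration above; S256 is the PKCE method the
# PingOne steps enforce, 'none' means no client secret, RS256 is RSA with SHA-256.
REQUIRED = {
    "response_types_supported": "code",
    "grant_types_supported": "refresh_token",
    "code_challenge_methods_supported": "S256",
    "token_endpoint_auth_methods_supported": "none",
    "id_token_signing_alg_values_supported": "RS256",
}
REQUIRED_CLAIMS = {"sub", "name", "email"}

def check_discovery(doc: dict) -> list:
    """Return every requirement the discovery document fails to advertise."""
    return [f"{k} does not include {v}" for k, v in REQUIRED.items()
            if v not in doc.get(k, [])]

def _b64url_json(segment: str) -> dict:
    segment += "=" * (-len(segment) % 4)  # JWT segments drop the '=' padding
    return json.loads(base64.urlsafe_b64decode(segment))

def check_id_token(token: str, issuer: str) -> list:
    """Check an ID token's header and claims. The signature is not verified
    here; that needs the provider's JWKS and is the relying party's job."""
    header, payload, _signature = token.split(".")
    hdr, claims = _b64url_json(header), _b64url_json(payload)
    problems = []
    if hdr.get("alg") != "RS256":
        problems.append(f"alg is {hdr.get('alg')!r}, expected RS256")
    if claims.get("iss") != issuer:
        problems.append("iss does not match the configured oidcBaseUrl issuer")
    if missing := sorted(REQUIRED_CLAIMS - claims.keys()):
        problems.append("missing claims: " + ", ".join(missing))
    return problems

def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
# Constructed sample data, not a real PingOne response or token: this provider
# offers only secret-based client authentication and the token lacks 'email'.
SAMPLE_ISSUER = "https://auth.pingone.example/ENVIRONMENT-ID-PLACEHOLDER/as"
SAMPLE_DISCOVERY = {
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "code_challenge_methods_supported": ["S256"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
SAMPLE_ID_TOKEN = ".".join([_b64url({"alg": "RS256"}), _b64url(
    {"iss": SAMPLE_ISSUER, "sub": "user-123", "name": "Pat Admin"}), "sig-placeholder"])
```

Against a live provider, fetch <oidcBaseUrl>/.well-known/openid-configuration and pass the parsed JSON to check_discovery; an empty list from both functions means the provider advertises everything the Policy Editor needs.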

Configuring PingOne as an OIDC provider for PingAuthorize

To improve security and ensure a consistent authentication experience across all enterprise applications, enable single sign-on (SSO) for the PingAuthorize Policy Editor using PingOne as an OIDC provider.

Components

  • PingOne

  • PingAuthorize 9.0 or later

Instructions and screenshots might differ slightly from other product versions. For the latest documentation, see PingOne documentation.

Before you begin

  • Confirm that PingOne is accessible from the subnet on which the Policy Editor is running.

  • Extract the Policy Editor distribution to your specified install location, with appropriate permissions set for write access, for example /opt/PingAuthorize-PAP.

Configuring PingOne for PingAuthorize policy administration

About this task

The following configuration allows PingOne to authorize external access to the PingAuthorize Policy Editor.

Steps

  1. Sign on to PingOne and click your environment.

    Choose from:
    • If you have an account, go to the URL for your environment. Each environment has a unique URL for signing on that follows the format https://console.pingone.com/?env=<environmentID>.

    • If you don’t already have an account, create one at Try Ping.

  2. To create an application in PingOne to represent the PingAuthorize Policy Editor, go to Connections > Applications and click the icon.

  3. Enter a name for the application, such as PingAuthorize Policy Editor.

  4. (Optional) Enter a description and add an icon.

  5. Click OIDC Web App, and then click Save.

  6. On the Configuration tab, click the Pencil icon to edit the settings.

  7. From the PKCE Enforcement list in the Grant Type section, select S256_REQUIRED.

  8. In the Redirect URIs field, enter a redirect URL that follows the format https://<pap.hostname:port>/idp-callback.

  9. In the Token Endpoint Authentication Method section, click None.

  10. Click Save.

  11. On the Resources tab, click the Pencil icon to edit the settings.

  12. In the Scopes list, click the icon to add the email and profile scopes to the Allowed Scopes list.

  13. Click Save.

  14. To enable the application, click the toggle.

    Screen capture of the toggle to enable the PingAuthorize Policy Editor application
  15. Copy the following IDs:

    • Client ID: To find the Client ID, go to the application’s Profile tab.

    • Environment ID: To find the Environment ID, click Environment in the left navigation pane.

      You’ll need them when you configure the Policy Editor to use PingOne.

Configuring PingAuthorize policy administration to use PingOne

About this task

The following configuration enables the PingAuthorize Policy Editor to use PingOne for authentication.

Steps

  1. Run the <PingAuthorize-PAP>/bin/stop-server command to stop the Policy Editor.

  2. Using the client ID and environment ID that you copied in Configuring PingOne for PingAuthorize policy administration, run the following command to configure the GUI:

    bin/setup oidc \
      --licenseKeyFile </path/to/PingAuthorize.lic> \
      --generateSelfSignedCertificate \
      --hostname <pap-hostname> --port <pap-port> \
      --adminPort <admin-port> \
      --oidcBaseUrl https://auth.pingone.<regional-domain>/<environment-id>/as \
      --clientId <client-id>
  3. Run the bin/start-server command to start the PingAuthorize Policy Editor.

  4. Verify that you can sign on to the Policy Editor using the application you created in PingOne:

    1. Go to the Policy Editor.

    2. Click the Click to Sign in button.

      Result:

      Your browser redirects to the redirect URI that you set in Configuring PingOne for PingAuthorize policy administration.

      By default, the logged-in username uses the sub claim for the user ID. For information on using a non-default claim, see Changing the default JWT claim for the OIDC user ID.