PingAuthorize

Configuring PingFederate for PingAuthorize

Configure PingFederate to authorize external access through tokens to the PingAuthorize Policy Editor.

About this task

You can also use PingAccess to authorize external access through rules. See Rule Creation in PingAccess for information.

The following example configuration assumes that any authenticated user can access the PingAuthorize Policy Editor. To limit access to members of a specific group, see paz_config_pf_group_access_paz.adoc.

Steps

  1. In the PingFederate administration console, go to System → Data & Credential Stores → Data Stores.

  2. Click Add New Data Store.

  3. On the Data Store Type tab, in the Name field, enter a name for the data store.

  4. From the Type list, select Directory (LDAP), and then click Next.

  5. On the LDAP Configuration tab, enter the address and authentication information for PingFederate to use when accessing PingDirectory, and then click Next.

  6. On the Summary tab, review your configuration and click Save.

    Screen capture of the Summary tab in the Data Stores window, displaying the specified data store configuration
  7. Go to Authentication → Policies → Sessions and enable authentication sessions. The following example enables authentication sessions for all sources. Make the appropriate change for your environment, and then click Save.

    Screen capture of the Sessions window with the Track Revoked Sessions on Logout and Enable Authentication Sessions For All Sources check boxes selected
  8. Go to Security → Certificate & Key Management → SSL Client Keys & Certificates and import your JWT signing certificate. Click Save.

    PingFederate expects the certificate chain and keys to be encoded in PKCS12 format.

  9. Configure your OAuth server using the OpenID Connect protocol.

    1. Go to System → OAuth Settings → Scope Management and create scopes.

    2. In the Scope Value field, enter the email, openid, and profile scopes, clicking Add after each entry. Click Save.

      Screen capture of the Common Scopes tab on the Scope Management window, displaying the values of email, openid, and profile added to the Scope Value list
    3. Go to Applications → OAuth → Access Token Management and click Create New Instance.

    4. On the Type tab, from the Type list, select JSON Web Tokens. From the Parent Instance list, select None. Click Next.

    5. On the Instance Configuration tab, click Add a new row to 'Certificates' and add the previously imported signing certificate. Select the desired signing algorithm and token timeout, and then click Next.

    6. On the Session Validation tab, enable the session validation options.

      Screen capture of the Session Validation tab on the Access Token Management window showing all check boxes selected
    7. On the Access Token Attribute Contract tab, add the attributes to be included in the OAuth access token. This example extends the contract with cn, email, scope, sub, and uid attributes.

      Screen capture of the Access Token Attribute Contract tab on the Access Token Management window, displaying the values of cn, email, scope, sub, and uid added to the Extend the Contract list
    8. Click Next until you reach the Summary tab, and then click Save. Accept the default values for the Resources URIs and Access Control settings.

    9. Go to Applications → OAuth → Access Token Mappings to create an Access Token Mapping in the Default context for the Access Token Manager you just created. Click Add Mapping, and then click Add Attribute Source.

    10. From the Active Data Store list, select the PingDirectory data store that you created in step 2. Click Next.

      Screen capture of the Data Store tab on the Access Token Mappings window, displaying the PingDirectory Data Store selected in the Active Data Store list
    11. On the LDAP Directory Search tab, in the Base DN field, enter the base DN for the PingDirectory data that provides your identities.

    12. In the Attributes to return from search section, click Add Attribute and enter the attributes to be retrieved.

      The sample data uses ou=People,dc=example,dc=com and the configuration shown in the following image retrieves the cn, mail, and uid attributes.

      Screen capture of the LDAP Directory Search tab on the Access Token Attribute Mapping window, with the Base DN set to ou=People,dc=example,dc=com and the attributes cn, mail, and uid added to the Attribute list
    13. On the LDAP Filter tab, in the Filter field, enter uid=${USER_KEY} to match the PingDirectory sample data with the authenticating user information.

      Screen capture of the LDAP Filter tab on the Access Token Attribute Mapping window with a Filter field entry of uid=${USER_KEY}
    14. Click Next and Save on the Summary tab.

    15. On the Contract Fulfillment tab, fulfill the contract with the LDAP attributes from the PingDirectory data store. Leave the remaining settings as their defaults and click Save.

      The scope attribute is fulfilled from the OAuth context.

      Screen capture of the Contract Fulfillment tab on the Access Token Attribute Mapping window, with the cn, email, sub, and uid contracts configured for a Source of LDAP (PingDirectory) and Values of cn, mail, uid, and uid, respectively. The scope contract has a source of Context and a Value of Scope.
    16. Go to Applications → OAuth → OpenID Connect Policy Management and click Add Policy.

    17. In the Manage Policy tab, from the Access Token Manager list, select the access token manager you previously created.

    18. Ensure that the Include User Info in ID Token check box is selected. Click Next.

    19. On the Attribute Contract tab, extend the policy contract with the email and name attributes. Click Next.

    20. On the Attribute Scopes tab, map the previously defined email and profile scopes to the email and name ID token attributes. Click Next.

      Screen capture of the Attribute Scopes tab on the Policy Management window, with the email attribute mapped to the email scope, and the name attribute mapped to the profile scope
    21. On the Contract Fulfillment tab, fulfill the contract with the values in the access token. Click Next until you reach the Summary tab, and then click Save.

      Screen capture of the Contract Fulfillment tab on the OpenID Connect Policy Management window, with the Attribute Contracts of email, name, and sub set to a Source of Access Token and Value selections of email, cn, and sub, respectively.
    22. Click Set as Default to set the newly created policy as the default policy.

    23. Go to Applications → OAuth → Clients and click Add Client.

      To provide the Policy Editor with appropriate defaults, configure PingFederate with a Client ID of pingauthorize-pap and select the Authorization Code check box in the Allowed Grant Types section. From the Default Access Token Manager list, select the JWT Manager created earlier, and in the Redirection URIs field, add the correct callback URL for the Policy Editor, such as https://pap.example.com:9443/idp-callback.

      Click Save.

    24. Go to Authentication → OAuth → IdP Adapter Grant Mapping and create a new Form Adapter Mapping, fulfilling the contracts for USER_NAME and USER_KEY with the username form field. Click Next and Save on the Summary tab.

      Screen capture of the Contract Fulfillment tab on the IdP Adapter Grant Mapping window, with the USER_KEY and USER_NAME contracts set to a Source of Adapter and a Value of username
    25. Because this PingFederate instance uses a different domain from the Policy Editor, you must modify the PingFederate CORS settings. Go to System → OAuth Settings → Authorization Server Settings. In the Cross-Origin Resource Sharing Settings section, enter the domain for the Policy Editor in the Allowed Origin field. Click Add and then Save.

      Screen capture of the Cross-Origin Resource Sharing Settings section showing a URL of https://pap.example.com:8080 added to the Allowed Origin field

      Result:

      PingFederate is configured to handle OpenID Connect requests.

Next steps