PingAuthorize

Configure PingOne to use SSO for the administrative console

The steps below explain how to configure PingOne so that you can use SSO in PingOne to access the PingAuthorize administration console.

Before you begin

You should have already set up the PingAuthorize server that will be administered. This server will host the PingAuthorize administration console that is being configured for SSO.

You can use groups to organize user identities as explained in Groups. Also, you can set access to applications as explained in Application access control.

Steps

  1. In the PingOne administration console, add a PingAuthorize Server service to one of the existing environments. Alternatively, add a custom environment solely for a PingAuthorize Server service.

    1. When prompted, select the It’s already been deployed option.

    2. Provide https://<hostname>:<port>/console/login as the value for the Admin URL, filling in the bracketed values with the PingAuthorize server’s hostname and HTTP port.

      By binding to the LDAP server, you can use a single console instance to administer multiple PingAuthorize servers. Note that an LDAPS scheme is always assumed because an encrypted connection is always required for SSO.

      You can specify the LDAP server to bind to using the query parameters ldap-hostname and ldaps-port when the administrative console is configured for SSO. Using these parameters, you can specify the URL as follows:

      https://<hostname>:<port>/console?ldap-hostname=<my-ldap-host>&ldaps-port=<my-ldaps-port>
  2. Configure the matching administrator accounts for PingOne and the PingAuthorize server. Go to the PingOne dashboard for the environment that will be used with the PingAuthorize server. Repeat the following steps for each PingOne user for whom you wish to enable SSO.

    1. Locate the desired user under the Identities tab. For example purposes, we will assume the desired PingOne user has the following properties:

      • Given name: Jane

      • Family name: Smith

      • Username: jsmith

    2. Run the following dsconfig command against the PingAuthorize server, substituting the previously located PingOne user’s Username, Given name, and Family name values for the example values shown (jsmith, Jane, Smith).

      dsconfig create-root-dn-user --user-name jsmith \
        --set first-name:Jane \
        --set last-name:Smith
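      Step 2 is repeated once per PingOne administrator, and the root DN user created in step 2.2 must carry the same Username as the PingOne identity. The following POSIX shell script is an added example, not part of the PingAuthorize documentation; it assumes a constructed CSV export with one username,given name,family name line per administrator, validates each username before building the dsconfig create-root-dn-user command from step 2.2, and only prints the commands unless the variable DSCONFIG is set to the real dsconfig path (the CSV layout, the allowed username characters, and the DSCONFIG variable are all assumptions).

```shell
#!/bin/sh
# Added example, not from the PingAuthorize documentation: create one
# PingAuthorize root DN user per PingOne administrator (step 2.2) from a
# CSV of username,given name,family name lines.
# ASSUMPTIONS: the CSV layout and the character set accepted for a
# username are constructed for this example; widen the set to match your
# PingOne username policy. DSCONFIG, if set, is the path of the real
# dsconfig tool; when unset the commands are only echoed (dry run).

# valid_username NAME: reject empty names and names with characters outside
# the assumed set, so a malformed export cannot create a stray root DN user.
valid_username() {
    case "$1" in
        '' | *[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    return 0
}

# create_root_dn_users CSV: run (or echo) one create-root-dn-user command
# per valid line; returns 1 if any line was skipped so the operator
# notices a bad export instead of ending up with a partial set of admins.
create_root_dn_users() {
    rejected=0
    while IFS=, read -r user given family; do
        if ! valid_username "$user"; then
            echo "skipping line with bad username: '$user'" >&2
            rejected=$((rejected + 1))
            continue
        fi
        # ${DSCONFIG:-echo dsconfig} is deliberately unquoted: unset, it
        # expands to the two words "echo dsconfig" for a dry run.
        ${DSCONFIG:-echo dsconfig} create-root-dn-user --user-name "$user" \
            --set "first-name:$given" --set "last-name:$family"
    done < "$1"
    [ "$rejected" -eq 0 ]
}

# Usage (admins.csv is a constructed file, e.g. "jsmith,Jane,Smith"):
#   create_root_dn_users admins.csv                       # dry run
#   DSCONFIG=/path/to/PingAuthorize/bin/dsconfig create_root_dn_users admins.csv
```

      The dry-run default lets you review the exact commands before any root DN user is created; set DSCONFIG only once the printed list matches the PingOne identities you intend to enable for SSO.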
  3. Register the administrative console with PingOne. Follow the instructions for Adding an application and select OIDC Web App for Application Type. Configure the application properties as shown in the following list:

    • Application name: PingAuthorize administrative console

    • Description: Application for the PingAuthorize administrative console

    • Redirect URLs: https://<hostname>:<port>/console/oidc/cb

    • Attribute mapping: Username = sub

      Fill in the bracketed values in the redirect URL with the PingAuthorize server’s hostname and HTTP port, as in step 1.

  4. Edit the listed properties for the newly created application so that the properties have the values shown in the following list, following the instructions in Editing an application - OIDC (.pingidentity.com/bundle/pingone/page/jez1625773795534.html) in the PingOne Administration Guide.

    • Response type: Code

    • Grant type: Authorization code

    • Token endpoint authentication method: Client secret basic

  5. Note the values for the following application properties to use in later steps:

    • Issuer

    • Client ID

    • Client Secret

  6. Locate the enable-pingone-admin-console-sso.dsconfig file in the PingAuthorize/config/sample-dsconfig-batch-files/ directory. Make a copy of it, and edit the copy rather than the source file.

  7. Replace all the bracketed values in the batch file with the corresponding values from step 5. Then run the file using the following command.

    dsconfig --batch-file \
        enable-pingone-admin-console-sso-copy.dsconfig \
        --no-prompt
  8. Click the link to the PingAuthorize server from the PingOne solutions home page. A PingOne login page should appear. After you provide credentials, you should see the administrative console index page.
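  Steps 6 and 7 are a copy, edit and run sequence: the working copy ends up holding the client secret, and with --no-prompt any placeholder you forgot to replace would be passed straight to dsconfig. The following POSIX shell script is an added example, not part of the PingAuthorize documentation or its sample batch files; it assumes placeholder tokens named <issuer>, <client-id> and <client-secret> (compare them with the names in your copy of enable-pingone-admin-console-sso.dsconfig) and reads the values noted in step 5 from the environment variables ISSUER, CLIENT_ID and CLIENT_SECRET, all of which are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the PingAuthorize documentation: prepare the
# working copy of the sample batch file (steps 6 and 7) and refuse to hand
# it to dsconfig while any bracketed placeholder is still unfilled.
# ASSUMPTIONS: the tokens <issuer>, <client-id> and <client-secret> stand
# in for whatever placeholder names your copy of
# enable-pingone-admin-console-sso.dsconfig actually uses; the values from
# step 5 are read from the environment variables ISSUER, CLIENT_ID and
# CLIENT_SECRET.

# sed_escape VALUE: escape a value for the replacement side of a sed s|||
# command, since a client secret may well contain '&', '|' or '\'.
sed_escape() {
    printf '%s' "$1" | sed -e 's/[&|\\]/\\&/g'
}

# fill_batch_file TEMPLATE COPY: write COPY with the placeholders replaced.
# Values come from the environment rather than the command line so the
# client secret is not left in shell history or visible in `ps` output.
fill_batch_file() {
    [ -n "$ISSUER" ] && [ -n "$CLIENT_ID" ] && [ -n "$CLIENT_SECRET" ] || {
        echo "ISSUER, CLIENT_ID and CLIENT_SECRET must all be set" >&2
        return 1
    }
    (
        umask 077   # the copy holds the secret: create it owner-only
        sed -e "s|<issuer>|$(sed_escape "$ISSUER")|g" \
            -e "s|<client-id>|$(sed_escape "$CLIENT_ID")|g" \
            -e "s|<client-secret>|$(sed_escape "$CLIENT_SECRET")|g" \
            "$1" > "$2"
    )
}

# placeholders_filled FILE: succeed only if no <...> token remains; list
# any leftovers on stderr so the operator sees which value was missed.
placeholders_filled() {
    left=$(grep -o '<[A-Za-z-]*>' "$1" | sort -u | tr '\n' ' ')
    if [ -n "$left" ]; then
        echo "unfilled placeholders in $1: $left" >&2
        return 1
    fi
    return 0
}

# prepare_batch_file TEMPLATE COPY: fill, check, and print the dsconfig
# command to run (printed rather than executed so this runs without a
# server; run the printed line once the check has passed).
prepare_batch_file() {
    fill_batch_file "$1" "$2" || return 1
    placeholders_filled "$2" || return 1
    echo "dsconfig --batch-file $2 --no-prompt"
}

# Usage, with constructed values standing in for the ones noted in step 5:
#   export ISSUER='https://auth.example.com/as' CLIENT_ID='abc123' CLIENT_SECRET='...'
#   prepare_batch_file enable-pingone-admin-console-sso.dsconfig \
#       enable-pingone-admin-console-sso-copy.dsconfig
```

  Because the copy contains the client secret, keep it owner-readable only and delete it once the batch has been applied; the check for leftover <...> tokens is what prevents a half-edited file from being committed with --no-prompt.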