Configuring PingAccess for SSO
About this task
To use SSO to access PingAccess from PingCentral:
Steps
-
Configure a new PingFederate client:
-
In PingFederate, go to Applications → OAuth → Clients.
-
On the Manage Client tab, complete these fields:
-
Client ID: Enter a unique identifier for the client.
-
Name: Enter a name for the client.
-
Description: Enter a description of the client.
-
See Configuring OAuth clients in the PingFederate Server guide for details.
-
In the Client Authentication field, select Client Secret.
-
In the Client Secret field, you can:
Option Description Create or generate a secret.
Choose from:
-
To create a strong, random alphanumeric string, click Generate Secret.
-
Manually enter a secret.
Modify an existing secret.
-
Select the Change Secret check box.
-
Click Generate Secret to create a strong random alphanumeric string or manually enter a secret.
-
-
In the Grant Types field, select the Client Credentials and Access Token Validation (Client is a Resource Server) options.
-
In the Default Access Token Manager field, select JSON Web Tokens . Click Save.
-
Access the PingFederate
<pf_install>/pingfederate/bin/run.properties
file, and ensure that this property is set:pf.admin.api.authentication=OAuth2
. -
Access the PingFederate
<pf_install>/pingfederate/bin/oauth2.properties
file, and ensure that the following properties are set.Property Description client.id
The unique client identifier defined in step 2.
client.secret
The client secret defined in step 4.
introspection.endpoint
This URL specifies where PingFederate validates the authentication token.
For example,
https://<PF_RUNTIME_HOST>:<PF_RUNTIME_PORT>/as/introspect.oauth2
required.scopes
Use any of the scopes defined in PingFederate.
Go to System → OAuth Settings → Scope Management to see a list of available scopes.
For details, see Scopes in the PingFederate Server guide.
username.attribute.name
The value mapped to the Username attribute defined on the Contract Fulfillment tab.
role.attribute.name
The value mapped to the admin_role attribute defined on the Contract Fulfillment tab.
-
-
Configure PingAccess:
-
In PingAccess, go to System → System Settings → Admin Authentication.
-
On the Admin API OAuth tab, select Enable and complete these fields as shown in the example:
-
Client ID: Enter the unique client identifier for the new client.
-
Client Secret: Enter the client secret defined for the new client.
-
Scope: Enter the scopes set as required scopes for the new client.
-
Subject Attribute Name: Enter the name of an access token attribute that you want to use as the Subject field in audit log entries for the admin API.
-
-
Click Save.
-
-
Configure PingCentral:
-
In PingCentral, to connect to the new PingFederate client, go to Environments → Add Environments.
-
On the Connect to Instances page, scroll down and select PingAccess.
-
Complete the following fields using the properties you just set in PingAccess.
-
PingAccess Admin: Enter the link to access PingAccess.
-
Authentication Method: Select Native orOAuth2.
-
Token Endpoint URL: Enter the token endpoint URL, which is available here in PingFederate:
https://<PF_RUNTIME_HOST>:<PF_RUNTIME_PORT>/.well-known/openid-configuration
. -
Client ID: Enter the unique identifier for the new client.
-
Client Secret: Enter the client secret defined for the new client.
-
Scopes: Enter the scopes set as required scopes for the new client.
-
Click Next.
-
-