---
title: Configuring SSO for PingCentral
description: With PingCentral, single sign-on (SSO) is disabled by default.
component: pingcentral
version: 2.2
page_id: pingcentral:pingcentral_for_iam_administrators:pingcentral_conf_sso_pc
canonical_url: https://docs.pingidentity.com/pingcentral/2.2/pingcentral_for_iam_administrators/pingcentral_conf_sso_pc.html
revdate: August 15, 2023
section_ids:
  enabling-sso-for-pingcentral: Enabling SSO for PingCentral
  steps: Steps
  example: Example:
  configuring-oidc-for-pingcentral: Configuring OIDC for PingCentral
  steps-2: Steps
  example-2: Example:
  defining-the-oauth-client-for-pingcentral: Defining the OAuth client for PingCentral
  steps-3: Steps
  example-3: Example:
  configuring-pingcentral-role-mapping: Configuring PingCentral role mapping
  about-this-task: About this task
  steps-4: Steps
  result: Result
  next-steps: Next steps
---

# Configuring SSO for PingCentral

With PingCentral, single sign-on (SSO) is disabled by default.

To configure PingCentral for SSO:

1. Enable SSO.

2. Configure OpenID Connect (OIDC) properties to access OIDC configuration information.

3. Define an OAuth client at the OpenID provider.

4. Configure PingCentral role mapping.

After completing these steps, [configure the resource server](pingcentral_conf_resource_server.html).

## Enabling SSO for PingCentral

### Steps

1. Open the `<PingCentral_install>/conf/application.properties` file.

2. Uncomment the following property and set the value to **true**.

   #### Example:

   ```
   pingcentral.sso.oidc.enabled=true
   ```

## Configuring OIDC for PingCentral

### Steps

* In the `<PingCentral_install>/conf/application.properties` file, locate the `pingcentral.sso.oidc.issuer-uri` property, uncomment it, and define the Issuer URI.

  #### Example:

  In this example, PingCentral attempts to access OIDC configuration information at `https://sso.mycompany.com:9031/.well-known/openid-configuration`.

  ```
  pingcentral.sso.oidc.issuer-uri=https://sso.<mycompany>.com:9031
  ```

  If PingCentral can't access the OIDC configuration information, it fails to start. Make sure the OpenID provider is running and accessible before starting PingCentral.

  In the future, if changes are made on the OpenID Provider that affect the OIDC configuration information used for SSO, you must restart PingCentral to incorporate them.
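Because PingCentral refuses to start when the discovery document is unreachable or unusable, it helps to check the provider before a restart. The following is an added example, not PingCentral code: it builds the well-known URL from the `issuer-uri` value and validates a discovery document against the OIDC Discovery rules (required metadata fields, an `https` issuer, and an `issuer` value identical to the configured URI). The sample document is constructed here, not captured from a real provider.

```python
import json
from urllib.parse import urlparse

# OIDC Discovery places provider metadata at this path under the issuer URI;
# this is the document PingCentral reads from pingcentral.sso.oidc.issuer-uri.
WELL_KNOWN = "/.well-known/openid-configuration"

# Metadata fields a relying party needs for the authorization-code flow.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer_uri):
    """Derive the discovery URL from the configured issuer-uri value."""
    return issuer_uri.rstrip("/") + WELL_KNOWN


def check_discovery(issuer_uri, document_text):
    """Return a list of problems; an empty list means the metadata is usable."""
    problems = []
    if urlparse(issuer_uri).scheme != "https":
        problems.append("issuer-uri must use https")
    try:
        doc = json.loads(document_text)
    except ValueError:
        problems.append("discovery document is not valid JSON")
        return problems
    for field in REQUIRED_FIELDS:
        if not doc.get(field):
            problems.append(f"missing required field: {field}")
    # OIDC Discovery requires the document's issuer to be identical to the
    # issuer URI used to fetch it; any difference (host, port, trailing slash)
    # is rejected by RP libraries and shows up as a startup failure.
    if doc.get("issuer") and doc["issuer"] != issuer_uri:
        problems.append(f"issuer mismatch: configured {issuer_uri!r}, "
                        f"document says {doc['issuer']!r}")
    return problems


# Constructed sample discovery document for a provider at sso.mycompany.com.
SAMPLE_ISSUER = "https://sso.mycompany.com:9031"
SAMPLE_DOC = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/as/authorization.oauth2",
    "token_endpoint": SAMPLE_ISSUER + "/as/token.oauth2",
    "userinfo_endpoint": SAMPLE_ISSUER + "/idp/userinfo.openid",
    "jwks_uri": SAMPLE_ISSUER + "/pf/JWKS",
})

if __name__ == "__main__":
    print(discovery_url(SAMPLE_ISSUER))
    print(check_discovery(SAMPLE_ISSUER, SAMPLE_DOC))          # []
    print(check_discovery(SAMPLE_ISSUER + "/", SAMPLE_DOC))    # issuer mismatch
```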

## Defining the OAuth client for PingCentral

Define an OAuth client for PingCentral at the OpenID provider.

### Steps

* In the `<PingCentral_install>/conf/application.properties` file, locate the following property, uncomment it, and provide the client ID and client secret for the OAuth client.

  #### Example:

  ```
  pingcentral.sso.oidc.client-id=<CLIENT_ID>
  pingcentral.sso.oidc.client-secret=<CLIENT_SECRET>
  ```

  > **Note:** Secure the secret using the obfuscation script available in `bin/obfuscate`, and use the output ciphertext in this property rather than the cleartext secret.

## Configuring PingCentral role mapping

### About this task

In PingCentral, two user roles are defined: the IAM Administrator, and the Application Owner. An initial IAM Administrator is created by default and can add other users to PingCentral and assign them to the appropriate role.

When SSO is enabled, the OpenID Provider must indicate the PingCentral role with a claim in the ID token or at the UserInfo endpoint. If this claim isn't present, or its value doesn't match one of the expected role values, the user is denied access to PingCentral, and auto-provisioning doesn't occur.

With PingFederate, an attribute can be mapped into the appropriate claim. To configure role mapping:

### Steps

* In the `<PingCentral_install>/conf/application.properties` file, locate the following properties and configure them for mapping into the appropriate claim. The commented-out values are the defaults.

  ```
  # The name of the claim which identifies the PingCentral role associated with the user.
  #pingcentral.sso.oidc.role-claim-name=PingCentral-Role

  # The expected value of the role claim which indicates the user is a PingCentral administrator.
  #pingcentral.sso.oidc.role-claim-value-admin=IAM-Admin

  # The expected value of the role claim which indicates the user is a PingCentral application owner (non-administrator).
  #pingcentral.sso.oidc.role-claim-value-app-owner=Application-Owner
  ```

### Result

If these default values can be used with the OpenID Provider, no further configuration is required.

### Next steps

If the defaults can't be used with the OpenID Provider, set the claim name or values so that they match the OpenID Provider configuration, as in the following example.

```
pingcentral.sso.oidc.role-claim-name=UserRole
pingcentral.sso.oidc.role-claim-value-admin=Admin
pingcentral.sso.oidc.role-claim-value-app-owner=Developer
```
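The role-mapping rule described above, as an added example (not PingCentral's own code): it reads the three `role-claim` properties from `application.properties` text, applying the documented defaults for any property left commented out, and resolves the claims of an authenticated user to a role or to a denial. Exact, case-sensitive string comparison and denial for non-string claim values are this example's assumptions; the property file and claim sets are constructed.

```python
# Documented defaults that apply while the properties stay commented out.
DEFAULTS = {
    "pingcentral.sso.oidc.role-claim-name": "PingCentral-Role",
    "pingcentral.sso.oidc.role-claim-value-admin": "IAM-Admin",
    "pingcentral.sso.oidc.role-claim-value-app-owner": "Application-Owner",
}


def load_role_properties(text):
    """Read the role-claim properties from application.properties text.
    Lines starting with '#' are comments, so a commented-out property keeps
    its default; an uncommented line overrides it."""
    props = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in props:
            props[key] = value
    return props


def resolve_role(props, claims):
    """Map the user's claims to 'IAM_ADMIN' or 'APP_OWNER'.
    Returns None when the role claim is absent or has an unrecognized value,
    which is the deny-and-do-not-provision outcome the documentation describes.
    `claims` is the merged ID token / UserInfo claim set as a dict."""
    value = claims.get(props["pingcentral.sso.oidc.role-claim-name"])
    if not isinstance(value, str):        # missing, or not a plain string value
        return None
    if value == props["pingcentral.sso.oidc.role-claim-value-admin"]:
        return "IAM_ADMIN"
    if value == props["pingcentral.sso.oidc.role-claim-value-app-owner"]:
        return "APP_OWNER"
    return None                           # value matches neither configured role


# Constructed property files: defaults only, and the customized values shown above.
DEFAULT_PROPERTIES = """
#pingcentral.sso.oidc.role-claim-name=PingCentral-Role
#pingcentral.sso.oidc.role-claim-value-admin=IAM-Admin
"""
CUSTOM_PROPERTIES = """
pingcentral.sso.oidc.role-claim-name=UserRole
pingcentral.sso.oidc.role-claim-value-admin=Admin
pingcentral.sso.oidc.role-claim-value-app-owner=Developer
"""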
