---
title: Configuring PingFederate and PingAccess for SSO
description: To access PingFederate or PingAccess from PingCentral using single sign-on (SSO), each application must be correctly configured.
component: pingcentral
version: 2.2
page_id: pingcentral:pingcentral_for_iam_administrators:pingcentral_pf_pa_sso
canonical_url: https://docs.pingidentity.com/pingcentral/2.2/pingcentral_for_iam_administrators/pingcentral_pf_pa_sso.html
revdate: August 3, 2023
section_ids:
  configuring-pingfederate-for-sso: Configuring PingFederate for SSO
  about-this-task: About this task
  steps: Steps
  configuring-pingaccess-for-sso: Configuring PingAccess for SSO
  about-this-task-2: About this task
  steps-2: Steps
---

# Configuring PingFederate and PingAccess for SSO

To access PingFederate or PingAccess from PingCentral using single sign-on (SSO), each application must be correctly configured.

**Note:** You can configure PingFederate to use OAuth2 or native sign-on to connect to PingCentral, but not both. You can configure PingAccess to use native sign-on, OAuth2, or both.

## Configuring PingFederate for SSO

### About this task

To access PingFederate from PingCentral using SSO:

### Steps

1. Review the PingFederate configuration:

   1. In PingFederate, go to **Applications → OAuth → Access Token Management** and ensure that an access token manager of the JSON Web Tokens type is configured, as shown in this example.

      See [Configuring JSON-token management](https://docs.pingidentity.com/csh?Product=pf-latest\&topicname=srl1564002994713.html) in the *PingFederate Server* guide for details.

      ![In this example, JSON Web Tokens are configured on the Access Token Management page in PingFederate.](_images/dwp1656366873662.jpg)

   2. On the **Access Token Attribute Contract** tab, ensure that the access token attribute contract includes the following attributes, as shown in this example:

      * `admin_role`

      * `Username`

      See [Defining the access token attribute contract](https://docs.pingidentity.com/csh?Product=pf-latest\&context=help_BearerAccessTokenMgmtPluginTasklet_CreateAdapterContractState) in the *PingFederate Server* guide for details.

      ![In this example, admin_role and Username are configured on the Access Token Attribute Contract tab in PingFederate.](_images/ugs1656366986886.jpg)

   3. Go to **Applications → OAuth → Access Token Mappings**, click **Add Mapping**, and ensure that the **Client Credentials** context is mapped to **JSON Web Tokens** as the access token manager, as shown in this example.

      ![In this example, Client Credentials is mapped to JSON Web Tokens on the Access Token Mappings page in PingFederate.](_images/gvp1656367019887.jpg)

   4. On the **Contract Fulfillment** tab, ensure that the access token attributes in the contract are correctly mapped and that the following attributes are included in the contract:

      * `Username`: The username of the administrator used to access the admin API.

      * `admin_role`: This multi-valued attribute must include both the `admin` and `cryptoadmin` roles. In this example, an OGNL expression is used to supply these values.

      ![In this example, admin_role is mapped to an OGNL expression and Username is mapped to a text value.](_images/ehl1656367060970.jpg)

2. Configure a new PingFederate OAuth client:

   1. In PingFederate, go to **Applications → OAuth → Clients**.

   2. On the **Manage Client** tab, complete these fields:

      * **Client ID**: Enter a unique identifier for the client.

      * **Name**: Enter a name for the client.

      * **Description**: Enter a description of the client.

      See [Configuring OAuth clients](https://docs.pingidentity.com/csh?Product=pf-latest\&context=help_OAuthClientManagementTasklet_OAuthClientManagementState) in the *PingFederate Server* guide for details.

      ![In this example, the Client ID and Name fields are completed and the Client Secret option is selected.](_images/eqf1656367100432.jpg)

   3. In the **Client Authentication** field, select **Client Secret**.

   4. In the **Client Secret** field, do one of the following:

      * To create a new secret, click **Generate Secret** to create a strong, random alphanumeric string, or manually enter a secret.

      * To modify an existing secret, select the **Change Secret** check box, and then click **Generate Secret** or manually enter a new secret.

      Record the secret: you enter the same value in the `oauth2.properties` file and in PingCentral.

   5. In the **Grant Types** field, select the **Client Credentials** and **Access Token Validation (Client is a Resource Server)** options.

   6. In the **Default Access Token Manager** field, select **JSON Web Tokens**, and then click **Save**.

   7. In the PingFederate `<pf_install>/pingfederate/bin/run.properties` file, ensure that this property is set: `pf.admin.api.authentication=OAuth2`. Changes to `run.properties` take effect only after PingFederate is restarted.

   8. In the PingFederate `<pf_install>/pingfederate/bin/oauth2.properties` file, ensure that the following properties are set.

      | Property                  | Description                                                                                                                                                                                                                                       |
      | ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
      | `client.id`               | The unique client identifier you entered on the **Manage Client** tab.                                                                                                                                                                            |
      | `client.secret`           | The client secret you set in the **Client Secret** field.                                                                                                                                                                                         |
      | `introspection.endpoint`  | The URL at which PingFederate validates the access token. For example, `https://<PF_RUNTIME_HOST>:<PF_RUNTIME_PORT>/as/introspect.oauth2`.                                                                                                        |
      | `required.scopes`         | One or more scopes defined in PingFederate. Go to **System → OAuth Settings → Scope Management** to see the available scopes. For details, see [Scopes](https://docs.pingidentity.com/csh?Product=pf-latest\&context=pf_scopes) in the *PingFederate Server* guide. |
      | `username.attribute.name` | The name of the access token attribute that carries the administrator's username, as mapped on the **Contract Fulfillment** tab (`Username` in this example).                                                                                      |
      | `role.attribute.name`     | The name of the access token attribute that carries the administrator's roles, as mapped on the **Contract Fulfillment** tab (`admin_role` in this example).                                                                                       |

3. Configure PingCentral:

   1. In PingCentral, go to **Environments → Add Environments**.

   2. On the **Connect to Instances** page, complete the following fields using the values you just set in the PingFederate `oauth2.properties` file.

      ![In this example, the Connect to Instances page in PingCentral is displayed.](_images/zrg1656367226738.jpg)

      * **PingFederate Admin**: Enter the URL defined in the PingFederate `pf.admin.baseurl` property. For details, see [Configuring PingFederate properties](https://docs.pingidentity.com/csh?Product=pf-latest\&context=pf_config_pf_propert) in the *PingFederate Server* guide.

      * **Authentication Method**: Select **OAuth2**.

      * **Token Endpoint URL**: Enter the PingFederate token endpoint: `https://<PF_RUNTIME_HOST>:<PF_RUNTIME_PORT>/as/token.oauth2`.

      * **Client ID**: Enter the client identifier set as the `client.id` property.

      * **Client Secret**: Enter the client secret set as the `client.secret` property.

      * **Scopes**: Enter the scopes set as the `required.scopes` property.

   3. Click **Next**.

## Configuring PingAccess for SSO

### About this task

To use SSO to access PingAccess from PingCentral:

### Steps

1. Configure a new PingFederate OAuth client:

   1. In PingFederate, go to **Applications → OAuth → Clients**.

   2. On the **Manage Client** tab, complete these fields:

      * **Client ID**: Enter a unique identifier for the client.

      * **Name**: Enter a name for the client.

      * **Description**: Enter a description of the client.

      See [Configuring OAuth clients](https://docs.pingidentity.com/csh?Product=pf-latest\&context=help_OAuthClientManagementTasklet_OAuthClientManagementState) in the *PingFederate Server* guide for details.

      ![In this example, the Client ID and Name fields are completed and the Client Secret option is selected.](_images/eqf1656367100432.jpg)

   3. In the **Client Authentication** field, select **Client Secret**.

   4. In the **Client Secret** field, do one of the following:

      * To create a new secret, click **Generate Secret** to create a strong, random alphanumeric string, or manually enter a secret.

      * To modify an existing secret, select the **Change Secret** check box, and then click **Generate Secret** or manually enter a new secret.

      Record the secret: you enter the same value in PingAccess and in PingCentral.

   5. In the **Grant Types** field, select the **Client Credentials** and **Access Token Validation (Client is a Resource Server)** options.

   6. In the **Default Access Token Manager** field, select **JSON Web Tokens**, and then click **Save**.

   7. In the PingFederate `<pf_install>/pingfederate/bin/run.properties` file, ensure that this property is set: `pf.admin.api.authentication=OAuth2`. Changes to `run.properties` take effect only after PingFederate is restarted.

   8. In the PingFederate `<pf_install>/pingfederate/bin/oauth2.properties` file, ensure that the following properties are set.

      | Property                  | Description                                                                                                                                                                                                                                       |
      | ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
      | `client.id`               | The unique client identifier you entered on the **Manage Client** tab.                                                                                                                                                                            |
      | `client.secret`           | The client secret you set in the **Client Secret** field.                                                                                                                                                                                         |
      | `introspection.endpoint`  | The URL at which PingFederate validates the access token. For example, `https://<PF_RUNTIME_HOST>:<PF_RUNTIME_PORT>/as/introspect.oauth2`.                                                                                                        |
      | `required.scopes`         | One or more scopes defined in PingFederate. Go to **System → OAuth Settings → Scope Management** to see the available scopes. For details, see [Scopes](https://docs.pingidentity.com/csh?Product=pf-latest\&context=pf_scopes) in the *PingFederate Server* guide. |
      | `username.attribute.name` | The name of the access token attribute that carries the administrator's username, as mapped on the **Contract Fulfillment** tab (`Username` in this example).                                                                                      |
      | `role.attribute.name`     | The name of the access token attribute that carries the administrator's roles, as mapped on the **Contract Fulfillment** tab (`admin_role` in this example).                                                                                       |

2. Configure PingAccess:

   1. In PingAccess, go to **System → System Settings → Admin Authentication**.

   2. On the **Admin API OAuth** tab, select **Enable** and complete these fields as shown in the example:

      * **Client ID**: Enter the unique client identifier for the new client.

      * **Client Secret**: Enter the client secret defined for the new client.

      * **Scope**: Enter the scopes set as required scopes for the new client.

      * **Subject Attribute Name**: Enter the name of an access token attribute that you want to use as the **Subject** field in audit log entries for the admin API.

        ![In this example, the Admin API OAuth - Enabled tab is displayed in PingAccess.](_images/apr1656367152907.jpg)

   3. Click **Save**.

3. Configure PingCentral:

   1. In PingCentral, go to **Environments → Add Environments**.

   2. On the **Connect to Instances** page, scroll down and select **PingAccess**.

   3. Complete the following fields using the properties you just set in PingAccess.

      ![In this example, the Connect to Instances page in PingCentral is displayed.](_images/pdd1656368680536.jpg)

      * **PingAccess Admin**: Enter the link to access PingAccess.

      * **Authentication Method**: Select **OAuth2** to sign on with the client you just configured, or **Native** to sign on with PingAccess administrator credentials. The remaining fields apply to **OAuth2**.

      * **Token Endpoint URL**: Enter the PingFederate token endpoint, `https://<PF_RUNTIME_HOST>:<PF_RUNTIME_PORT>/as/token.oauth2`. You can confirm it from the `token_endpoint` value in the PingFederate discovery document at `https://<PF_RUNTIME_HOST>:<PF_RUNTIME_PORT>/.well-known/openid-configuration`.

      * **Client ID**: Enter the unique identifier for the new client.

      * **Client Secret**: Enter the client secret defined for the new client.

      * **Scopes**: Enter the scopes set as required scopes for the new client.

   4. Click **Next**.
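The following Python script is an added example for both procedures on this page; it is not Ping Identity code and does not reproduce PingFederate's or PingAccess's internal implementation. It ties the configured pieces together offline: it parses an `oauth2.properties` file of the shape shown above, resolves the **Token Endpoint URL** that PingCentral asks for from a PingFederate discovery document, builds the client-credentials request that PingCentral sends to `/as/token.oauth2`, and applies the checks the properties describe to an introspection response (active token, every required scope, a username attribute, and an `admin_role` attribute carrying both `admin` and `cryptoadmin`). The hostname, client ID, secret, scope name, discovery document, and introspection responses are constructed for the example, and the acceptance of comma-separated as well as space-separated `required.scopes` is an assumption.

```python
"""Offline walk-through of the OAuth2 admin-API access path configured on this page.

Added example, not Ping Identity code: mimics the checks driven by oauth2.properties.
All hosts, identifiers, secrets and token payloads below are constructed.
"""
import base64
import re
from urllib.parse import urlencode

# Constructed sample in the format of <pf_install>/pingfederate/bin/oauth2.properties.
OAUTH2_PROPERTIES = """
# oauth2.properties (constructed sample)
client.id=pingcentral-pf-admin
client.secret=Zx9-constructed-secret
introspection.endpoint=https://pf.example.com:9031/as/introspect.oauth2
required.scopes=pf-admin
username.attribute.name=Username
role.attribute.name=admin_role
"""

# Roles the admin_role attribute must carry (Contract Fulfillment step on this page).
REQUIRED_ROLES = {"admin", "cryptoadmin"}

# Constructed subset of the PingFederate runtime's /.well-known/openid-configuration.
DISCOVERY_DOC = {
    "issuer": "https://pf.example.com:9031",
    "token_endpoint": "https://pf.example.com:9031/as/token.oauth2",
    "introspection_endpoint": "https://pf.example.com:9031/as/introspect.oauth2",
    "grant_types_supported": ["authorization_code", "client_credentials"],
}

# Constructed introspection responses (RFC 7662 shape) for three token states.
TOKEN_FULL_ADMIN = {"active": True, "scope": "pf-admin", "client_id": "pingcentral-pf-admin",
                    "Username": "pingcentral-svc", "admin_role": ["admin", "cryptoadmin"]}
TOKEN_ADMIN_ONLY = {**TOKEN_FULL_ADMIN, "admin_role": ["admin"]}   # cryptoadmin missing
TOKEN_INACTIVE = {"active": False}                                  # revoked, expired or unknown


def parse_properties(text):
    """Parse Java-style key=value properties, ignoring blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def split_scopes(value):
    """Scope list as a set; assumption: space- and comma-separated forms are both accepted."""
    return {s for s in re.split(r"[,\s]+", value) if s}


def token_endpoint_from_discovery(props, discovery):
    """Resolve the Token Endpoint URL for PingCentral from the discovery document, and
    confirm the server offers client_credentials and agrees on the introspection URL."""
    if "client_credentials" not in discovery.get("grant_types_supported", []):
        raise ValueError("authorization server does not advertise client_credentials")
    if discovery.get("introspection_endpoint") != props["introspection.endpoint"]:
        raise ValueError("introspection.endpoint does not match the discovery document")
    return discovery["token_endpoint"]


def build_token_request(props):
    """Client-credentials request PingCentral sends to the token endpoint (RFC 6749 4.4):
    HTTP Basic client authentication plus a form body requesting the required scopes."""
    creds = f"{props['client.id']}:{props['client.secret']}".encode()
    headers = {"Authorization": "Basic " + base64.b64encode(creds).decode(),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "client_credentials",
                      "scope": " ".join(sorted(split_scopes(props["required.scopes"])))})
    return headers, body


def authorize_admin_call(props, introspection):
    """Gate an admin API call on the introspection result as oauth2.properties directs:
    active token, every required scope, a username, and a role attribute holding both
    admin and cryptoadmin.  Returns (allowed, reason)."""
    if not introspection.get("active"):
        return False, "token inactive or unknown"
    missing_scopes = split_scopes(props["required.scopes"]) - split_scopes(introspection.get("scope", ""))
    if missing_scopes:
        return False, f"missing scopes: {sorted(missing_scopes)}"
    username = introspection.get(props["username.attribute.name"])
    if not username:
        return False, f"no {props['username.attribute.name']} attribute in token"
    roles = introspection.get(props["role.attribute.name"], [])
    roles = set(roles) if isinstance(roles, list) else {roles}
    missing_roles = REQUIRED_ROLES - roles
    if missing_roles:
        return False, f"missing roles: {sorted(missing_roles)}"
    return True, f"admin API access granted to {username}"


if __name__ == "__main__":
    props = parse_properties(OAUTH2_PROPERTIES)
    print("Token Endpoint URL for PingCentral:", token_endpoint_from_discovery(props, DISCOVERY_DOC))
    headers, body = build_token_request(props)
    print("POST", body, "with", headers["Authorization"][:12] + "...")
    for name, token in [("full admin", TOKEN_FULL_ADMIN), ("admin only", TOKEN_ADMIN_ONLY),
                        ("inactive", TOKEN_INACTIVE)]:
        print(f"{name:11}->", authorize_admin_call(props, token))
```

Run it with `python3` and compare the three outcomes: the token carrying only `admin` is refused even though it is active and in scope, which is why the `admin_role` mapping on the **Contract Fulfillment** tab must emit both `admin` and `cryptoadmin`. The discovery check also catches a stale `introspection.endpoint` before PingCentral ever presents a token.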
