PingCentral

Configuring the OIDC policy for PingCentral

About this task

The OAuth client is associated with an OpenID Connect (OIDC) policy, which can be the default policy. This policy must map an attribute into the claim that carries the user's PingCentral role; the mapping is defined in the Attribute Contract, Attribute Sources & User Lookup, and Contract Fulfillment sections of the policy in PingFederate.

In addition to the sub claim, the claim PingCentral relies on is the PingCentral-Role claim. Optionally, you can also include the given_name and family_name claims under the profile scope.

You can fulfill the sub claim from the access token, and you fulfill the PingCentral-Role claim with an OGNL expression that derives the role from group memberships in your directory. The following is an example of an OGNL expression used in Contract Fulfillment to map groups to roles.

// Reads the memberOf attribute values from the access token.
#pcrole = #this.get("memberOf"),
// If memberOf is absent, send 'False'. If the values contain the IAM administrators' group name, send 'IAM-Admin' in the claim value.
#pcrole == null ? "False" : #pcrole.toString().contains("pingcentral-iamadmins") ? "IAM-Admin" :
// Otherwise, if the values contain the application owners' group name, send 'Application-Owner'; if not, send 'NoAccess'.
#pcrole.toString().contains("pingcentral-appowners") ? "Application-Owner" : "NoAccess"

The lines beginning with // are explanatory annotations, not part of the expression; enter only the expression lines in PingFederate. memberOf must be present in your access token contract or retrieved through an attribute lookup for the expression to evaluate correctly. Note that the expression checks the group names in order, so a user who belongs to both groups receives IAM-Admin, and that toString().contains() performs a substring match on the whole list of values rather than comparing individual group names.
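The following is an added example, not Ping Identity's code, that models the role-mapping logic of the OGNL expression above in Python so its precedence and edge cases can be checked against constructed memberOf values. The first function mirrors the expression as written (stringify the list, then substring-match); the second is a stricter variant, an assumption rather than something the page prescribes, that compares whole group names after extracting the first RDN value from an LDAP DN. The group DNs and the helper names are constructed for illustration.

```python
# Added example (not PingCentral or PingFederate code): models the page's OGNL
# role-mapping expression so precedence and edge cases can be exercised offline.
from typing import Optional, Sequence

# Group names used by the page's expression.
IAM_ADMIN_GROUP = "pingcentral-iamadmins"
APP_OWNER_GROUP = "pingcentral-appowners"


def role_as_written(member_of: Optional[Sequence[str]]) -> str:
    """Mirror the OGNL expression: null -> 'False', otherwise stringify the
    memberOf list and use substring matching, as toString().contains() does."""
    if member_of is None:
        return "False"
    # Java's List.toString() renders "[a, b, c]"; substring checks run on that text.
    as_text = "[" + ", ".join(member_of) + "]"
    if IAM_ADMIN_GROUP in as_text:          # checked first, so admins win
        return "IAM-Admin"
    if APP_OWNER_GROUP in as_text:
        return "Application-Owner"
    return "NoAccess"


def _group_name(value: str) -> str:
    """Return the group's name from a memberOf value (hypothetical helper).
    For an LDAP DN such as 'CN=pingcentral-iamadmins,OU=Groups,DC=example,DC=com'
    take the first RDN's value; otherwise treat the value as the name itself."""
    first_rdn = value.split(",", 1)[0]
    if "=" in first_rdn:
        return first_rdn.split("=", 1)[1].strip()
    return value.strip()


def role_exact_match(member_of: Optional[Sequence[str]]) -> str:
    """Stricter variant (an assumption, not from the page): compare whole group
    names so that a group whose name merely contains the string does not match."""
    if member_of is None:
        return "False"
    groups = {_group_name(v) for v in member_of}
    if IAM_ADMIN_GROUP in groups:
        return "IAM-Admin"
    if APP_OWNER_GROUP in groups:
        return "Application-Owner"
    return "NoAccess"


# Constructed sample memberOf values in the DN form a directory typically returns.
SAMPLES = {
    "missing attribute": None,
    "admin and owner": [
        "CN=pingcentral-iamadmins,OU=Groups,DC=example,DC=com",
        "CN=pingcentral-appowners,OU=Groups,DC=example,DC=com",
    ],
    "owner only": ["CN=pingcentral-appowners,OU=Groups,DC=example,DC=com"],
    "similarly named group": ["CN=pingcentral-appowners-archive,OU=Groups,DC=example,DC=com"],
    "unrelated group": ["CN=staff,OU=Groups,DC=example,DC=com"],
}

if __name__ == "__main__":
    for label, groups in SAMPLES.items():
        print(f"{label:22} as written: {role_as_written(groups):17} "
              f"exact match: {role_exact_match(groups)}")
```

Running the block shows where the two approaches diverge: for the "similarly named group" sample the substring form grants Application-Owner while the exact-match form returns NoAccess, which is the case to keep in mind when group names share a prefix.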

If the default PingCentral role claim name or role values must be changed to match your OIDC policy, update the <PingCentral_install>/conf/application.properties file.