PingCentral

Managing environments

All environments managed within PingCentral, as well as connected PingFederate and PingAccess environments, display on the Environments page, where you can view and update information about each environment and delete them from PingCentral when they are no longer needed.

Items worth mentioning:

  • If you add PingAccess environments to PingCentral, ensure that PingFederate is configured as the PingAccess token provider. See Configuring PingFederate as a PingAccess token provider for details.

  • To enforce random secret generation and restrict non-administrators from creating their own, select the Generate Client Secret on Promotion check box when managing your environments. PingCentral will generate random client secrets.

  • If your application owners promote Security Assertion Markup Language (SAML) applications to PingFederate or PingAccess environments, ensure that the appropriate trusted certificate authority (CA) certificates are available in PingCentral. See Adding trusted CA certificates to PingCentral for details.

  • Starting with version 1.14, PingCentral performs regular health checks on its environments. These checks involve calling either the heartbeat endpoint or the admin API version endpoint, depending on the version of PingFederate being used. To configure this process, modify the orchestrator.heartbeat.polling-interval-ms and orchestrator.heartbeat.offset-ms parameters in the conf/application.properties file. These settings determine both the frequency of polling and the initial delay before the health check begins.

  • Starting with PingCentral 1.8, trusted CA certificates are stored in the PingCentral database instead of an external trust store. Certificates that exist in this trust store in previous versions are imported to the PingCentral database during the upgrade process.

Adding environments

Use the wizard to add PingFederate and PingAccess environments to PingCentral.

Before you begin

Ensure that PingFederate is configured as a token provider for PingAccess.

For more information, see Configuring PingFederate as a PingAccess token provider.

Steps

  1. On the Environments page, click Add Environment.

  2. On the Connect to Instances page, connect to a PingFederate or PingAccess environment:

    Choose from:

    • Native: Complete the Username and Password fields for your PingFederate or PingAccess environments.

    • OAuth2: Complete the Token Endpoint URL, Client ID, Client Secret, and Scopes fields.

    • Client Certificate: Select the certificate you want to use for mTLS. See Configuring Mutual TLS for details on uploading these certificates.

      If an environment is disabled or offline, you will be unable to add the environment to PingCentral.

      If this is the first time that you have set up this environment, and the initial validation fails, you see a Skip Verification option. If you select this option, it allows you to skip the validation process. However, if you set it up correctly, you won’t see this option.

    If the environment is disabled or offline, and you edit the connection configuration, the Skip Verification check box is automatically marked.

  3. Click Next.

  4. On the Name Environment page, complete the Name, Short Code, and Description fields.

  5. Optional: To configure whether non-administrators need approval for promoting an application to an environment, select an option from the Approval Type list:

    Choose from:

    • Select No Approval to allow non-administrators to promote applications to the environment freely.

    • Select Approval Required to indicate that application promotion requires approval.

    • Select Require Approval If Any Expression Fails and proceed to the next step to configure an Approval Expression.

    • Select Require Approval If Any Expression Succeeds and proceed to the next step to configure an Approval Expression.

  6. Optional: If you selected Require Approval If Any Expression Fails or Require Approval If Any Expression Succeeds, you must configure a Spring Expression Language (SpEL) expression in the Approval Expression field.

    You can use SpEL expressions to determine whether an application requires approval or not. For more information, see Creating and testing approval expressions at the bottom of this page for details.

    For more information on SpEL, see Spring Expression Language (SpEL) in the Spring Framework documentation.

  7. Optional: If you want application owners to be able to edit the underlying application JSON when they promote their OAuth and SAML applications, select Allow JSON editing for application promotions.

    Providing application owners with this ability can be risky, so it’s highly recommended that you require promotion requests to be approved. That way, you’ll be able to compare the submitted application JSON to the original application JSON before you approve the promotion.

  8. Optional: To enforce random secret generation and restrict non-administrators from creating their own, select the Enforce Random Client Secrets check box.

    PingCentral will generate random client secrets.

  9. Optional: Select the Allow only administrators to delete applications from PingFederate (and PingAccess, when applicable), option to restrict application owners from deleting applications from environments.

  10. Optional: To add an identity provider (IdP) certificate, select the appropriate certificate in the Signing Certificate list or to upload your own certificate, click Choose and enter the certificate password in the appropriate field. Click Save and Close.

    Result:

    The environment is displayed on the Environments page. If you chose to protect the environment, you see a shield icon next to its name. Depending on the type of environment, you also see a PF or PA icon. The color of this icon represents the status of the environment. A green icon indicates that the environment is verified while a red icon indicates that the environment isn’t verified.

    Depending on if an environment is online, offline, or disabled, you see the environment status in a display bar. You also see the toggle switch that you can click to disable the environment and indicate that it is undergoing maintenance.

  11. Click Save and Continue.

  12. Click the expandable icon associated with the environment to view environment details.

    A screen capture showing the Environments page, which lists all of the environments and displays details regarding each environment when the associated expandable icon is clicked.

    Environment details include:

    • A link to PingFederate.

    • A link to PingAccess.

    • A description of the environment.

    • The total number of applications hosted on this environment and a breakdown of or clients, connections, and applications. Click these links to access filtered lists of these applications on the Applications page.

      If an environment is unavailable, applications in that environment don’t display on the Applications page.

Updating environments

Update PingFederate and PingAccess environment information at any time.

Steps

  1. To manage the environment maintenance status, see the following choices:

    Choose from:

    • To indicate that an environment is down for maintenance, toggle the switch on the applicable environment status bar from left (green) to right (gray). This action signals to application owners that the environment is undergoing maintenance and is now Disabled. This prevents PingCentral from connecting to the environment, avoiding UI errors.

    • To revert maintenance status, toggle the switch on the applicable environment status bar from right (gray) to left (green). This action removes the maintenance Disabled status, allowing application owners to resume interactions with the environment. This is the default status.

      If an environment is offline or Disabled, the environment information displays a gray OFFLINE status bar. If an environment status is unknown, the status bar is unavailable.

  2. To edit environment information, click the expandable icon associated with it, and then click the Pencil icon.

    All of the editable information displays on one page.

    Option Description

    Update the name and description

    To update the name and description, change the information in the Name, Short Code, and Description fields.

    Update the assertion encryption certificate

    To update the assertion encryption certificate, click Choose to upload a new certificate and enter the certificate password in the appropriate field.

    Update connection information

    To update the connection, ensure that the authentication method you want to use is selected:

    • Native: Update the Username and Password fields for your PingFederate or PingAccess environments.

    • OAuth2: Update the information in the Token Endpoint URL, Client ID, Client Secret, and Scopes fields.

    • Client Certificate: Update the certificate used for mTLS.

      If a PingAccess environment is added to PingCentral and removed through the edit page, the connection information is saved and restored if the PingAccess environment is selected again.

    Configure promotion approval requirements

    To configure if non-administrators need approval for promoting an application to an environment, select an option from the Approval Type.

    Choose from:

    • Select No Approval to allow non-administrators to promote applications to the environment freely.

    • Select Approval Required to indicate that application promotion requires approval.

    • Select Require Approval If Any Expression Fails and see Creating and testing approval expressions at the bottom of this page for details.

    • Select Require Approval If Any Expression Succeeds and go to Creating and testing approval expressions on this page.

    Update the JSON editing option

    If you want application owners to be able to edit the underlying application JSON when they promote their OAuth and SAML applications, select Allow JSON editing for application promotions.

    Providing application owners with this ability can be risky, so it’s highly recommended that you require promotion requests to be approved. That way, you’ll be able to compare the submitted application JSON to the original application JSON before you approve the promotion.

    Add or remove the enforcement of random client secret generation

    To enforce random secret generation and restrict non-administrators from creating their own, select the Enforce Random Client Secrets check box. PingCentral will generate random client secrets. To allow non-administrators to generate their own secret, clear the check box.

    Configure application owner deletion access

    To restrict application owners from deleting applications from environments, select the Allow only administrators to delete applications from PingFederate (and PingAccess, when applicable), option.

    Update the signing certificate

    To update the signing certificate used to promote SAML applications, select the appropriate certificate in the Signing Certificate list or upload your own.

    Update the SP certificate

    To update the service provider (SP) certificate, click Choose to upload a new certificate and enter the certificate password in the appropriate field.

    Update the assertion encryption certificate

    To update the assertion encryption certificate, click Choose to upload a new certificate and enter the certificate password in the appropriate field.

  3. Click Save.

Deleting environments

Delete environments from PingCentral when they are no longer needed.

Steps

  1. Click the expandable icon associated with the environment to view environment details.

  2. To delete the environment from PingCentral, click its associated Delete icon.

    Result:

    A message displays asking you if you want to delete the environment.

  3. Click Delete.

    Result:

    A message displays saying that the environment was deleted.

    When an environment is deleted, applications that were promoted to that environment retain the promotion details from the deleted environment.