PingDirectory

Configuring Delegated Admin as a new client (create OAuth client for Delegated Admin)

The following task registers Delegated Admin as a new OAuth client in PingFederate.

About this task

To configure Delegated Admin as a new client:

Steps

  1. Sign on to the PingFederate administrative console.

  2. Go to Applications → OAuth → Clients.

  3. Click Add Client.

  4. For both the Client ID and Name, specify dadmin.

  5. Set Client Authentication to None.

    Do not set a client secret.

  6. For Redirect URIs, enter the URI appropriate for your environment from the following list, and then click Add.

    Delegated Admin on a PingDirectory server or a PingDirectoryProxy server:
    https://<server-host>:<server-port>/delegator/*

    Delegated Admin on a web server hosted locally:
    http://localhost:<server-port>/*

  7. Make the following selections:

    1. In the Bypass Authorization Approval section, select Bypass.

    2. In the Exclusive Scopes section, select Allow Exclusive Scopes and then select urn:pingidentity:directory-delegated-admin.

    3. In the Allowed Grant Types section, select Authorization Code.

    4. In the Default Access Token Manager list, select the token manager that you created in step 3 of Configuring the OAuth server.

    5. Select the check box for Require Proof Key for Code Exchange (PKCE).

    6. In the OpenID Connect section, select the OpenID Connect (OIDC) policy that you created in step 5 of Configuring the OAuth server.

  8. Click Save.

Next steps

After completing the previous steps, configure the following settings to display the name of the administrator who is signed on to the client application:

  1. Add the profile scope and ensure it is available to the OAuth client used for the Delegated Admin application.

  2. Add and fulfill the name attribute as part of the contract for both the access token and the ID token supplied to the Delegated Admin application.

  3. Set the PROFILE_SCOPE_ENABLED configuration variable for Delegated Admin in the config.js file to true.

    /**
     * Configuration wrapper object for Delegated Admin
     */
    window.PD_DADMIN_CONFIG = {
      /**
       * Set to true if the "profile" scope is supported for the Delegated Admin OIDC client on
       * PingFederate and you wish to use it to show the current user's name in the navigation.
       * DEFAULT: false
       */
      PROFILE_SCOPE_ENABLED: true,
    };