Configuring Delegated Admin as a new client (create OAuth client for Delegated Admin)
The following task configures Delegated Admin as a new client and outlines how to create an OAuth client for Delegated Admin.
About this task
To configure Delegated Admin as a new client:
Steps
- Sign on to the PingFederate administrative console.
- Go to Applications → OAuth → Clients.
- Click Add Client.
- For both the Client ID and Name, specify dadmin.
- Set Client Authentication to None. Do not set a client secret.
- For Redirect URIs, enter the appropriate URI for your environment based on the following table and then click Add.
  - For Delegated Admin on a PingDirectory server or a PingDirectoryProxy server: https://<server-host>:<server-port>/delegator/*
  - For Delegated Admin on a web server hosted locally: http://localhost:<server-port>/*
- Make the following selections:
  - In the Bypass Authorization Approval section, select Bypass.
  - In the Exclusive Scopes section, select Allow Exclusive Scopes and then select urn:pingidentity:directory-delegated-admin.
  - In the Allowed Grant Types section, select Authorization Code.
  - In the Default Access Token Manager list, select the token manager that you created in step 3 of Configuring the OAuth server.
  - Select the check box for Require Proof Key for Code Exchange (PKCE).
  - In the OpenID Connect section, select the OpenID Connect (OIDC) policy that you created in step 5 of Configuring the OAuth server.
- Click Save.
Next steps
After completing the previous steps, configure the following settings to display the name of the administrator who is signed on to the client application:
- Add the profile scope and ensure it is available to the OAuth client used for the Delegated Admin application.
- Add and fulfill the name attribute as part of the contract for both the access token and the ID token supplied to the Delegated Admin application.
- Set the PROFILE_SCOPE_ENABLED configuration variable for Delegated Admin in the config.js file to true.

      /**
       * Configuration wrapper object for Delegated Admin
       */
      window.PD_DADMIN_CONFIG = {
        /**
         * Set to true if the "profile" scope is supported for the Delegated Admin OIDC client on
         * PingFederate and you wish to use it to show the current user's name in the navigation.
         * DEFAULT: false
         */
        PROFILE_SCOPE_ENABLED: true,
      };