PingDirectory

Setting up SSO to PingDirectory from PingOne

To set up single sign-on (SSO) access from the administrative console home page to PingDirectory, configure PingOne and test the sign-on experience.

Before you begin

Ensure that you have:

  • A PingDirectory server that accepts LDAPS connections. This server will host the admin console that is being configured for SSO.

  • A PingOne account. For more information, see Getting Started with PingOne.

You can use groups to organize user identities, as explained in Groups. You can also set access to applications, as explained in Application access control.

About this task

During this setup:

  • Step 2 sets up a matching user between PingOne and the PingDirectory environments that allows the server’s All Admin Users identity mapper to map the PingOne ID token to a PingDirectory LDAP user.

  • Steps 3-8 set up the OpenID Connect (OIDC) client as described in Single sign-on with the administrative console.

  • Steps 9-11 configure both the administrative console’s configuration requirements (except for the ldap.server property) and the PingDirectory server’s configuration requirements.

    These configuration properties are outlined in more detail in Single sign-on with the administrative console.

Set up SSO to the PingDirectory administrative console from PingOne using the following steps.

Steps

  1. From the admin console home page, add PingOne and PingDirectory:

    Choose from:

    • To add a new environment for PingOne SSO and PingDirectory:

      1. On the PingOne console home page, click Add Environment.

      2. Select Customer solution, and then click Next.

      3. Click Next.

      4. Enter an Environment Name and Description, then in the labeled lists, select an Environment Type, Region, and License.

      5. Click Finish.

        PingOne SSO, PingOne Risk, PingOne Verify, and PingOne MFA are automatically deployed.

        A screen capture of the admin console Create Environment page showing SSO will be automatically deployed.
      6. On the PingOne console home page, in the Your Environments list, select your new environment, and then click the icon.

      7. Click Add next to PingDirectory.

        Services that have been already added have a green check mark icon next to the service name instead of Add.

      8. Click Finish.

    • To add PingOne SSO and PingDirectory to an existing environment:

      1. On the PingOne console home page, in the Your Environments list, select the environment, and then click the icon.

      2. Click Add next to PingOne SSO and PingDirectory.

        Services that have been already added have a green check mark icon next to the service name instead of Add.

      3. Click Finish.

        1. Click Add Admin UI Link, and in the Enter Admin URL field, enter https://<hostname>:<port>/console/login, replacing the bracketed variables with the PingDirectory server’s hostname and HTTP port.

          You can specify the LDAP server to bind to using the query parameters ldap-hostname and ldaps-port when the administrative console is configured for SSO. By binding to the LDAP server, you can use a single console instance to administer multiple PingDirectory servers. An LDAPS scheme is always assumed because an encrypted connection is always required for SSO. Using these parameters, you can specify the URL as follows.

          https://<hostname>:<port>/console?ldap-hostname=<my-ldap-host>&ldaps-port=<my-ldaps-port>
        2. Click Save.

  2. To configure the matching administrator accounts for PingOne and the PingDirectory server, go to the PingOne dashboard for the environment that will be used with the PingDirectory server and repeat the following steps for each PingOne user for whom you want to enable SSO:

    1. On the admin console home page, select the appropriate environment and click the PingOne icon.

    2. In PingOne, go to Identities.

    3. Select the administrative user you want to configure and click the Expand icon.

    4. Run the following dsconfig command and replace the bracketed fields with the values of the administrative user.

      ~/<pd_install>/dsconfig create-root-dn-user --user-name  <Username>  \
        --set first-name:<Given Name>  \
        --set last-name:<Family Name>
  3. Register the admin console with PingOne.

    1. Go to Adding an application and follow the instructions to add an OIDC app.

    2. Enter the application properties, as shown in this table.

      Property Value

      Application Name

      PingDirectory Administrative Console

      Description

      Application for the PingDirectory Administrative Console

      Redirect URLs

      https://<hostname>:<port>/console/oidc/cb

      Replace the bracketed values in Redirect URLs with your PingDirectory server’s hostname and HTTP port. To find the port, run the status command from the bin directory.

      Step 0.0.0.0:11443 : HTTPS    : Enabled  : HTTPS Connection Handler

      Attribute Mapping

      'Username' = 'sub'

      No OIDC scopes are required for PingOne to grant access to the PingDirectory console.

  4. Select the newly-created PingDirectory Administrative Console application in the Applications list, and go to the Configuration tab.

  5. To edit the listed configuration properties, click the Pencil icon.

    Edit the configuration properties using the values in this table.

    Property Value

    Response Type

    Select the Code check box.

    Grant Type

    Select the Authorization Code check box.

    Token Endpoint Authentication Method

    Click Client Secret Basic.

    For more information about updating the properties of your new application, see Editing an application - OIDC.

  6. Click Save.

  7. Click the toggle to enable user access to the application.

  8. On the Configuration tab, record the values for these application properties to use in step 10:

    • Issuer

    • Client ID

    • Client Secret

  9. Create a copy of the PingDirectory/config/sample-dsconfig-batch-files/enable-pingone-admin-console-sso.dsconfig file, leaving the source file as-is.

  10. Open the copy of the file and replace the bracketed values with the values from step 8.

    # Create an ID token validator suitable for verifying ID tokens generated
    # by the PingOne service. The "All Admin Users" identity mapper will be used
    # to match users that authenticate with PingOne to either root DN users or
    # topology admin users defined in the server configuration.
    dsconfig create-id-token-validator \
    --validator-name "PingOne ID Token Validator" \
    --type ping-one \
    --set enabled:true \
    --set "identity-mapper:All Admin Users" \
    --set evaluation-order-index:1 \
    --set issuer-url:[PING_ONE_APPLICATION_ISSUER_URL]
    
    [...]
    
    # Configure the Administrative Console with your application's client
    # credentials and issuer URI.
    dsconfig set-web-application-extension-prop \
    --extension-name Console \
    --set sso-enabled:true \
    --set oidc-client-id:[PING_ONE_APPLICATION_CLIENT_ID]  \
    --set oidc-client-secret:[PING_ONE_APPLICATION_CLIENT_SECRET]  \
    --set oidc-issuer-url:[PING_ONE_APPLICATION_ISSUER_URL]
  11. Run the file using the following command.

    dsconfig --batch-file \
        enable-pingone-admin-console-sso-copy.dsconfig \
        --no-prompt
  12. Select the link to the PingDirectory server from the PingOne solutions home page.

    Result:

    A PingOne sign-on page opens.

  13. Sign on using the administrative user credentials.

    Result:

    The PingDirectory server administrative console home page opens.