PingDirectory

Setting up SSO to PingDirectory from a generic OpenID Connect provider

To set up single sign-on (SSO) access to the PingDirectory administrative console from your OpenID Connect (OIDC) provider, configure the OIDC provider and PingDirectory and test the sign-on experience.

Before you begin

Ensure that you have:

  • A PingDirectory server that accepts LDAPS connections

    This server will host the administrative console that is being configured for SSO.

  • An OIDC provider that supports OIDC discovery

About this task

For more information on the configuration properties you are setting up with this task, see Single sign-on with the administrative console.

Steps

  1. Configure your OIDC provider to access the PingDirectory administrative console:

    1. Set the redirect URL to https://<hostname>:<port>/console/oidc/cb where <hostname> and <port> are for the PingDirectory server.

    2. Set the JSON web token (JWT) signing algorithm.

    3. Record the client ID, client secret, and issuer URL for use in step 5.

  2. Create a token validator on the PingDirectory server by running a command similar to the following.

    Example:

    dsconfig create-id-token-validator \
     --validator-name "OpenID Token Validator" \
     --type openid-connect \
     --set enabled:true \
     --set "identity-mapper:All Admin Users" \
     --set evaluation-order-index:1 \
     --set issuer-url:<OIDC_Provider_Issuer_URL>
     --set allowed-signing-algorithm:<JWT_signing_algorithm>

    Provide your own values for <OIDC_Provider_Issuer_URL> and <JWT_signing_algorithm>, where the algorithm is the one you set in the previous step.

    Although not shown in the example, the command must also set the properties in one of the rows in the following table.

    Properties Descriptions

    openid-connect-provider and jwks-endpoint-path

    An OpenID Connect provider, which refers to an HTTP External Server, and a JWKS (JSON web key set) endpoint path

    signing-certificate

    A signing certificate

  3. To create an LDAP user in cn=Root DNs,cn=config that the OIDC provider can send an ID token for, use the following dsconfig command.

    If, in the previous step, you use the All Admin Users identity mapper and the ID token validator’s subject-claim-name is sub (the default), then the sub value of the ID token that the OIDC provider sends must be the cn of an admin user on the PingDirectory server. For example, assume the OIDC provider sends an ID token with the claim sub=admin-user. Then, there must be an LDAP user in cn=Root DNs,cn=config or in cn=Topology Admin Users,cn=topology,cn=config who has cn=admin-user.

    dsconfig create-root-dn-user --user-name admin-user

  4. Create a SASL mechanism handler on the PingDirectory server to use the validator you just created by running a command similar to the following.

    Example:

    dsconfig create-sasl-mechanism-handler \
     --handler-name OAUTHBEARER \
     --type oauth-bearer \
     --set enabled:true \
     --set "id-token-validator:OpenID Token Validator" \
     --set require-both-access-token-and-id-token:false

  5. Run the following command, substituting values for the ID, secret, and issuer URL.

    dsconfig set-web-application-extension-prop \
     --extension-name Console \
     --set sso-enabled:true \
     --set oidc-client-id:<OIDC_Client_ID>  \
     --set oidc-client-secret:<OIDC_Client_Secret>  \
     --set oidc-issuer-url:<OIDC_Provider_Issuer_URL>

  6. To finalize your changes, disable and re-enable the HTTPS Connection Handlers with the following commands.

    dsconfig set-connection-handler-prop \
     --handler-name "HTTPS Connection Handler" \
     --set enabled:false

dsconfig set-connection-handler-prop \
     --handler-name "HTTPS Connection Handler" \
     --set enabled:true

  7. Test the sign on.

    Result:

    The administrative console should open.