Setting up SSO to PingDirectory from a generic OpenID Connect provider
To set up single sign-on (SSO) access to the PingDirectory administrative console from your OpenID Connect (OIDC) provider, configure the OIDC provider and PingDirectory and test the sign-on experience.
Before you begin
Ensure that you have:
- A PingDirectory server that accepts LDAPS connections. This server will host the administrative console that is being configured for SSO.
- An OIDC provider that supports OIDC discovery.
About this task
For more information on the configuration properties you are setting up with this task, see Single sign-on with the administrative console.
Steps
1. Configure your OIDC provider to access the PingDirectory administrative console:
   a. Set the redirect URL to https://<hostname>:<port>/console/oidc/cb, where <hostname> and <port> are those of the PingDirectory server.
   b. Set the JSON web token (JWT) signing algorithm.
   c. Record the client ID, client secret, and issuer URL for use in step 5.

2. Create a token validator on the PingDirectory server by running a command similar to the following.
   Example:
   dsconfig create-id-token-validator \
     --validator-name "OpenID Token Validator" \
     --type openid-connect \
     --set enabled:true \
     --set "identity-mapper:All Admin Users" \
     --set evaluation-order-index:1 \
     --set issuer-url:<OIDC_Provider_Issuer_URL> \
     --set allowed-signing-algorithm:<JWT_signing_algorithm>
   Provide your own values for <OIDC_Provider_Issuer_URL> and <JWT_signing_algorithm>, where the algorithm is the one you set in the previous step. Although not shown in the example, the command must also set the properties in one of the rows of the following table.

   Properties                                       Description
   openid-connect-provider and jwks-endpoint-path   An OpenID Connect provider (which refers to an HTTP External Server) and a JWKS (JSON web key set) endpoint path
   signing-certificate                              A signing certificate

3. Create an LDAP user in cn=Root DNs,cn=config that the OIDC provider can send an ID token for, using the following dsconfig command.
   If, in the previous step, you use the All Admin Users identity mapper and the ID token validator's subject-claim-name is sub (the default), then the sub value of the ID token that the OIDC provider sends must be the cn of an admin user on the PingDirectory server. For example, assume the OIDC provider sends an ID token with the claim sub=admin-user. Then there must be an LDAP user in cn=Root DNs,cn=config or in cn=Topology Admin Users,cn=topology,cn=config who has cn=admin-user.
   dsconfig create-root-dn-user --user-name admin-user

4. Create a SASL mechanism handler on the PingDirectory server that uses the validator you just created by running a command similar to the following.
   Example:
   dsconfig create-sasl-mechanism-handler \
     --handler-name OAUTHBEARER \
     --type oauth-bearer \
     --set enabled:true \
     --set "id-token-validator:OpenID Token Validator" \
     --set require-both-access-token-and-id-token:false

5. Run the following command, substituting the client ID, client secret, and issuer URL you recorded in step 1.
   dsconfig set-web-application-extension-prop \
     --extension-name Console \
     --set sso-enabled:true \
     --set oidc-client-id:<OIDC_Client_ID> \
     --set oidc-client-secret:<OIDC_Client_Secret> \
     --set oidc-issuer-url:<OIDC_Provider_Issuer_URL>

6. To finalize your changes, disable and re-enable the HTTPS Connection Handler with the following commands.
   dsconfig set-connection-handler-prop \
     --handler-name "HTTPS Connection Handler" \
     --set enabled:false
   dsconfig set-connection-handler-prop \
     --handler-name "HTTPS Connection Handler" \
     --set enabled:true

7. Test the sign-on.
   Result:
   The administrative console should open.
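Before running steps 1 and 2, it is worth confirming that the values you will pass to dsconfig agree with what the provider publishes in its discovery document: OIDC requires the ID token's iss claim to match the issuer exactly, so a trailing-slash difference in issuer-url, or an allowed-signing-algorithm the provider never uses, is enough to make every sign-on fail. The following pre-flight check is an added example, not part of PingDirectory or of this procedure; the discovery document is a constructed sample, and the split of jwks_uri into an HTTP External Server base URL plus a jwks-endpoint-path assumes the base URL is the scheme and host of that URI.

```python
import json
from urllib.parse import urlparse

# Constructed sample of an OIDC discovery document, as a provider would serve it
# at <issuer>/.well-known/openid-configuration. The URLs are illustrative only.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com/oauth2",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "id_token_signing_alg_values_supported": ["RS256", "ES256"],
})


def check_discovery(discovery_json, issuer_url, signing_algorithm):
    """Compare the intended dsconfig values with the provider's discovery document.

    Returns a list of problems; an empty list means issuer-url and
    allowed-signing-algorithm are consistent with what the provider advertises.
    """
    doc = json.loads(discovery_json)
    problems = []
    issuer = doc.get("issuer", "")
    # OIDC requires the ID token's iss claim to equal the issuer identifier exactly,
    # so even a trailing slash or http/https difference in issuer-url breaks validation.
    if issuer != issuer_url:
        problems.append(f"issuer-url {issuer_url!r} does not match advertised issuer {issuer!r}")
    if urlparse(issuer_url).scheme != "https":
        problems.append("issuer-url does not use https")
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if signing_algorithm not in algs:
        problems.append(f"allowed-signing-algorithm {signing_algorithm!r} not offered; provider supports {algs}")
    if signing_algorithm.lower() == "none":
        problems.append("unsigned ID tokens (alg none) must not be allowed")
    if not doc.get("jwks_uri"):
        problems.append("no jwks_uri advertised; configure signing-certificate instead of jwks-endpoint-path")
    return problems


def jwks_endpoint_path(discovery_json):
    """Split the advertised jwks_uri into the HTTP External Server base URL and the
    jwks-endpoint-path value (assumption: the base URL is the scheme and host)."""
    parsed = urlparse(json.loads(discovery_json)["jwks_uri"])
    return f"{parsed.scheme}://{parsed.netloc}", parsed.path


if __name__ == "__main__":
    print(check_discovery(SAMPLE_DISCOVERY, "https://idp.example.com/oauth2/", "HS256"))
    print(jwks_endpoint_path(SAMPLE_DISCOVERY))
```

To run it against a real provider, replace SAMPLE_DISCOVERY with the body fetched from the provider's /.well-known/openid-configuration endpoint and pass the exact strings you intend to give dsconfig.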