PingFederate Server

Enabling certificate-based authentication

You can enable certificate-based authentication in the PingFederate administrative console.

Before you begin

  • Have a PingFederate username and password.

  • Import the necessary client key and certificate into the web browser you use to access PingFederate.

About this task

To enable client-certificate authentication, PingFederate administrative users must import an X.509 private key and a certificate suitable for user authentication into their web browsers. In addition, the corresponding root certificate authority (CA) certificates must be present in the Java runtime trusted store or the PingFederate trusted store. The remaining setup steps, including assigning user permissions, are completed by editing configuration files in the <pf_install>/pingfederate/bin directory.

The roles configured in the properties file apply to both the administrative console and the administrative API.

Steps

  1. Sign on to the PingFederate console as a user with permissions that include the Crypto Admin role.

  2. Ensure the client certificate's root CA certificate and any intermediate CA certificates are present in the trusted store, either for the Java runtime or for PingFederate.

    You can import a certificate to PingFederate in Security → Certificate & Key Management → Trusted CAs.

    You might want to click the Serial Number and copy the Issuer distinguished name (DN) to use in later steps.

  3. In the <pf_install>/pingfederate/bin/run.properties file, change the value of the pf.console.authentication property as shown.

    pf.console.authentication=cert

  4. In the <pf_install>/pingfederate/bin/cert_auth.properties file, enter the Issuer DN of the client certificate as the value of the property rootca.issuer.x, where x is a sequential number starting at 1.

    If you copied the Issuer DN after step 2, paste this value. For more information, see the comments in the file.

  5. Repeat the previous step for any additional CAs as needed.

  6. Enter the certificate user’s Subject DN for the applicable PingFederate permission roles, as described in the properties file.

    The configuration values are case-sensitive.

  7. Repeat the previous step for all users as needed.

    Other settings in the properties file are used to display the user’s ID (Subject DN) in abbreviated form in the administrative console.

  8. Start or restart PingFederate.
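As an added example (not from the PingFederate documentation), a small Python checker for the properties edits in steps 3 and 4: it reads a constructed cert_auth.properties fragment, verifies that the rootca.issuer.x keys are numbered sequentially from 1, flags stray whitespace around the DN values (the values are compared exactly and are case-sensitive), and confirms that pf.console.authentication is set to cert. The DNs and file contents are constructed samples.

```python
# Added example, not PingFederate code: sanity-check cert_auth.properties and
# run.properties edits before restarting. All file contents below are constructed.
import re

CONSTRUCTED_CERT_AUTH = """\
# constructed cert_auth.properties fragment (comment lines are ignored)
rootca.issuer.1=CN=Example Admin CA, O=Example Corp, C=US
rootca.issuer.2=CN=Example Intermediate CA, O=Example Corp, C=US
rootca.issuer.4=CN=Stale CA, O=Example Corp, C=US 
"""


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value or key:value,
    backslash line continuation. Trailing whitespace in values is kept, as Java does."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        if line.endswith("\\"):          # continuation: join with the next line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def check_root_ca_issuers(props):
    """Return a list of problems with the rootca.issuer.x entries (empty if OK)."""
    problems = []
    indices = sorted(int(k.rsplit(".", 1)[1]) for k in props
                     if re.fullmatch(r"rootca\.issuer\.\d+", k))
    if not indices:
        problems.append("no rootca.issuer.x entries found")
    elif indices != list(range(1, len(indices) + 1)):
        problems.append(f"rootca.issuer indices {indices} are not sequential from 1")
    for i in indices:
        value = props[f"rootca.issuer.{i}"]
        if value != value.strip():
            problems.append(f"rootca.issuer.{i} has leading/trailing whitespace; "
                            "DN values are compared exactly")
    return problems


def console_auth_is_cert(props):
    """True when run.properties selects certificate authentication for the console."""
    return props.get("pf.console.authentication") == "cert"


if __name__ == "__main__":
    for problem in check_root_ca_issuers(parse_properties(CONSTRUCTED_CERT_AUTH)):
        print("WARN:", problem)
```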