PingFederate Server

Configuring forward proxy server settings

You can configure PingFederate to send web traffic, such as HTTP and HTTPS, so that it initiates through a forward proxy server.

Steps

  1. Edit the <pf_install>/pingfederate/bin/run.properties file.

  2. Locate for the following properties:

    #http.proxyHost=<HTTP_PROXY_HOST>
#http.proxyPort=<HTTP_PROXY_PORT>
#http.proxyUser=<HTTP_PROXY_USER>
#http.proxyPassword=<HTTP_PROXY_PASSWORD>
#https.proxyHost=<HTTPS_PROXY_HOST>
#https.proxyPort=<HTTPS_PROXY_PORT>
#https.proxyUser=<HTTPS_PROXY_USER>
#https.proxyPassword=<HTTPS_PROXY_PASSWORD>
#http.nonProxyHosts=*.internal.com|localhost

  3. Optional: Configure forward proxy server settings for HTTP traffic:

    1. Remove the number sign (#) in front of http.proxyHost and http.proxyPort.

    2. Enter the host name or the IP address of the forward proxy server.

    3. To specify a username and password that are required to connect to the forward proxy server, uncomment http.proxyUser and http.proxyPassword.

    4. Enter the username and password credentials.

  4. Optional: Configure forward proxy server settings for HTTPS traffic:

    1. Remove the number sign in front of https.proxyHost and https.proxyPort.

    2. Enter the host name or the IP address of the forward proxy server.

    3. To specify a username and password that are required to connect to the forward proxy server, uncomment https.proxyUser and https.proxyPassword.

    4. Enter the username and password credentials.

      The http.proxyUser and https.proxyUser settings both support obfuscation and secret manager references. For more information, see Secret managers.

      You can obfuscate the password used to access the forward proxy server by running the obfuscate utility, located in the <pf_install>/pingfederate/bin directory:

      • obfuscate.bat for Windows

      • obfuscate.sh for Linux

      Use the actual password as an argument and copy the entire result into the value for the password parameter in run.properties.

  5. Optional: Configure an exclusion list:

    1. Remove the number sign in front of http.nonProxyHosts.

    2. Specify one or more destinations where PingFederate is not required to proxy its HTTP and HTTPS traffic through the forward proxy server.

    This property supports multiple values separated by the pipe character (\|) and the wildcard character (#) for pattern matching.
    *.example.com\|localhost

  6. Optional: If you want to enable basic authentication for an HTTP or HTTPS target site, you can remove Basic from jdk.http.auth.proxying.disabledSchemes=Basicorjdk.http.auth.tunneling.disabledSchemes=Basic, respectively.

    You should only use digest authentication with proxy servers. Basic authentication is not recommended because the proxy credentials are transmitted to the server without encryption.

  7. Save your changes.

  8. Restart PingFederate.

For a clustered PingFederate environment, repeat these steps on each node.