Configuring forward proxy server settings
You can configure PingFederate to send its web traffic, such as HTTP and HTTPS, through a forward proxy server.
Steps
- Edit the <pf_install>/pingfederate/bin/run.properties file.
- Locate the following properties:
    #http.proxyHost=<HTTP_PROXY_HOST>
    #http.proxyPort=<HTTP_PROXY_PORT>
    #http.proxyUser=<HTTP_PROXY_USER>
    #http.proxyPassword=<HTTP_PROXY_PASSWORD>
    #https.proxyHost=<HTTPS_PROXY_HOST>
    #https.proxyPort=<HTTPS_PROXY_PORT>
    #https.proxyUser=<HTTPS_PROXY_USER>
    #https.proxyPassword=<HTTPS_PROXY_PASSWORD>
    #http.nonProxyHosts=*.internal.com|localhost
- Optional: Configure forward proxy server settings for HTTP traffic:
  - Remove the number sign (#) in front of http.proxyHost and http.proxyPort.
  - Enter the host name or the IP address of the forward proxy server.
  - To specify a username and password that are required to connect to the forward proxy server, uncomment http.proxyUser and http.proxyPassword.
  - Enter the username and password credentials.
- Optional: Configure forward proxy server settings for HTTPS traffic:
  - Remove the number sign in front of https.proxyHost and https.proxyPort.
  - Enter the host name or the IP address of the forward proxy server.
  - To specify a username and password that are required to connect to the forward proxy server, uncomment https.proxyUser and https.proxyPassword.
  - Enter the username and password credentials.
    The http.proxyUser and https.proxyUser settings both support obfuscation and secret manager references. For more information, see Secret managers.
    You can obfuscate the password used to access the forward proxy server by running the obfuscate utility, located in the <pf_install>/pingfederate/bin directory:
    - obfuscate.bat for Windows
    - obfuscate.sh for Linux
    Use the actual password as an argument and copy the entire result into the value for the password parameter in run.properties.
- Optional: Configure an exclusion list:
  - Remove the number sign in front of http.nonProxyHosts.
  - Specify one or more destinations where PingFederate is not required to proxy its HTTP and HTTPS traffic through the forward proxy server.
    This property supports multiple values separated by the pipe character (|) and the wildcard character (*) for pattern matching.
    *.example.com|localhost
- Optional: If you want to enable basic authentication for an HTTP or HTTPS target site, you can remove Basic from jdk.http.auth.proxying.disabledSchemes=Basic or jdk.http.auth.tunneling.disabledSchemes=Basic, respectively.
  You should only use digest authentication with proxy servers. Basic authentication is not recommended because the proxy credentials are transmitted to the server without encryption.
- Save your changes.
- Restart PingFederate.
For a clustered PingFederate environment, repeat these steps on each node.
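A review check for the edited run.properties on each node before the restart, as an added example that is not part of the PingFederate documentation or tooling: it reads the active (uncommented) properties, reports which destinations the exclusion list sends around the proxy, and flags half-configured proxy pairs and a removed Basic entry. The function names and sample values are hypothetical, and the wildcard matching is an assumption that approximates how the JVM treats http.nonProxyHosts.

```python
import re

# Constructed sample of run.properties content; host, user and password are placeholders.
SAMPLE = """\
#http.proxyHost=<HTTP_PROXY_HOST>
https.proxyHost=proxy.example.com
https.proxyPort=3128
https.proxyUser=svc-pf
https.proxyPassword=<OBFUSCATED_VALUE>
http.nonProxyHosts=*.internal.com|localhost
jdk.http.auth.proxying.disabledSchemes=Basic
jdk.http.auth.tunneling.disabledSchemes=
"""

def load_active(text):
    """Return uncommented key=value pairs; lines starting with # are inactive."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def bypasses_proxy(host, props):
    """True if host matches an http.nonProxyHosts pattern (pipe-separated, * wildcard)."""
    for pattern in props.get("http.nonProxyHosts", "").split("|"):
        pattern = pattern.strip()
        # Assumption: * matches any run of characters, compared case-insensitively.
        regex = re.escape(pattern).replace(r"\*", ".*")
        if pattern and re.fullmatch(regex, host, re.IGNORECASE):
            return True
    return False

def audit(props):
    """List settings a reviewer should question before PingFederate is restarted."""
    findings = []
    for scheme in ("http", "https"):
        host, port = props.get(scheme + ".proxyHost"), props.get(scheme + ".proxyPort")
        if bool(host) != bool(port):
            findings.append(scheme + ": proxyHost and proxyPort must be set together")
        if bool(props.get(scheme + ".proxyUser")) != bool(props.get(scheme + ".proxyPassword")):
            findings.append(scheme + ": proxyUser and proxyPassword must be set together")
    for key in ("jdk.http.auth.proxying.disabledSchemes", "jdk.http.auth.tunneling.disabledSchemes"):
        schemes = [s.strip().lower() for s in props.get(key, "").split(",")]
        if key in props and "basic" not in schemes:
            findings.append(key + ": Basic is no longer disabled")
    return findings

if __name__ == "__main__":
    props = load_active(SAMPLE)
    print(audit(props), bypasses_proxy("idp.internal.com", props))
```

Running the same check against every node's file also catches a cluster member whose exclusion list or authentication schemes drifted from the others.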