PingIntelligence

Configuring an OAuth client in PingFederate for PingIntelligence Dashboard SSO

Configure an OAuth client in PingFederate for PingIntelligence Dashboard single sign-on (SSO).

About this task

For more information on creating and configuring an OAuth client in PingFederate, see Managing OAuth clients.

Steps

  • Create and configure an OAuth client in PingFederate with the following configuration details.

    Option Description

    Client ID

    Create an OAuth client in PingFederate with Client ID as PingIntelligence. You can use any other value for Client ID in place of PingIntelligence.

    Client Authentication

    The current release of PingIntelligence Dashboard supports NONE and CLIENT SECRET authentication methods.

    Client TLS Certificate authentication and Private Key JWT based authentication are not supported by the Dashboard.

    When CLIENT SECRET is selected as the client authentication method, you can generate a random client secret or use a custom secret, which is used by PingIntelligence Dashboard for client authentication.

    Require Signed Request

    Do not enable.

    PingIntelligence Dashboard does not support signed requests.

    Redirection URIs

    Set the redirection URI in the PingFederate OAuth client configuration. The path in the URI is as follows: https://pi_install_host:8030/login/oauth2/code/PingIntelligence.

    Do not change the path in the URI; substitute only the hostname. For example, https://172.16.40.180:8030/login/oauth2/code/PingIntelligence.

    Claims

    The following Claims must be configured in PingFederate. They are mandatory for successful authentication of a logged-in user in PingIntelligence Dashboard.

    • A Claim for Subject Identifier, which should provide the unique identifier for the logged-in user.

    • A Claim for providing First Name.

    • A Claim for providing Last Name.

    • A Claim for providing the Role information.

    PingIntelligence Dashboard fetches the claims for an authenticated User from the PingFederate UserInfo endpoint.

    In PingIntelligence 4.4, the supported values for the Role Claim are ADMIN and REGULAR. They are case-sensitive. If a blank or any other value is configured, SSO will fail. Roles assigned to Users within an enterprise should be mapped to ADMIN or REGULAR.

    PingIntelligence 4.4.1 and later versions support either a single value or multiple values for the Role Claim. If you are configuring the Role Claim with a single value, the allowed values are ADMIN and REGULAR, and they are case-sensitive.

    If multiple values are sent, then one of the values must end with either of the following, and the values are not case-sensitive:

    • Ping-Dashboard-Admin

    • Ping-Dashboard-Regular

    If multiple values are configured for the Role Claim and one of them is an Admin role, then the Admin role takes precedence.

    Scopes

    The Scopes that must be configured in PingFederate for the PingIntelligence Dashboard application are:

    • Mandatory Scopes: profile and openid

    • Additional Scopes

    The Claims configured for PingIntelligence Dashboard can be mapped to the Mandatory Scope profile or to one or more Additional Scopes.

    Allowed Grant Types

    Enable Authorization Code. PingIntelligence Dashboard supports only Authorization Code as the grant type.

    Restrict Response Types

    If enabled, select code.

    Proof Key For Code Exchange (PKCE)

    Do not enable.

    PingIntelligence Dashboard does not support PKCE.

    ID Token Signing Algorithm

    The supported ID Token Signing Algorithms are:

    • Default

    • RSA using SHA-256

    ID Token Key Management Encryption Algorithm

    Select No Encryption because encryption is not supported by PingIntelligence Dashboard.
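
The Role Claim rules in the Claims row above can be checked against the values your PingFederate attribute mapping emits before you enable SSO. The following is an added example, not PingIntelligence or PingFederate code; the function name, the multi_value_supported flag and the sample claim values are assumptions, and the rules are applied literally as stated (a one-element list is treated as a single value).

```python
from typing import Optional, Sequence, Union

ADMIN, REGULAR = "ADMIN", "REGULAR"
ADMIN_SUFFIX = "ping-dashboard-admin"      # compared case-insensitively
REGULAR_SUFFIX = "ping-dashboard-regular"  # compared case-insensitively


def resolve_dashboard_role(claim: Union[str, Sequence[str], None],
                           multi_value_supported: bool = True) -> Optional[str]:
    """Return "ADMIN", "REGULAR", or None (SSO would fail) for a Role claim.

    multi_value_supported=False models PingIntelligence 4.4 (single value only);
    True models 4.4.1 and later.
    """
    if claim is None:
        return None
    values = [claim] if isinstance(claim, str) else list(claim)

    if len(values) == 1:
        # Single value: exact, case-sensitive match; blank or anything else fails.
        return values[0] if values[0] in (ADMIN, REGULAR) else None
    if not values or not multi_value_supported:
        return None

    # Multiple values: one must END WITH a dashboard suffix; Admin takes precedence.
    lowered = [v.lower() for v in values]
    if any(v.endswith(ADMIN_SUFFIX) for v in lowered):
        return ADMIN
    if any(v.endswith(REGULAR_SUFFIX) for v in lowered):
        return REGULAR
    return None


if __name__ == "__main__":
    # Constructed sample Role claim values, as they might appear in UserInfo.
    samples = [
        "ADMIN",
        "admin",                                             # wrong case
        ["Staff", "ACME-Ping-Dashboard-Regular"],
        ["acme-ping-dashboard-regular", "ACME-PING-DASHBOARD-ADMIN"],
        ["cn=Ping-Dashboard-Admin,ou=groups", "Staff"],      # full DN: suffix not at end
    ]
    for s in samples:
        print(f"{s!r:70} -> {resolve_dashboard_role(s) or 'SSO FAILS'}")
```

Under the "ends with" rule, a group value passed through as a full LDAP distinguished name does not match, so map the claim to the group name itself.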