Configuring an OAuth client in PingFederate for PingIntelligence Dashboard SSO
Configure an OAuth client in PingFederate for PingIntelligence Dashboard single sign-on (SSO).
About this task
For more information on creating and configuring an OAuth client in PingFederate, see Managing OAuth clients.
Steps
- Create and configure an OAuth client in PingFederate with the following configuration details.
Client ID:
  Create an OAuth client in PingFederate with the Client ID PingIntelligence. You can use any other value for the Client ID in place of PingIntelligence.

Client Authentication:
  The current release of PingIntelligence Dashboard supports the NONE and CLIENT SECRET authentication methods.
  Client TLS Certificate authentication and Private Key JWT authentication are not supported by the Dashboard.
  When CLIENT SECRET is selected as the client authentication method, you can generate a random client secret or use a custom secret; PingIntelligence Dashboard uses this secret to authenticate as the client.

Require Signed Request:
  Do not enable. PingIntelligence Dashboard does not support signed requests.

Redirection URIs:
  Set the redirection URI in the PingFederate OAuth client configuration. The URI has the following form:
  https://pi_install_host:8030/login/oauth2/code/PingIntelligence
  Do not change the path in the URI; substitute only the hostname. For example:
  https://172.16.40.180:8030/login/oauth2/code/PingIntelligence

Claims:
  The following Claims must be configured in PingFederate and are mandatory for successful authentication of a logged-in user in PingIntelligence Dashboard:
  - A Claim for the Subject Identifier, which provides the unique identifier for the logged-in user.
  - A Claim providing the First Name.
  - A Claim providing the Last Name.
  - A Claim providing the Role information.
  PingIntelligence Dashboard fetches the claims for an authenticated user from the PingFederate UserInfo endpoint.
  In PingIntelligence 4.4, the supported values for the Role Claim are ADMIN and REGULAR. They are case-sensitive; if a blank or any other value is configured, SSO fails. Roles assigned to users within an enterprise must be mapped to ADMIN or REGULAR.
  PingIntelligence 4.4.1 and later versions support either a single value or multiple values for the Role Claim. If you configure the Role Claim with a single value, the allowed values are ADMIN and REGULAR, and they are case-sensitive.
  If multiple values are sent, one of the values must end with either of the following (the values are not case-sensitive):
  - Ping-Dashboard-Admin
  - Ping-Dashboard-Regular
  If multiple values are configured for the Role Claim and one of them is an Admin role, the Admin role takes precedence.

Scopes:
  The Scopes that must be configured in PingFederate for the PingIntelligence Dashboard application are:
  - Mandatory Scopes: profile and openid
  - Additional Scopes
  The Claims configured for PingIntelligence Dashboard can be mapped to the mandatory scope profile or to one or more Additional Scopes.

Allowed Grant Types:
  Enable Authorization Code. PingIntelligence Dashboard supports only Authorization Code as the grant type.

Restrict Response Types:
  If enabled, select code.

Proof Key For Code Exchange (PKCE):
  Do not enable. PingIntelligence Dashboard does not support PKCE.

ID Token Signing Algorithm:
  The supported ID Token Signing Algorithms are:
  - Default
  - RSA using SHA-256

ID Token Key Management Encryption Algorithm:
  Select No Encryption, because encryption is not supported by PingIntelligence Dashboard.
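The Role Claim rules above (single value must be exactly ADMIN or REGULAR, case-sensitive; multiple values are matched by a case-insensitive suffix, with Admin taking precedence) are easy to get wrong when building the attribute contract in PingFederate. The following script is an added example, not PingIntelligence or PingFederate code: it models those rules so an administrator can check a UserInfo payload before enabling SSO. The claim names sub, given_name, family_name and roles are assumptions; the page only requires that a claim exist for each of the four items, and the sample payloads are constructed.

```python
"""Check a UserInfo payload against the PingIntelligence Dashboard SSO claim rules.

Added example (not PingIntelligence or PingFederate code). It implements the
Role Claim rules described in the configuration table: single value is
case-sensitive ADMIN/REGULAR, multiple values match by suffix
(case-insensitive), and Admin wins when both are present.
"""

# Assumed claim names; adjust to match the attribute contract in PingFederate.
REQUIRED_CLAIMS = {
    "subject": "sub",
    "first_name": "given_name",
    "last_name": "family_name",
    "role": "roles",
}

SINGLE_VALUE_ROLES = {"ADMIN", "REGULAR"}  # case-sensitive, per the page
MULTI_VALUE_SUFFIXES = {  # matched case-insensitively, per the page
    "ping-dashboard-admin": "ADMIN",
    "ping-dashboard-regular": "REGULAR",
}


class SsoClaimError(ValueError):
    """Raised when the UserInfo response cannot satisfy Dashboard SSO."""


def check_required_claims(userinfo: dict) -> dict:
    """Return the four mandatory claim values, or raise if any is missing or blank."""
    found = {}
    for purpose, name in REQUIRED_CLAIMS.items():
        value = userinfo.get(name)
        if value is None or (isinstance(value, str) and not value.strip()):
            raise SsoClaimError(f"missing {purpose} claim '{name}'")
        found[purpose] = value
    return found


def resolve_role(role_claim) -> str:
    """Map the Role Claim to ADMIN or REGULAR using the 4.4.1+ rules.

    A string is treated as a single value: it must be exactly ADMIN or REGULAR.
    A list is treated as multiple values: at least one entry must end with
    Ping-Dashboard-Admin or Ping-Dashboard-Regular (case-insensitive), and an
    Admin match takes precedence over a Regular match.
    """
    if isinstance(role_claim, str):
        if role_claim in SINGLE_VALUE_ROLES:
            return role_claim
        raise SsoClaimError(
            f"single Role Claim value {role_claim!r} is not ADMIN or REGULAR"
        )

    if not isinstance(role_claim, (list, tuple)) or not role_claim:
        raise SsoClaimError("Role Claim must be a non-empty string or list")

    matched = set()
    for value in role_claim:
        lowered = str(value).lower()
        for suffix, role in MULTI_VALUE_SUFFIXES.items():
            if lowered.endswith(suffix):
                matched.add(role)
    if "ADMIN" in matched:
        return "ADMIN"
    if "REGULAR" in matched:
        return "REGULAR"
    raise SsoClaimError(
        "no Role Claim value ends with Ping-Dashboard-Admin or Ping-Dashboard-Regular"
    )


def dashboard_user(userinfo: dict) -> dict:
    """Validate a UserInfo payload and return the fields the Dashboard needs."""
    claims = check_required_claims(userinfo)
    claims["role"] = resolve_role(claims["role"])
    return claims


# Constructed sample UserInfo responses (not captured from a real PingFederate).
SAMPLE_SINGLE = {
    "sub": "jdoe", "given_name": "Jane", "family_name": "Doe", "roles": "REGULAR",
}
SAMPLE_MULTI = {
    "sub": "jdoe", "given_name": "Jane", "family_name": "Doe",
    "roles": ["groups/Ping-Dashboard-Regular", "groups/PING-DASHBOARD-ADMIN"],
}

if __name__ == "__main__":
    print(dashboard_user(SAMPLE_SINGLE))  # role REGULAR
    print(dashboard_user(SAMPLE_MULTI))   # role ADMIN (Admin takes precedence)
```

Run the script against the JSON returned by your PingFederate UserInfo endpoint for a test user; a raised SsoClaimError names the claim or role value that would make Dashboard SSO fail.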