Configuring SSO with PingOne

This topic discusses steps involved in configuring single sign-on (SSO) to PingIntelligence for APIs Dashboard from PingOne. This feature is available in PingIntelligence for APIs 4.4.1 and later versions.

Before you begin

Verify the following prerequisites for SSO configuration:

An installed PingIntelligence for APIs Dashboard.
Access to the the PingOne administration console console. For more information, see Accessing the admin console home page.

About this task

SSO configuration for PingIntelligence Dashboard involves configuring both Dashboard and PingOne.

Steps

Create an OIDC (OpenID Connect) web application in PingOne to setup SSO to PingIntelligence Dashboard . To configure the OIDC application, complete the steps explained in Configuring an OIDC Application in PingOne for PingIntelligence Dashboard.

Set the value of pi.webgui.server.authentication-mode to sso in <pi_install_dir>/pingidentity/webgui/config/webgui.properties file.

# Authentication mode
# valid values: native, sso
 pi.webgui.server.authentication-mode=sso

PingIntelligence for APIs Dashboard provides two methods for user authentication: native or SSO. SSO authentication should be used only for production deployments. Use native authentication for PoC deployments.

Configure the <pi_install_dir>/pingidentity/webgui/sso.properties file to complete the PingIntelligence Dashboard’s SSO authentication. For more information, see Configuring Dashboard sso.properties for PingOne.

Obfuscate keys added in SSO properties using the following commands.

# cd <pi_install_dir>/pingidentity/webgui
# ./bin/cli.sh obfuscate_keys

Restart the PingIntelligence Dashboard after configuring SSO in PingOne and PingIntelligence Dashboard. For more information, see Start and stop Dashboard.
When the PingIntelligence Dashboard is started successfully, access it using https://<pi_install_host>:8030. The Dashboard will start SSO Authentication, and a new session will get created for the logged-in users.

Troubleshooting

If the SSO authentication fails for any reason, PingIntelligence Dashboard shows the following error message.

Screenshot for PingIntelligence Dashboard SSO error

Every PingIntelligence Dashboard SSO authentication event is attached with a unique ID, which is logged in <pi_install_dir>/pingidentity/webgui/logs/admin/sso.log. You can filter sso-event-ref = <unique ID> in the<pi_install_dir>/pingidentity/webgui/logs/admin/sso.logfile to find the reason for SSO failure.