Configuring Dashboard sso.properties for PingOne
About this task
To complete the Dashboard’s SSO authentication, configure the <pi_installation_path>/pingidentity/webgui/sso.properties file.
Steps
-
To complete the Dashboard’s SSO authentication, configure the <pi_installation_path>/pingidentity/webgui/sso.properties file. The following table describes the SSO properties.

| Property | Mandatory | Description |
| --- | --- | --- |
| pi.webgui.sso.oidc.provider.issuer-uri | Yes | Configure the Issuer URI auto-generated in PingOne for the PingIntelligence Dashboard application. For more information, see step 6 in Configuring an OIDC Application in PingOne for PingIntelligence Dashboard. |
| pi.webgui.sso.oidc.client.id | Yes | Configure the client ID. Make sure to configure the same value auto-generated in PingOne for the PingIntelligence Dashboard application. For more information, see step 6 in Configuring an OIDC Application in PingOne for PingIntelligence Dashboard. |
| pi.webgui.sso.oidc.client.secret | This is a required property only if the value of the property pi.webgui.sso.oidc.client.authentication-method is not set to NONE. | Configure the client secret value in plain text. Make sure to configure the same value auto-generated in PingOne for the PingIntelligence Dashboard application. For more information, see step 6 in Configuring an OIDC Application in PingOne for PingIntelligence Dashboard. |
| pi.webgui.sso.oidc.client.authentication-method | Yes | Configure the PingOne OIDC application authentication method. The possible values are: BASIC (Basic authentication header based client authentication), POST (client credentials sent in the POST body for authentication), NONE (client does not authenticate itself). The default value is BASIC. NOTE: If the Authentication method in the OIDC application created in PingOne is set to None, use NONE for this property. If Authentication is set to Client Secret Basic or Client Secret Post, use BASIC or POST. |
| pi.webgui.sso.oidc.provider.user-uniqueid-claim-name | Yes | The value of this property should be sub. It defaults to the value of User ID in PingOne OIDC Attributes. |
| pi.webgui.sso.oidc.provider.user-first-name-claim-name | Yes | The value of this property should be the PingOne OIDC Attribute value that holds the first name of the signed-on user. The default value for the claim is given_name. |
| pi.webgui.sso.oidc.provider.user-last-name-claim-name | Yes | The value of this property should be the PingOne OIDC Attribute value that holds the last name of the signed-on user. The default value for the claim is family_name. |
| pi.webgui.sso.oidc.provider.user-role-claim-name | Yes | The value of this property should be the PingOne OIDC Attribute value that holds the role of the signed-on user. The default value in Dashboard is role. Supported values for the Role claim are ADMIN and REGULAR. |
| pi.webgui.sso.oidc.client.additional-scopes | No | Not applicable for PingOne SSO configuration. |

The following is a sample snippet of sso.properties.
```
## PingIntelligence WebGUI SSO properties file
# This is in standard java properties file format
# comments are denoted by number sign (#) as the first non blank character
# multiline values are ended with '\' as end of line

# OIDC Provider uri
# WebGUI queries <issuer-uri>/.well-known/openid-configuration to get OIDC provider metadata
# issuer ssl certificate is not trusted by default. So import issuer ssl certificate into config/webgui.jks
# issuer should be reachable from both back-end and front-end
pi.webgui.sso.oidc.provider.issuer-uri=https://auth.pingone.asia/7e49bb56-72f8-485d-810e-ae3d619ca670/as

# OIDC Client id
pi.webgui.sso.oidc.client.id=PingIntelligence

# OIDC Client secret
# This can be empty
pi.webgui.sso.oidc.client.secret=OBF:AES:BcB3MOE/K+VAa579oBpky4PrIo4z9LnI4vXsltqI=

# OIDC Client authentication mode.
# Valid values: BASIC, POST, and NONE
pi.webgui.sso.oidc.client.authentication-method=BASIC

# claim name for unique id of the user in UserInfo response
# a new user is provisioned using this unique id value
pi.webgui.sso.oidc.provider.user-uniqueid-claim-name=sub

# claim name for first name of the user in UserInfo response
# either first name or last name can be empty, but both should not be empty
pi.webgui.sso.oidc.provider.user-first-name-claim-name=given_name

# claim name for last name of the user in UserInfo response
# either first name or last name can be empty, but both should not be empty
pi.webgui.sso.oidc.provider.user-last-name-claim-name=family_name

# claim name for role of the user in UserInfo response
# valid values for roles are ADMIN and REGULAR
pi.webgui.sso.oidc.provider.user-role-claim-name=role

# additional scopes in authorization request
# multiple scopes should be comma (,) separated
# openid,profile scopes are always requested
pi.webgui.sso.oidc.client.additional-scopes=exclusive
```
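
The property rules described above (mandatory keys, allowed authentication methods, the secret being required unless the method is NONE, and sub as the unique-ID claim) can be checked mechanically before the file is deployed. The following Python lint is an added example, not part of PingIntelligence or the original page; the function names, the https requirement on the issuer URI, and the sample values are assumptions of this example.

```python
from urllib.parse import urlparse
PREFIX = "pi.webgui.sso.oidc."
MANDATORY = ("provider.issuer-uri", "client.id", "client.authentication-method",
             "provider.user-uniqueid-claim-name", "provider.user-first-name-claim-name",
             "provider.user-last-name-claim-name", "provider.user-role-claim-name")

def parse_properties(text):
    """Parse the .properties subset described in the sample file's header comments."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\") and not line.startswith("#"):
            pending = line[:-1]  # multiline value: join with the next line
        elif line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def lint(text):
    """Return findings for one sso.properties text; an empty list means it passes."""
    props = parse_properties(text)
    get = lambda name: props.get(PREFIX + name, "")
    findings = [f"missing mandatory property {PREFIX}{n}" for n in MANDATORY if not get(n)]
    method = get("client.authentication-method")
    if method and method not in ("BASIC", "POST", "NONE"):
        findings.append(f"authentication-method {method!r} is not BASIC, POST or NONE")
    if method in ("BASIC", "POST") and not get("client.secret"):
        findings.append("client.secret is required unless authentication-method is NONE")
    issuer = get("provider.issuer-uri")
    # Assumption of this example: the issuer must be an absolute https URL.
    if issuer and (urlparse(issuer).scheme != "https" or not urlparse(issuer).netloc):
        findings.append("issuer-uri is not an absolute https URL")
    if get("provider.user-uniqueid-claim-name") not in ("", "sub"):
        findings.append("user-uniqueid-claim-name should be sub for PingOne")
    return findings

# Constructed sample with placeholder values, not a real PingOne environment.
SAMPLE_BAD = """\
pi.webgui.sso.oidc.provider.issuer-uri=http://auth.example.test/ENV-ID-PLACEHOLDER/as
pi.webgui.sso.oidc.client.id=PingIntelligence
pi.webgui.sso.oidc.client.secret=
pi.webgui.sso.oidc.client.authentication-method=POST
pi.webgui.sso.oidc.provider.user-uniqueid-claim-name=email
pi.webgui.sso.oidc.provider.user-first-name-claim-name=given_name
pi.webgui.sso.oidc.provider.user-last-name-claim-name=family_name
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_BAD)))
```

The constructed sample yields four findings: the missing role claim property, the empty secret with POST, the non-https issuer, and the unique-ID claim that is not sub.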
Next steps
Complete steps 4-6 in Configuring SSO with PingOne.