--- title: Configure authentication - SSO with PingFederate description: "PingIntelligence for APIs Dashboard provides two methods for user authentication: native or single sign-on (SSO)." component: pingintelligence version: 5.2 page_id: pingintelligence:pingintelligence_reference_guide:pingintelligence_configure_authentication_sso_pf canonical_url: https://docs.pingidentity.com/pingintelligence/5.2/pingintelligence_reference_guide/pingintelligence_configure_authentication_sso_pf.html revdate: April 3, 2024 section_ids: sso-configuration-for-pingintelligence-for-apis-dashboard: SSO configuration for PingIntelligence for APIs Dashboard verify-the-prerequisites: Verify the prerequisites configure-oauth-client-in-pingfederate: Configure OAuth client in PingFederate configure-webgui-properties-file: Configure webgui.properties file configure-sso-properties-file-in-dashboard: Configure SSO properties file in Dashboard import-the-pingfederate-ssl-server-certificate: Import the PingFederate SSL server certificate obfuscate-sso-properties: Obfuscate sso.properties start-pingintelligence-for-apis-dashboard: Start PingIntelligence for APIs Dashboard --- # Configure authentication - SSO with PingFederate PingIntelligence for APIs Dashboard provides two methods for user authentication: native or single sign-on (SSO). You can configure the authentication method by configuring `pi.webgui.server.authentication-mode` property in the `/pingidentity/webgui/config/webgui.properties` file. The default authentication method is `native`. | | | | - | ------------------------------------------------------------------------------------------------------------------------------ | | | SSO authentication should be used only for production deployments. Use native authentication for Proof of Concept deployments. | ## SSO configuration for PingIntelligence for APIs Dashboard SSO configuration for the PingIntelligence Dashboard involves configuring both Dashboard and PingFederate. The following is a summary of configuration steps: 1. Verify the prerequisites. 2. Configure an OAuth client in PingFederate. 3. Configure the `webgui.properties` file. 4. Configure the `sso.properties` file in the Dashboard. 5. Import the PingFederate SSL server certificate. 6. Obfuscate `sso.properties`. 7. Start the Dashboard. ## Verify the prerequisites Ensure the following prerequisites are complete before SSO configuration: * PingFederate is installed and configured to support OpenID Connect (OIDC) SSO for any client. The current supported PingFederate versions are 9.3 or 10.1. * PingIntelligence for APIs Dashboard is installed. ## Configure OAuth client in PingFederate Creating and configuring an OAuth client in PingFederate is an essential step for PingIntelligence Dashboard's SSO authentication. If the OAuth client is not correctly configured in PingFederate, authentication failure will occur. To configure an OAuth client, complete the steps in [Configuring an OAuth client in PingFederate for PingIntelligence Dashboard SSO](pingintelligence_configure_oauth_pf.html). ## Configure `webgui.properties` file Edit the `/pingidentity/webgui/config/webgui.properties` to set the value of `pi.webgui.server.authentication-mode` to `sso` to configure authentication using SSO. ``` # Authentication mode # valid values: native, sso pi.webgui.server.authentication-mode=sso ``` ## Configure SSO properties file in Dashboard Configure the `/pingidentity/webgui/sso.properties` file to complete the PingIntelligence Dashboard's SSO authentication. For more information, see [Configuring Dashboard `sso.properties` for PingFederate](pingintelligence_configure_dashboard__sso_pf.html). ## Import the PingFederate SSL server certificate After the PingIntelligence Dashboard configuration for SSO is complete, import PingFederate's SSL server certificate to the PingIntelligence Dashboard's truststore `/pingidentity/webgui/config/webgui.jks`. Complete the following steps to import SSL certificate: 1. Copy PingFederate's SSL server certificate to `/pingidentity/webgui/config/ directory`. 2. Execute the following command: ``` # cd /pingidentity/webgui/config/ keytool -import -trustcacerts -file -alias pi-sso -keystore webgui.jks ``` | | | | - | ---------------------------------------------------------------------------------- | | | The default password to import `pf_certificate.crt` to `webgui.jks` is `changeme`. | ## Obfuscate `sso.properties` You can obfuscate keys added in SSO properties using the following commands: ``` # cd /pingidentity/webgui # ./bin/cli.sh obfuscate_keys ``` ## Start PingIntelligence for APIs Dashboard Start the PingIntelligence for APIs Dashboard. For more information, see [Starting and stopping thePingIntelligenceDashboard](pingintelligence_dashboard_start_stop.html). When the PingIntelligence Dashboard is started successfully, access it using `https://:8030`. The Dashboard will start SSO Authentication, and a new session will get created for the logged-in users. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Every PingIntelligence Dashboard SSO authentication event is attached with a `unique ID`, which is logged in `/pingidentity/webgui/logs/admin/sso.log`. | If SSO authentication fails for any reason, PingIntelligence Dashboard shows the following error message. ![Screen capture of the PingIntelligence Dashboard error message for SSO failure.](../_images/pfr1602562592515.png) | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------ | | | You can filter `sso-event-ref = ` in the `/pingidentity/webgui/logs/admin/sso.log` file to find the reason for SSO failure. |