PingOne

Setting up SSO to PingDirectory

To set up SSO access from the admin console to PingDirectory, configure PingOne, configure PingDirectory, and then test the sign-on experience.

Before you begin

Ensure that you have:

  • A PingDirectory server that accepts LDAPS connections.

    This server will host the admin console that is being configured for SSO.

  • The host name and port for the PingDirectory server.

  • A PingOne account.

    For more information, see Getting started with PingOne SSO.

  • A PingOne environment that includes PingDirectory. Learn more in Adding an environment and Adding a service to an environment.

    When creating a new environment for this purpose, select Customer solution for the environment type.

You can use groups to organize user identities, as explained in Groups. You can also set access to applications, as explained in Application access control.

About this task

During this process, you’ll:

  • Set up matching users in PingOne and PingDirectory so that the server’s All Admin Users identity mapper can map the PingOne ID token to a Directory Server LDAP user.

  • Set up the OpenID Connect application in PingOne.

  • Configure the PingOne console and the PingDirectory server.

Linking PingOne to PingDirectory

Configure a link to connect PingOne and PingDirectory.

Before you begin

Ensure that you have the values for hostname and port for the PingDirectory server. Contact the PingDirectory admin for these values.

Steps

  1. In PingOne, click Overview.

  2. Under Services, locate the PingDirectory tile.

  3. Click the Add Admin UI Link button.

  4. For Admin URL, enter https://<hostname>:<port>/console/login.

    Replace <hostname> and <port> with the values for the PingDirectory server.

    You can specify the LDAP server that you want to bind to using the query parameters ldap-hostname and ldaps-port when the administrative console is configured for SSO. By binding to the LDAP server, you can use a single console instance to administer multiple PingDirectory servers. An LDAPS scheme is always assumed because an encrypted connection is always required for SSO. Using these parameters, you can specify the URL as follows.

    https://<hostname>:<port>/console?ldap-hostname=<my-ldap-host>&ldaps-port=<my-ldaps-port>

  5. Click Save.

Configuring matching administrator accounts

Set up user accounts for the users who will sign on to PingDirectory with SSO. You can repeat this procedure for multiple user accounts.

Steps

  1. In PingOne, go to Directory → Users.

  2. Locate the user you want to configure, and click the user entry to open the details panel.

  3. Click the Profile tab and copy the following values to a secure location:

    • User name

    • Given name

    • Family name

  4. Open a terminal window.

  5. Run the following dsconfig command. Replace the <Username>, <GivenName>, and <FamilyName> variables with the values you copied from the PingOne user details panel.

    ~/<pd_install>/dsconfig create-root-dn-user --user-name <Username> \
      --set "first-name:<GivenName>" \
      --set "last-name:<FamilyName>"

Adding the OIDC application to PingOne

In PingOne, add an OIDC application that connects to PingDirectory.

Steps

  1. Go to Applications → Applications.

  2. Click the icon.

  3. Enter the following:

    • Application Name: PingDirectory Administrative Console

    • Description: Application for the PingDirectory Administrative Console

    • Application Type: OIDC

  4. Click Save.

  5. Click the application entry to open the details panel.

  6. Click the Configuration tab and then click the pencil icon.

  7. Enter or edit the following values:

    • Response Type: Code

    • Grant Type: Authorization Code

    • Token Endpoint Authentication Method: Client Secret Basic

    • Redirect URIs: https://<hostname>:<port>/console/oidc/cb

      Replace the variables with the values for the PingDirectory server hostname and port. To find the port, run the status command from the bin directory. The status output lists the HTTPS connection handler and its port, for example:

      0.0.0.0:11443 : HTTPS    : Enabled  : HTTPS Connection Handler

      For more information about configuring OIDC applications, see Editing an application - OIDC.

  8. Click the Attribute Mappings tab and enter or edit the following mapping.

    "sub" = "UserName"

  9. Click Save.

  10. Click the toggle switch to enable the application.

Configuring the application in PingDirectory

Modify the config file in PingDirectory to add the PingOne console.

Steps

  1. In PingOne, go to Applications → Applications.

  2. Click the application you created to open the details panel.

  3. Click the Configuration tab and copy the following values to a secure location:

    • Issuer

    • Client ID

    • Client Secret

  4. Locate the PingDirectory config file at:

    PingDirectory/config/sample-dsconfig-batch-files/enable-pingone-admin-console-sso.dsconfig

  5. Make a copy of the config file and leave the original file intact.

  6. Open the copy of the config file in a text editor.

  7. Replace the variables with the values you copied from PingOne.

    # Create an ID token validator suitable for verifying ID tokens generated
    # by the PingOne service. The "All Admin Users" identity mapper will be used
    # to match users that authenticate with PingOne to either root DN users or
    # topology admin users defined in the server configuration.
    dsconfig create-id-token-validator \
    --validator-name "PingOne ID Token Validator" \
    --type ping-one \
    --set enabled:true \
    --set "identity-mapper:All Admin Users" \
    --set evaluation-order-index:1 \
    --set issuer-url:<PING_ONE_APPLICATION_ISSUER_URL>
    
    [...]
    
    # Configure the Administrative Console with your application's client
    # credentials and issuer URI.
    dsconfig set-web-application-extension-prop \
    --extension-name Console \
    --set sso-enabled:true \
    --set oidc-client-id:<PING_ONE_APPLICATION_CLIENT_ID> \
    --set oidc-client-secret:<PING_ONE_APPLICATION_CLIENT_SECRET> \
    --set oidc-issuer-url:<PING_ONE_APPLICATION_ISSUER_URL>

  8. Run the following dsconfig command.

    dsconfig --batch-file \
        enable-pingone-admin-console-sso-copy.dsconfig \
        --no-prompt
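The following Python helper is added here as an illustration and is not part of the Ping Identity documentation or product. It covers the two dsconfig steps above: it renders the create-root-dn-user command with shell quoting, fills the placeholders in an abbreviated copy of the page's batch file and rejects a non-HTTPS issuer, an empty credential or a leftover placeholder, and lists PingOne users that have no root DN user with the identical user name (which the "sub" = "UserName" mapping requires); the hostnames and values in the test are constructed.

```python
import re
import shlex
from urllib.parse import urlparse

PLACEHOLDERS = (  # issuer URL, client ID, client secret; names from the page's batch file
    "<PING_ONE_APPLICATION_ISSUER_URL>",
    "<PING_ONE_APPLICATION_CLIENT_ID>",
    "<PING_ONE_APPLICATION_CLIENT_SECRET>",
)

# Abbreviated copy of the batch file excerpt on the page (the real file has more).
BATCH_TEMPLATE = """\
dsconfig create-id-token-validator --validator-name "PingOne ID Token Validator" \\
--type ping-one --set "identity-mapper:All Admin Users" \\
--set issuer-url:<PING_ONE_APPLICATION_ISSUER_URL>
dsconfig set-web-application-extension-prop --extension-name Console \\
--set sso-enabled:true --set oidc-client-id:<PING_ONE_APPLICATION_CLIENT_ID> \\
--set oidc-client-secret:<PING_ONE_APPLICATION_CLIENT_SECRET> \\
--set oidc-issuer-url:<PING_ONE_APPLICATION_ISSUER_URL>
"""

def root_dn_user_command(username, given_name, family_name):
    """Build the create-root-dn-user command from the PingOne profile values,
    shell-quoted so a name with spaces or an apostrophe cannot split the command."""
    return " ".join([
        "dsconfig create-root-dn-user --user-name", shlex.quote(username),
        "--set", shlex.quote("first-name:" + given_name),
        "--set", shlex.quote("last-name:" + family_name),
    ])

def render_batch(template, issuer_url, client_id, client_secret):
    """Fill the placeholders and refuse output that would misconfigure SSO:
    a non-HTTPS issuer, an empty client credential, or a leftover placeholder."""
    if urlparse(issuer_url).scheme != "https":
        raise ValueError("issuer URL must use https")
    if not client_id or not client_secret:
        raise ValueError("client ID and client secret must not be empty")
    out = template
    for token, value in zip(PLACEHOLDERS, (issuer_url, client_id, client_secret)):
        out = out.replace(token, value)
    leftover = re.findall(r"<PING_ONE_APPLICATION_[A-Z_]+>", out)
    if leftover:
        raise ValueError("unreplaced placeholders: " + ", ".join(leftover))
    return out

def unmatched_admins(pingone_usernames, root_dn_usernames):
    """Return PingOne users with no root DN user of the identical user name."""
    return sorted(set(pingone_usernames) - set(root_dn_usernames))
```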

Verifying single sign-on

Test the single sign-on experience from the PingOne admin console.

Steps

  1. In PingOne, click Overview.

  2. Under Services, locate the PingDirectory tile.

  3. Click PingDirectory.

    Result:

    A PingOne sign-on page opens.

  4. Sign on using the credentials for an admin user.

Result

The PingDirectory Server administrative console home page opens.