Setting up SSO to PingDirectory
To set up single sign-on (SSO) access from the admin console to PingDirectory, configure PingOne, configure PingDirectory, and then test the sign-on experience.
Before you begin
Ensure that you have:
-
A PingDirectory server that accepts LDAPS connections.
This server will host the admin console that is being configured for SSO.
-
The host name and port for the PingDirectory server.
-
A PingOne account.
Learn more in Getting started with PingOne SSO.
-
A PingOne environment that includes PingDirectory. Learn more in Adding an environment and Adding a service to an environment.
When creating a new environment for this purpose, select Customer solution for the environment type.
You can use groups to organize user identities, as explained in Groups. You can also set access to applications, as explained in Application access control.
About this task
During this process, you’ll:
-
Set up matching users between PingOne and PingDirectory so that the server's All Admin Users identity mapper can map the PingOne ID token to a Directory Server LDAP user.
-
Set up the OpenID Connect (OIDC) application in PingOne.
-
Configure the PingOne console and the PingDirectory server.
Linking PingOne to PingDirectory
Configure a link to connect PingOne and PingDirectory.
Before you begin
Ensure that you have the values for host name and port for the PingDirectory server. Contact the PingDirectory administrator for these values.
Steps
-
In PingOne, click Overview.
-
In the Services section, locate the PingDirectory tile.
-
Click Add Admin UI Link.
-
For Admin URL, enter https://<hostname>:<port>/console/login and replace <hostname> and <port> with the values for the PingDirectory server.
When the administrative console is configured for SSO, you can specify the LDAP server to bind to with the ldap-hostname and ldaps-port query parameters. Binding to a specific LDAP server lets a single console instance administer multiple PingDirectory servers. The LDAPS scheme is always assumed, because SSO requires an encrypted connection. With these parameters, the URL takes the following form:
https://<hostname>:<port>/console?ldap-hostname=<my-ldap-host>&ldaps-port=<my-ldaps-port>
-
Click Save.
Configuring matching administrator accounts
Create a matching PingDirectory root DN user for each PingOne user who should be able to sign on to the console through SSO. The root DN user name must match the PingOne User name exactly, because that is the value the identity mapper looks up. You can repeat this procedure for multiple user accounts.
Steps
-
In PingOne, go to Directory > Users.
-
Locate the user you want to configure, and click the user entry to open the details panel.
-
Click the Profile tab and copy the following values to a secure location:
-
User name
-
Given name
-
Family name
-
Open a terminal window.
-
Run the following dsconfig command. Replace the <Username>, <GivenName>, and <FamilyName> variables with the values you copied from the PingOne user details panel.
~/<pd_install>/dsconfig create-root-dn-user --user-name <Username> \
  --set first-name:<GivenName> \
  --set last-name:<FamilyName>
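The command above creates one root DN user at a time. The script below is an added example, not PingDirectory's or Ping Identity's code: it turns the User name, Given name and Family name values copied from several PingOne Profile tabs into the lines of a dsconfig batch file, double-quoting each value the way the sample batch file shipped with PingDirectory does, skipping users that already have a root DN user, and refusing duplicate or empty names instead of creating a mismatched account. The user records and the bin/dsconfig path in the usage comment are constructed for the example.

```python
# Constructed records standing in for the User name, Given name and Family
# name values copied from each PingOne user's Profile tab (not real users).
PINGONE_ADMINS = [
    {"username": "jane.admin", "given_name": "Jane", "family_name": "O'Brien"},
    {"username": "ops.admin", "given_name": "Ops", "family_name": "van der Berg"},
]


def _quote(value: str) -> str:
    """Double-quote a value as the sample batch file does.  An embedded
    double quote is rejected rather than guessing at dsconfig's escaping."""
    if '"' in value:
        raise ValueError(f"double quote not supported in {value!r}")
    return f'"{value}"'


def root_dn_user_command(user: dict) -> str:
    """Build one create-root-dn-user line for a dsconfig batch file.

    The user name must equal the PingOne User name exactly: with the
    "sub" = "UserName" attribute mapping, that is the value the All Admin
    Users identity mapper looks the root DN user up by.  Quoting keeps
    names with spaces or apostrophes intact.
    """
    for key in ("username", "given_name", "family_name"):
        if not str(user.get(key, "")).strip():
            raise ValueError(f"{key} is empty for {user!r}; copy it from the Profile tab")
    return (
        "dsconfig create-root-dn-user"
        f" --user-name {_quote(user['username'])}"
        f" --set {_quote('first-name:' + user['given_name'])}"
        f" --set {_quote('last-name:' + user['family_name'])}"
    )


def root_dn_user_batch(users, existing=frozenset()) -> list:
    """Return batch-file lines for every PingOne admin without a root DN user.

    Names in `existing` are skipped (creating a root DN user that already
    exists is an error), and a user name that appears twice in the input is
    reported rather than silently emitted twice.
    """
    seen = set()
    lines = []
    for user in users:
        name = user.get("username", "")
        if name in seen:
            raise ValueError(f"duplicate PingOne user name {name!r}")
        seen.add(name)
        if name in existing:
            continue
        lines.append(root_dn_user_command(user))
    return lines


if __name__ == "__main__":
    # Redirect stdout to a file and apply it with (path is an assumption):
    #   bin/dsconfig --batch-file matching-admins.dsconfig --no-prompt
    print("\n".join(root_dn_user_batch(PINGONE_ADMINS)))
```

Keeping the user names in a reviewed list also gives you a record of exactly which PingOne identities are allowed to reach the console, which is worth keeping next to the batch file.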
Adding the OIDC application to PingOne
In PingOne, add an OpenID Connect (OIDC) application that connects to PingDirectory.
Steps
-
Go to Applications > Applications.
-
Click the icon.
-
Enter the following:
-
Application Name: PingDirectory Administrative Console
-
Description: Application for the PingDirectory Administrative Console
-
Application Type: OIDC
-
Click Save.
-
Click the application entry to open the details panel.
-
On the Configuration tab, click the Pencil icon.
-
Enter or edit the following values:
-
Response Type: Code
-
Grant Type: Authorization Code
-
Token Endpoint Authentication Method: Client Secret Basic
-
Redirect URIs: https://<hostname>:<port>/console/oidc/cb
Replace the variables with the hostname and port of the PingDirectory server. The value must match the console's callback URL exactly, including scheme, hostname and port. To find the port, run the status command from the bin directory and read it from the HTTPS Connection Handler line, for example:
0.0.0.0:11443 : HTTPS : Enabled : HTTPS Connection Handler
Learn more about configuring OIDC applications in Editing an application - OIDC.
-
Click the Attribute Mappings tab and enter or edit the following mapping.
"sub" = "UserName"
-
Click Save.
-
Click the toggle to enable the application.
Configuring the application in PingDirectory
Apply the sample dsconfig batch file shipped with PingDirectory, filled in with the values of the PingOne application, to enable SSO on the administrative console.
Steps
-
In PingOne, go to Applications > Applications.
-
Click the application you created to open the details panel.
-
Click the Configuration tab and copy the following values to a secure location:
-
Issuer
-
Client ID
-
Client Secret
-
Locate the PingDirectory config file at:
PingDirectory/config/sample-dsconfig-batch-files/enable-pingone-admin-console-sso.dsconfig
-
Make a copy of the config file and leave the original file intact.
-
Open the copy of the config file in a text editor.
-
Replace the variables with the values you copied from PingOne.
# Create an ID token validator suitable for verifying ID tokens generated
# by the PingOne service. The "All Admin Users" identity mapper will be used
# to match users that authenticate with PingOne to either root DN users or
# topology admin users defined in the server configuration.
dsconfig create-id-token-validator \
  --validator-name "PingOne ID Token Validator" \
  --type ping-one \
  --set enabled:true \
  --set "identity-mapper:All Admin Users" \
  --set evaluation-order-index:1 \
  --set issuer-url:<PING_ONE_APPLICATION_ISSUER_URL>
[...]
# Configure the Administrative Console with your application's client
# credentials and issuer URI.
dsconfig set-web-application-extension-prop \
  --extension-name Console \
  --set sso-enabled:true \
  --set oidc-client-id:<PING_ONE_APPLICATION_CLIENT_ID> \
  --set oidc-client-secret:<PING_ONE_APPLICATION_CLIENT_SECRET> \
  --set oidc-issuer-url:<PING_ONE_APPLICATION_ISSUER_URL>
-
Run the following dsconfig command.
dsconfig --batch-file enable-pingone-admin-console-sso-copy.dsconfig --no-prompt
The copy now contains the client secret in clear text, so restrict its file permissions and delete it once the batch has been applied.
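The settings in the batch file drive a small set of trust decisions: the ID token must carry an intact signature, its iss must equal the configured issuer-url, its audience must be the console's client ID, it must not have expired, and its sub (populated from the PingOne User name by the "sub" = "UserName" mapping) must name an existing root DN user. The following Python models those decisions so you can see what each setting rules out. It is an added example, not PingDirectory's or PingOne's code, and it makes two assumptions not on the page: tokens are HS256-signed with a shared secret so that it runs with the standard library only (real PingOne ID tokens are asymmetrically signed and verified against the issuer's published keys), and the issuer URL, client ID and user names are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values standing in for what the page has you copy from PingOne
# (Issuer, Client ID) and for the root DN users created with create-root-dn-user.
ISSUER_URL = "https://auth.pingone.com/00000000-0000-0000-0000-000000000000/as"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
SIGNING_KEY = b"constructed-shared-secret"   # assumption: HS256 instead of PingOne's signing keys
ROOT_DN_USERS = frozenset({"jane.admin", "ops.admin"})


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Constructed stand-in for PingOne issuing an ID token.  With the
    "sub" = "UserName" attribute mapping PingOne puts the user's User name
    into sub; callers of this stand-in pass it the same way."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(mac)}"


def validate_console_login(token: str, *, issuer_url: str = ISSUER_URL,
                           client_id: str = CLIENT_ID, key: bytes = SIGNING_KEY,
                           root_dn_users=ROOT_DN_USERS, now: float = None):
    """Model of the decisions behind the PingOne ID Token Validator and the
    All Admin Users identity mapper.  Returns (accepted, username_or_reason).
    The signature is checked before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    head, body, sig = parts
    try:
        header = json.loads(_b64url_decode(head))
        claims = json.loads(_b64url_decode(body))
        given = _b64url_decode(sig)
    except ValueError:                       # covers base64 and JSON errors
        return False, "undecodable token"
    if header.get("alg") != "HS256":         # never let the token pick the algorithm
        return False, "unexpected alg"
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return False, "bad signature"
    # issuer-url from the batch file: a perfectly valid token from another
    # PingOne environment carries a different iss and must not sign anyone on.
    if claims.get("iss") != issuer_url:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:                 # oidc-client-id from the batch file
        return False, "audience mismatch"
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired"
    # Identity mapping: sub must name an existing root DN user.  A PingOne
    # user who authenticated fine but has no matching account gets nothing.
    sub = claims.get("sub")
    if sub not in root_dn_users:
        return False, f"no root DN user named {sub!r}"
    return True, sub


if __name__ == "__main__":
    now = time.time()
    cases = {
        "matching admin": {"iss": ISSUER_URL, "aud": CLIENT_ID, "sub": "jane.admin", "exp": now + 300},
        "no root DN user": {"iss": ISSUER_URL, "aud": CLIENT_ID, "sub": "guest", "exp": now + 300},
        "other environment": {"iss": ISSUER_URL.replace("0000", "9999", 1), "aud": CLIENT_ID,
                              "sub": "jane.admin", "exp": now + 300},
    }
    for label, claims in cases.items():
        print(label, validate_console_login(mint_id_token(claims), now=now))
```

The "other environment" case is the one to keep in mind when several PingOne environments exist: a user who signs on to a different environment gets a token that is genuine in every respect except iss, and only the configured issuer-url keeps it out of the console.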
Verifying single sign-on
Test the single sign-on experience from the PingOne admin console.
Steps
-
In PingOne, click Overview.
-
Under Services, locate the PingDirectory tile.
-
Click PingDirectory.
Result:
A PingOne sign-on page opens.
-
Sign on using the credentials for an admin user.
Result:
The PingDirectory Server administrative console home page opens.