PingOne

Setting up SSO to PingDirectory

To set up access from the PingOne admin console to PingDirectory, configure PingOne and PingDirectory and test the sign-on experience.

Before you begin

Ensure that you have:

  • A PingDirectory server that accepts LDAPS connections

    This server will host the admin console that is being configured for SSO.

  • The host name and port for the PingDirectory server

  • A PingOne account

  • A PingOne environment that includes PingDirectory.

    When creating a new PingOne environment, select Customer solution for the environment type.

About this task

During this process, you’ll:

  • Set up matching users between PingOne and the PingDirectory environments to allow the server’s All Admin Users identity mapper to map the PingOne ID token to a Directory Server LDAP user.

  • Set up the application in PingOne.

  • Configure the PingOne admin console and PingDirectory server.

Linking PingOne to PingDirectory

Configure a link to connect PingOne and PingDirectory.

Before you begin

Ensure that you have the values for host name and port for the PingDirectory server. Contact the PingDirectory administrator for these values.

Steps

  1. In the PingOne admin console, go to the Overview page.

  2. Locate the PingDirectory tile and click Add Admin UI Link.

  3. For Admin URL, enter https://<hostname>:<port>/console/login.

    Replace <hostname> and <port> with the values for the PingDirectory server.

    You can specify the LDAP server to bind to by using the query parameters ldap-hostname and ldaps-port when the administrative console is configured for SSO. By binding to the LDAP server, you can use a single console instance to administer multiple PingDirectory servers. An LDAPS scheme is always assumed because an encrypted connection is always required for SSO. Using these parameters, you can specify the URL as follows:

    https://<hostname>:<port>/console?ldap-hostname=<my-ldap-host>&ldaps-port=<my-ldaps-port>

  4. Click Save.

Configuring matching administrator accounts

Set up user accounts for the users you want to have SSO access to PingDirectory. You can repeat this procedure for multiple user accounts.

Steps

  1. In the PingOne admin console, go to Directory > Users.

  2. Locate the user you want to configure and click the user entry to open the details panel.

  3. On the Profile tab, copy the following values to a secure location:

    • Username

    • Given name

    • Family name

  4. Open a terminal window.

  5. Run the following dsconfig command.

    1. Replace <pd_install> with the path to the PingDirectory installation directory. The dsconfig tool is in its bin directory.

    2. Replace the <Username>, <GivenName>, and <FamilyName> variables with the values you copied from the PingOne user details panel. The user-name must be the same as the PingOne Username, because that is the value the ID token carries in its sub claim once the attribute mapping later in this procedure is in place.

      ~/<pd_install>/bin/dsconfig create-root-dn-user --user-name <Username> \
        --set "first-name:<GivenName>" \
        --set "last-name:<FamilyName>"

Adding the OIDC application to PingOne

In PingOne, add an OIDC application that connects to PingDirectory.

Steps

  1. In the PingOne admin console, go to Applications > Applications and click the + icon.

  2. Enter the following:

    • Application Name: Enter a name that helps you recognize this connection, such as PingDirectory Administrative Console.

    • Description (optional): Enter a brief description of this application that distinguishes it from others, such as Application for the PingDirectory Administrative Console.

  3. In the Choose Application Type section, select OIDC Web App.

  4. Click Save.

  5. Click the application entry to open the details panel.

  6. On the Configuration tab, click the Pencil icon.

  7. Enter or edit the following values:

    Field Description

    Response Type

    Select the Code checkbox.

    Grant Type

    Select the Authorization Code checkbox.

    Redirect URIs

    Enter https://<hostname>:<port>/console/oidc/cb and replace the variables with the values for the PingDirectory server hostname and port.

    To find the port, run the status command from the bin directory and read the port of the HTTPS Connection Handler from the connection handler list, for example:

    0.0.0.0:11443 : HTTPS    : Enabled  : HTTPS Connection Handler

    Token Endpoint Authentication Method

    Select Client Secret Basic in the list.

    Learn more about configuring OIDC applications in Editing an application - OIDC.

  8. On the Attribute Mappings tab, click the Pencil icon.

  9. For the default sub attribute, select UserName in the PingOne Mappings list. The ID token's sub claim then carries the PingOne username, which the server's All Admin Users identity mapper matches to the root DN user you created earlier. If sub is left at its default value, no root DN user has that name and sign-on to the console fails.

  10. Click Save.

  11. To enable the application, click the toggle at the top of the details panel to the right (blue).

    You can disable the application by clicking the toggle to the left (gray).
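As an added illustration (this is not PingOne or PingDirectory code), the following Python models what the console relies on after the sign-on: the registered-claim checks on the ID token and the All Admin Users mapping of the sub claim to a root DN user-name. It assumes the ID token validator has already verified the token signature against the PingOne issuer (not repeated here), models the identity mapper as an exact user-name comparison (an assumption consistent with the mapping step above), and uses constructed issuer, client ID, user and claim values.

```python
"""Constructed example (not PingDirectory or PingOne code): the claim checks
and the identity mapping that stand between a PingOne sign-on and an admin
console session, reduced to plain Python so they can be exercised offline.

Assumptions: the ID token validator has already verified the token signature
against the PingOne issuer (not repeated here), and the "All Admin Users"
identity mapper is modelled as an exact comparison of the token's sub claim
with a root DN user-name, which is what the attribute mapping step requires.
"""
import time
from typing import Optional

# Constructed stand-ins for the Issuer and Client ID shown on the PingOne
# application's Configuration tab.
ISSUER_URL = "https://auth.pingone.com/0a1b2c3d-0000-4000-8000-000000000000/as"
CLIENT_ID = "5f6e7d8c-0000-4000-8000-000000000000"

# user-name values created with: dsconfig create-root-dn-user --user-name <Username>
ROOT_DN_USERS = {"jsmith", "ops.admin"}


def check_registered_claims(claims: dict, issuer_url: str, client_id: str,
                            now: Optional[float] = None) -> list:
    """Return the reasons the token must be rejected; an empty list means it passes."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer_url:
        problems.append("iss does not match oidc-issuer-url")
    aud = claims.get("aud", [])
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not include oidc-client-id")
    if float(claims.get("exp", 0)) <= now:
        problems.append("token is expired")
    if not claims.get("sub"):
        problems.append("sub claim is missing")
    return problems


def map_sub_to_admin(claims: dict, root_dn_users: set) -> Optional[str]:
    """Exact match of sub against the root DN user-names; None means no admin access."""
    sub = claims.get("sub", "")
    return sub if sub in root_dn_users else None


def authorize(claims: dict, issuer_url: str = ISSUER_URL, client_id: str = CLIENT_ID,
              root_dn_users: set = ROOT_DN_USERS, now: Optional[float] = None):
    """Return (admin user-name, []) on success or (None, [reasons]) on failure."""
    problems = check_registered_claims(claims, issuer_url, client_id, now)
    if problems:
        return None, problems
    user = map_sub_to_admin(claims, root_dn_users)
    if user is None:
        return None, ["no root DN user matches sub=%r" % claims["sub"]]
    return user, []


# Constructed claim sets; NOW pins the clock so the outcome is reproducible.
NOW = 1_700_000_000
GOOD = {"iss": ISSUER_URL, "aud": [CLIENT_ID], "exp": NOW + 300, "sub": "jsmith"}
# sub left at the PingOne default (the user ID) instead of being mapped to UserName
UNMAPPED = {"iss": ISSUER_URL, "aud": [CLIENT_ID], "exp": NOW + 300,
            "sub": "9c2b1a00-0000-4000-8000-000000000000"}
# token minted for a different PingOne application
WRONG_AUD = {"iss": ISSUER_URL, "aud": ["other-client"], "exp": NOW + 300, "sub": "jsmith"}

if __name__ == "__main__":
    for label, claims in (("GOOD", GOOD), ("UNMAPPED", UNMAPPED), ("WRONG_AUD", WRONG_AUD)):
        user, problems = authorize(claims, now=NOW)
        print("%-9s admin=%s problems=%s" % (label, user, problems))
```

The UNMAPPED case is the one the attribute mapping step prevents: the token is otherwise valid, but a sub holding the PingOne user ID matches no root DN user-name, so the mapper returns nothing and the console has no admin identity to sign in.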

Configuring the application in PingDirectory

Use the sample dsconfig batch file shipped with PingDirectory to create the PingOne ID token validator and point the administrative console at the PingOne application.

Steps

  1. In the PingOne admin console, go to Applications > Applications and click the application you created to open the details panel.

  2. On the Configuration tab, copy the following values to a secure location:

    • Issuer

    • Client ID

    • Client Secret

  3. Locate the PingDirectory config file at:

    PingDirectory/config/sample-dsconfig-batch-files/enable-pingone-admin-console-sso.dsconfig

  4. Make a copy of the config file and leave the original file intact. The copy will contain the client secret, so create it where only the account that runs dsconfig can read it.

  5. Open the copy of the config file in a text editor.

  6. Replace the variables with the values you copied from PingOne.

    # Create an ID token validator suitable for verifying ID tokens generated
    # by the PingOne service. The "All Admin Users" identity mapper will be used
    # to match users that authenticate with PingOne to either root DN users or
    # topology admin users defined in the server configuration.
    dsconfig create-id-token-validator \
    --validator-name "PingOne ID Token Validator" \
    --type ping-one \
    --set enabled:true \
    --set "identity-mapper:All Admin Users" \
    --set evaluation-order-index:1 \
    --set issuer-url:<PING_ONE_APPLICATION_ISSUER_URL>
    
    [...]
    
    # Configure the Administrative Console with your application's client
    # credentials and issuer URI.
    dsconfig set-web-application-extension-prop \
    --extension-name Console \
    --set sso-enabled:true \
    --set oidc-client-id:<PING_ONE_APPLICATION_CLIENT_ID>  \
    --set oidc-client-secret:<PING_ONE_APPLICATION_CLIENT_SECRET>  \
    --set oidc-issuer-url:<PING_ONE_APPLICATION_ISSUER_URL>
  7. Run the following dsconfig command, using the name of your copy of the file. With --no-prompt, dsconfig takes its connection and bind settings from config/tools.properties when that file provides them; otherwise supply them explicitly (for example --hostname, --port, --useSSL, --bindDN and --bindPasswordFile).

    dsconfig --batch-file \
        enable-pingone-admin-console-sso-copy.dsconfig \
        --no-prompt

    Delete the copy after the batch has been applied, because it holds the client secret in clear text.
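The two procedures above (creating the matching root DN users, and filling in and applying the sample batch file) can be carried out together from one script. The following Python is an added example, not PingDirectory's own tooling: it reads the shipped sample file, substitutes the three placeholders the page shows, prepends one create-root-dn-user command per PingOne account, writes the result to a file only the current user can read, runs dsconfig, and removes the file whether or not dsconfig succeeded. The dsconfig options it passes (--batch-file, --no-prompt, --hostname, --port, --useSSL, --trustStorePath, --bindDN, --bindPasswordFile) are the tool's own; the sample template, user values, bind DN and port in the script are constructed assumptions.

```python
"""Constructed example (not PingDirectory's own tooling): fill in the
placeholders of the shipped enable-pingone-admin-console-sso.dsconfig file,
prepend the root DN users that match the PingOne accounts, apply the result
with dsconfig, and remove the filled-in copy so the client secret does not
stay on disk.
"""
import os
import re
import subprocess
import tempfile

PLACEHOLDERS = {
    "<PING_ONE_APPLICATION_ISSUER_URL>": "issuer_url",
    "<PING_ONE_APPLICATION_CLIENT_ID>": "client_id",
    "<PING_ONE_APPLICATION_CLIENT_SECRET>": "client_secret",
}

# Constructed stand-in for the shipped file, mirroring the page's excerpt; the
# real file is read with read_template() and may contain further commands.
SAMPLE_TEMPLATE = """\
dsconfig create-id-token-validator \\
    --validator-name "PingOne ID Token Validator" \\
    --type ping-one \\
    --set enabled:true \\
    --set "identity-mapper:All Admin Users" \\
    --set evaluation-order-index:1 \\
    --set issuer-url:<PING_ONE_APPLICATION_ISSUER_URL>

dsconfig set-web-application-extension-prop \\
    --extension-name Console \\
    --set sso-enabled:true \\
    --set oidc-client-id:<PING_ONE_APPLICATION_CLIENT_ID> \\
    --set oidc-client-secret:<PING_ONE_APPLICATION_CLIENT_SECRET> \\
    --set oidc-issuer-url:<PING_ONE_APPLICATION_ISSUER_URL>
"""


def read_template(pd_install):
    """Return the text of the sample batch file shipped under the install directory."""
    path = os.path.join(pd_install, "config", "sample-dsconfig-batch-files",
                        "enable-pingone-admin-console-sso.dsconfig")
    with open(path) as f:
        return f.read()


def _safe(value, what):
    """Reject values that would break the batch file's line-oriented, quoted syntax."""
    if not value or any(c in value for c in '"\n\\'):
        raise ValueError("%s is empty or contains a quote, backslash or newline" % what)
    return value


def root_dn_user_commands(admins):
    """admins: (Username, Given name, Family name) tuples copied from PingOne."""
    return [
        'dsconfig create-root-dn-user --user-name "%s" --set "first-name:%s" --set "last-name:%s"'
        % (_safe(u, "Username"), _safe(g, "Given name"), _safe(f, "Family name"))
        for u, g, f in admins
    ]


def render_batch(template, issuer_url, client_id, client_secret, admins):
    """Substitute the PingOne values into the template and prepend the root DN users."""
    if not issuer_url.startswith("https://"):
        raise ValueError("oidc-issuer-url must be an https URL")
    values = {"issuer_url": issuer_url, "client_id": client_id, "client_secret": client_secret}
    text = template
    for placeholder, key in PLACEHOLDERS.items():
        text = text.replace(placeholder, _safe(values[key], key))
    leftover = sorted(set(re.findall(r"<[A-Z_]+>", text)))
    if leftover:  # a placeholder the page does not show, or a typo in the template
        raise ValueError("unfilled placeholders: %s" % leftover)
    return ("# Root DN users matching the PingOne accounts\n"
            + "\n".join(root_dn_user_commands(admins)) + "\n\n" + text)


def apply_batch(batch_text, hostname, port, bind_dn, bind_password_file,
                trust_store_path, dsconfig="dsconfig"):
    """Write the batch to a 0600 temp file, run dsconfig, and always delete the file."""
    fd, path = tempfile.mkstemp(prefix="pingone-sso-", suffix=".dsconfig")  # mode 0600
    try:
        with os.fdopen(fd, "w") as f:
            f.write(batch_text)
        cmd = [dsconfig, "--no-prompt", "--hostname", hostname, "--port", str(port),
               "--useSSL", "--trustStorePath", trust_store_path,
               "--bindDN", bind_dn, "--bindPasswordFile", bind_password_file,
               "--batch-file", path]
        return subprocess.run(cmd).returncode
    finally:
        os.unlink(path)  # the secret must not outlive the run


if __name__ == "__main__":
    env = os.environ  # the values copied from PingOne are supplied via the environment
    batch = render_batch(read_template(env.get("PD_INSTALL", os.path.expanduser("~/PingDirectory"))),
                         env["PINGONE_ISSUER_URL"], env["PINGONE_CLIENT_ID"],
                         env["PINGONE_CLIENT_SECRET"],
                         [("jsmith", "Jane", "Smith")])  # constructed; use the matching PingOne users
    # Bind DN and LDAPS port are assumptions; adjust to the server being configured.
    raise SystemExit(apply_batch(batch, "localhost", 636, "cn=Directory Manager",
                                 env["PD_BIND_PASSWORD_FILE"], env["PD_TRUST_STORE"]))
```

The bind password goes through --bindPasswordFile rather than --bindPassword so it does not appear in the process list, and the trust store is named explicitly so --useSSL does not fall back to trusting any certificate.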

Testing SSO to PingDirectory

Test the SSO experience from the PingOne admin console.

Steps

  1. In the PingOne admin console, click Overview.

  2. In the Services section, locate the PingDirectory tile.

  3. Click PingDirectory.

    Result:

    A PingOne sign-on page opens.

  4. Sign on with the PingOne credentials of a user for whom you created a matching root DN user.

Result

The PingDirectory server administrative console opens.