PingOne

Setting up SSO to PingAccess

To set up access from the PingOne admin console to PingAccess, configure PingOne and PingAccess, and then test the sign-on experience.

Before you begin

Ensure that you have:

  • A licensed version of PingAccess

  • A PingOne account

Configuring PingOne for SSO in PingAccess

About this task

To configure PingOne for SSO in PingAccess:

Steps

  1. In the PingOne admin console, add a new attribute for PingAccess administrator roles:

    1. Go to Directory > User Attributes and click the icon to add an attribute.

    2. In the Add Attribute panel, select Declared and click Next.

      Declared attributes maintain the values of the claims that authorize access to other products.

    3. Enter the following information:

      • Name: PingAccess-Role (this value is case sensitive)

      • Display Name: PingAccess Role

      • Description (optional): Enter a brief description of this attribute that distinguishes it from others.

    4. Click Save.

  2. Create a new connection:

    1. Go to Applications > Applications and click the icon to add an application.

    2. In the Add Application panel, enter the following information:

      • Application Name: A name that helps you recognize this connection, such as The PingOne Admin Console SSO PingAccess.

      • Description (optional): A brief description of this application that distinguishes it from others.

    3. For Application Type, select OIDC Web App and click Save.

    4. In the application details panel, on the Configuration tab, click the Pencil icon.

    5. Locate the Redirect URIs field and enter the appropriate URL.

      For example, https://<FQDNofPAServer>:9000/pa/oidc/cb, where <FQDNofPAServer> is the machine name or fully qualified domain name of your PingAccess server, such as https://localhost:9000/pa/oidc/cb.

    6. Click Save.

    7. On the Resources tab, click the Pencil icon.

    8. In the Scopes list, locate the profile scope and select the checkbox to add it to the Selected Scopes section.

    9. Click Save.

    10. On the Attribute Mappings tab, click the Pencil icon.

    11. Click Add and add the following attribute mapping:

      • Attributes: PingAccess Role

      • PingOne Mappings: PingAccess Role

    12. Click Advanced Configurations.

    13. For the attributes you just mapped, select the Required checkbox.

    14. Click Save.

  3. To enable the application, click the toggle at the top of the details panel to the right (blue).

    You can disable the application by clicking the toggle to the left (gray).

  4. Add a new PingAccess administrator and define their role and responsibilities.

    1. Go to Directory > Users and click the icon to add a user.

    2. On the Add User panel, enter a username for a PingAccess administrator with the Administrator role assigned in PingAccess and select a population to which the administrator should belong.

      Learn more in Admin UI SSO authentication in the PingAccess documentation.

    3. Click Save.

    4. In the Profile tab, click the Pencil icon and, in the Custom Attributes section, click Add.

    5. In the New Attribute list, select PingAccess Role and enter fullAdmin.

    6. Click Save.

    7. In the user details panel, go to the Roles > Administrator Roles tab, and click Grant Roles.

    8. In Available Responsibilities, click Environment Admin and select the checkboxes for the organizations and environments where the administrator should have this role.

    9. Click Save.

    10. Click the More Options (⋮) icon and select Reset Password.

    11. Select Force password reset on next sign on.

    12. Click Save.

  5. Go to Applications > Applications and locate the application you created earlier.

  6. Click the application entry to open the details panel.

  7. On the Configuration tab, review the configuration information.

    You need this configuration information to configure PingAccess for SSO, so keep this browser window open.


Configuring PingAccess

After configuring PingOne for SSO, configure PingAccess.

Steps

  1. In the PingAccess administrative console, go to Settings > System > Token Provider.

  2. On the Token Provider page, select PingOne SSO as the token provider.

  3. In the Issuer field, enter the Issuer ID for the connection you created in PingOne.

    You can find this URL on the Overview tab of the application in PingOne.


    Learn more in Configuring PingOne in the PingAccess documentation.

  4. Go to Settings > Admin Authentication > UI Authentication.

  5. On the Authentication Method page, select Single Sign-On and enter or edit the following:

    1. For OpenID Connect Login Type, select Code.

    2. In the Client ID field, enter the Client ID for the connection you created in PingOne.

      You can find Client ID on the Overview tab of the application in PingOne.

    3. For Client Credentials Type, select Secret and enter the Client Secret for the connection you created in PingOne.

      You can find Client Secret on the Overview tab of the application in PingOne.

    4. Click Save.


      Learn more in Admin UI SSO authentication in the PingAccess documentation.

Testing SSO to PingAccess

After configuring PingOne and PingAccess, test SSO to PingAccess.

Steps

  1. In the PingOne admin console, click the Ping Identity logo.

    Result:

    The admin console displays the environments to which you have access.

  2. Click the environment to open the details panel.

  3. Click Manage Environment to go to the Overview page for the environment.

  4. In the Services section, click the PingAccess icon.

    Result:

    The PingAccess administrative console opens.

    Troubleshooting:

    If the token provider is unreachable:

    1. Review the reason for the failure in the pingaccess.log file.

    2. Enable the default administrator authentication by setting the admin.auth property in the <PA_HOME>/conf/run.properties file.

      Learn more in Editing run.properties to disable SSO in the PingAccess documentation.

    3. In the PingAccess administrative console, edit the admin UI SSO or token provider settings to address the issue.

    4. In the run.properties file, set admin.auth back to default.

    5. Restart PingAccess to test.
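
When sign-on fails, the values set in the procedure above can be checked offline against the Redirect URI and a captured ID token. The following is an added example, not Ping Identity code: the function names are hypothetical, the sample values are constructed, and it assumes the role claim is named after the attribute Name (PingAccess-Role). It decodes the token for inspection only and does not verify the signature.

```python
import base64
import json
from urllib.parse import urlsplit

ROLE_CLAIM = "PingAccess-Role"  # assumption: claim is named after the attribute Name

def check_redirect_uri(uri):
    """Return problems with a Redirect URI of the form https://<host>:<port>/pa/oidc/cb."""
    if "<" in uri or ">" in uri:
        return ["placeholder host was not replaced"]
    parts = urlsplit(uri)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if parts.path != "/pa/oidc/cb":
        problems.append("path is not /pa/oidc/cb")
    return problems

def decode_claims(id_token):
    """Decode the JWT payload for inspection only; the signature is NOT verified here."""
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_claims(claims, issuer, client_id, role="fullAdmin"):
    """Compare ID-token claims with the Issuer, Client ID and role set in the procedure."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss differs from the Issuer entered in PingAccess")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain the Client ID")
    if ROLE_CLAIM not in claims:
        near = [k for k in claims if k.lower() == ROLE_CLAIM.lower()]
        hint = f" (found '{near[0]}'; the name is case sensitive)" if near else ""
        problems.append(f"{ROLE_CLAIM} claim is missing{hint}")
    elif claims[ROLE_CLAIM] != role:
        problems.append(f"{ROLE_CLAIM} is {claims[ROLE_CLAIM]!r}, expected {role!r}")
    return problems

def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return f"e30.{body}.sig"

# Constructed sample values; substitute the ones from the application in PingOne.
ISSUER, CLIENT_ID = "https://idp.example.com/as", "constructed-client-id"
SAMPLE = make_sample_token({"iss": ISSUER, "aud": CLIENT_ID, "pingaccess-role": "fullAdmin"})

if __name__ == "__main__":
    print(check_claims(decode_claims(SAMPLE), ISSUER, CLIENT_ID))
```

The constructed sample token carries the role under a lower-case claim name, so the check reports the missing claim and points at the case mismatch.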