PingOne

Setting up SSO to PingAccess

To set up single sign-on (SSO) access from the admin console to PingAccess, configure PingOne and PingAccess, and then test the sign-on experience.

Ensure that you have:

  • A licensed version of PingAccess

  • A licensed version of PingOne

Configuring PingOne for SSO in PingAccess

About this task

To configure PingOne for SSO in PingAccess:

Steps

  1. In PingOne, create a new connection:

    1. Go to Applications > Applications, and click the icon.

      Result:

      The Add Application panel opens.

    2. In the Add Application section, enter the following information:

      • Application name: Enter a name such as PingOne administrator console SSO PingAccess (or another name that helps you recognize this connection).

      • Description (optional): Enter a brief description of this application that distinguishes it from others.

    3. In the Choose Application Type section, select OIDC Web App, and then click Save.

    4. In the application details panel, click the Configuration tab, and then click the Pencil icon.

    5. Locate the Redirect URIs field and enter the appropriate URL.

      Example:

      https://<FQDNofPAServer>:9000/pa/oidc/cb, where <FQDNofPAServer> is the machine name or fully qualified domain name of your PingAccess server, such as https://localhost:9000/pa/oidc/cb.

    6. Click Save.

    7. On the Resources tab, click the Pencil icon.

    8. In the Scopes list, click or search for the Profile scope to add it to the Selected Scopes section.

      A screen capture of the Edit Resources page displaying the email and profile scopes in the list of allowed scopes.

    9. Click Save.

    10. On the Attribute Mapping tab, click the Pencil icon.

    11. Click the Add button and add the following attribute mappings.

      Attributes            PingOne Mapping
      PingFed Admin Roles   pf_admin_roles

    12. Click the Advanced Configurations button.

    13. For the attributes you just mapped, click the Required checkbox.

    14. Click Save.

  2. To enable the application, click the toggle to the on (blue) position.

  3. Add a new PingFederate administrator and define their role and responsibilities.

    If you already added an administrator when you set up SSO to PingFederate (Configuring PingOne, step 5), skip this step.

    1. Go to Directory > Users and click the icon.

    2. On the Add User panel, enter a user name for the PingFederate administrator that has the fullAdmin role.

    3. Click Save.

    4. In the user details panel, click the Roles > Administrator Roles tab, and then click the Grant Roles button.

    5. In Available Responsibilities, click PingFederate Administrator and select checkboxes for the organizations and environments where the administrator should have this role.

      A screen capture of the Available responsibilities to grant a user.

    6. Click PingFederate User Administrator and select checkboxes for the organizations and environments where the administrator should have this role.

    7. Click Save.

    8. Click the More Options (⋮) icon and select Reset Password.

    9. Select Force password reset on next sign on.

    10. Click Save.

  4. Select Applications > Applications and locate the application you created earlier.

  5. Click the application entry to open the details panel.

  6. On the Configurations tab, review the configuration information.

    You need this configuration property information to configure PingAccess for SSO, so you might want to keep this browser window open.

    A screen capture of the Configurations page, which displays configuration information for an application.

Configuring PingAccess

After configuring PingOne for SSO, configure PingAccess.

Steps

  1. In PingAccess, go to Settings > System > Token Provider.

  2. On the Token Provider page, in the Issuer URL field, enter the issuer URL for the connection you created in PingOne.

    This URL is displayed on the Applications page in PingOne.

    A screen capture of the Token Provider page.

  3. Go to Settings > Admin UI Authentication > Authentication Method.

  4. On the Authentication Method page, select the Single Sign-On option and complete the fields with the following information:

    1. In the OpenID Connect Login Type field, select the Code option.

    2. In the Client ID field, enter the client ID for the connection you created in PingOne.

    3. In the Client Credentials Type field, select Secret and enter the client secret for the connection you created in PingOne. Click Save and Close.

      A screen capture of the Authentication Method page.

  5. Restart PingAccess.
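The steps above hinge on three values matching exactly across the two products: the redirect URI registered in PingOne, the Issuer URL entered on the PingAccess Token Provider page, and the pf_admin_roles attribute mapping marked Required. The following script is an added example (not PingOne or PingAccess code) that checks those settings offline before you restart PingAccess. The issuer URL shape (https://auth.pingone.com/<envId>/as), the discovery document, the ID-token claims and the client ID are all constructed placeholders, not values from a real environment.

```python
"""Offline pre-flight checks for the PingOne -> PingAccess admin SSO settings
configured above. Added example, not PingOne or PingAccess code; every value
below is a constructed placeholder, not data from a real environment."""
import json
from typing import Dict, List
from urllib.parse import urlparse

# Assumed shape of a PingOne issuer URL (https://auth.pingone.com/<envId>/as);
# the environment ID here is a constructed placeholder.
ISSUER_URL = "https://auth.pingone.com/00000000-0000-0000-0000-000000000000/as"
CLIENT_ID = "constructed-client-id"
REDIRECT_URI = "https://pa.example.internal:9000/pa/oidc/cb"

# Constructed OIDC discovery document, trimmed to the fields the checks read.
# In practice it is fetched from ISSUER_URL + "/.well-known/openid-configuration".
DISCOVERY_JSON = json.dumps({
    "issuer": ISSUER_URL,
    "authorization_endpoint": ISSUER_URL + "/authorize",
    "token_endpoint": ISSUER_URL + "/token",
    "jwks_uri": ISSUER_URL + "/jwks",
    "response_types_supported": ["code", "id_token", "token"],
    "grant_types_supported": ["authorization_code", "implicit"],
    "scopes_supported": ["openid", "profile", "email"],
})

# Constructed ID-token payload as PingAccess would see it after signature
# verification; pf_admin_roles comes from the Required attribute mapping.
ID_TOKEN_CLAIMS: Dict[str, object] = {
    "iss": ISSUER_URL,
    "aud": CLIENT_ID,
    "sub": "constructed-user-id",
    "pf_admin_roles": ["fullAdmin"],
}


def check_redirect_uri(uri: str) -> List[str]:
    """Verify the URI registered in PingOne has the PingAccess callback shape."""
    problems = []
    parts = urlparse(uri)
    if parts.scheme != "https":
        problems.append("redirect URI must use https")
    if not parts.hostname:
        problems.append("redirect URI must name the PingAccess host")
    if parts.path != "/pa/oidc/cb":
        problems.append("redirect URI path must be /pa/oidc/cb")
    if parts.query or parts.fragment:
        problems.append("redirect URI must not carry a query or fragment")
    return problems


def check_discovery(doc_json: str, configured_issuer: str) -> List[str]:
    """Check the provider's discovery document against the Token Provider setting."""
    doc = json.loads(doc_json)
    problems = []
    # OpenID Connect requires the iss claim to match the issuer identifier
    # exactly, so a trailing slash or typo in the Issuer URL field breaks sign-on.
    if doc.get("issuer") != configured_issuer:
        problems.append("Issuer URL does not match the discovery document's issuer")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise response_type=code")
    if "authorization_code" not in doc.get("grant_types_supported", []):
        problems.append("provider does not advertise the authorization_code grant")
    for scope in ("openid", "profile"):
        if scope not in doc.get("scopes_supported", []):
            problems.append(f"scope {scope!r} is not allowed on the Resources tab")
    for endpoint in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(endpoint, "")).startswith("https://"):
            problems.append(f"{endpoint} is missing or not https")
    return problems


def check_id_token_claims(claims: Dict[str, object], configured_issuer: str,
                          client_id: str) -> List[str]:
    """Check a decoded ID token carries what the admin-console sign-on needs."""
    problems = []
    if claims.get("iss") != configured_issuer:
        problems.append("iss claim does not match the configured Issuer URL")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        problems.append("aud claim does not include this client ID")
    if not claims.get("sub"):
        problems.append("sub claim is missing")
    # The attribute mapping above is marked Required, so its absence is a defect.
    if not claims.get("pf_admin_roles"):
        problems.append("pf_admin_roles claim is missing (check the Required attribute mapping)")
    return problems


def run_all_checks() -> List[str]:
    """Run every check on the constructed sample; an empty list means all passed."""
    return (check_redirect_uri(REDIRECT_URI)
            + check_discovery(DISCOVERY_JSON, ISSUER_URL)
            + check_id_token_claims(ID_TOKEN_CLAIMS, ISSUER_URL, CLIENT_ID))


if __name__ == "__main__":
    for problem in run_all_checks() or ["all checks passed"]:
        print(problem)
```

To use it against a real deployment, replace DISCOVERY_JSON with the body fetched from the issuer's /.well-known/openid-configuration endpoint and ID_TOKEN_CLAIMS with the decoded payload of a token from a test sign-on; the checks are deliberately read-only and touch neither product.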

Testing the sign-on experience to PingAccess

After configuring PingOne and PingAccess, test SSO to PingAccess.

Steps

  1. In PingOne, click the Ping Identity logo.

    Result:

    The admin console home page displays the environments to which you have access.

    A screen capture of the environment dashboard.

  2. Click the environment to open the details pane.

  3. Click Manage Environment to go to the Overview page for the environment.

  4. In the Services section, click the PingAccess icon.

    Result:

    The PingAccess administrator console opens.

    If the OpenID Connect token provider is unreachable, define a fallback administrator authentication method. In the /<PA_HOME>/conf/run.properties file, set the admin.auth property to native. Restart PingAccess.