Setting up SSO to PingCentral
To set up single sign-on (SSO) access from the admin console home page to PingCentral, configure PingOne and PingCentral, and then test the sign-on experience.
Ensure that you have:
-
A licensed version of PingCentral
-
A licensed version of PingOne
-
A text editor or terminal
When SSO is enabled for PingCentral, auto-provisioning is also enabled, which currently causes sign-on issues. New users are created during this process even if those users already have PingCentral accounts. |
See the following topics:
Configuring PingOne for SSO in PingCentral
Steps
-
In PingOne, add a new attribute to PingFederate administrator roles:
-
Go to Directory → User Attributes, and click the Add Attribute button.
Result:
The Select Attribute Type page opens.
-
On the Select Attribute Type page, select Declared, and then click Next.
Declared attributes maintain the values of the claims that authorize access to other products.
-
On the Set Attribute Properties page, enter the following information:
-
Name:
PingCentral-Role
(this value is case sensitive) -
Display name:
PingCentral Role
-
Description (Optional): Enter a brief description of this attribute that distinguishes it from others.
-
-
Click Save and Close.
-
-
Create a new connection:
-
Go to Applications → Applications, and click the icon.
Result:
The Add Application panel opens.
-
In the Name and Describe Application section, enter the following information:
-
Application name:
the PingOne administration console SSO PingCentral
(or another name that helps you recognize this connection). -
Description (Optional): Enter a brief description of this application that distinguishes it from others.
-
-
In the Choose Application Type section, select OIDC Web App, and then click Save.
-
In the application details panel, click the Configuration tab, and then click the pencil icon.
-
Locate the Redirect URIs field and enter the appropriate URL .
Example:
For example,
https://<FQDNofServer>:9022/login/oauth2/code/pingcentral
, where <FQDNofServer> is either the machine name or fully qualified domain name of your PingCentral server, such ashttps://localhost:9022/login/oauth2/code/pingcentral
. -
Click Save.
-
Click the Resources tab, and then click the pencil icon.
-
In the Scopes list, locate Profile scope. Click the icon to add it to the Allowed Scopes section .
The
openid
scope is included by default. -
Click Save.
-
Click the Attribute Mapping tab, and then click the pencil icon.
-
Click the Add button and add the following attribute mappings.
Attributes PingOne PingOneMapping PingCentral Role
PingCentral-Role(this option is case sensitive)
-
Click the Advanced Configurations button.
-
For the PingCentral Role attribute, select the Required check box.
-
Click Save.
-
-
To enable the application, click the toggle switch to the on (blue) position.
-
Add a new PingCentral administrator and define their role and responsibilities.
-
Go to Directory → Users, and click the icon.
-
On the Add User panel, enter the following information:
-
Given Name and Family Name: Enter the user’s name in these fields.
-
Username: Enter a username for the PingCentral administrator who has the IAM-Admin role.
Username is the only required field.
-
-
Click Save.
-
In the user details panel, click the Roles → Administrator Roles tab and click the Grant Roles button.
-
In Available Responsibilities, click Client Application Developer and select checkboxes for the organizations and environments where the administrator should have this role.
-
Click Identity Data Admin and select checkboxes for the organizations and environments where the administrator should have this role.
-
In the More Options menu (three dots), click Reset Password.
-
Select Force Password reset on next sign on.
-
Click Save.
-
-
Select Applications → Applications, and locate the application you created earlier.
-
Click the application entry to open the details panel.
-
Click the Configuration tab and review the configuration information.
You need this configuration property information to configure PingCentral for SSO, so keep this browser window open.
Next steps
To continue the configuration, see Configuring PingCentral.
Configuring PingCentral
After configuring PingOne for SSO, configure PingCentral.
Steps
-
Using a text editor, open the
<pc-path>conf/application.properties
file. -
Use the configuration information on the PingOne Applications page to update the following values in the
application.properties
file.Watch for unwanted line breaks when pasting values into this file.
PingOne PingOneattribute application.properties file attribute Attribute Example pingcentral.sso.oidc.enabled
true
pingcentral.sso.oidc.enabled=true
Issuer
pingcentral.sso.oidc.issuer-uri
Issuer
pingcentral.sso.oidc.issuer-uri=https://auth.pingone.com/3c2f30a3-7a92-406e-b8f2-6a181e56f46b/as
Client ID
pingcentral.sso.oidc.client-id
Client ID
pingcentral.sso.oidc.client-id=5be9323a-e953-4aa6-8db3-5f4113a73f83
Client Secret
pingcentral.sso.oidc.client-secret
Client Secret
pingcentral.sso.oidc.client-secret=cigVeh5py8IC2~ViGMmM3sslpYyMLCWr5SnmjXwvHUG-r4CYjtoOMAlNSPqZ4bc9
-
Save and close the file.
-
Restart PingCentral.
Next steps
To test the sign-on experience, see Testing the sign-on experience to PingCentral.
Testing the sign-on experience to PingCentral
After configuring PingOne and PingCentral, test the sign-on experience to PingCentral.
Steps
-
In the admin console sidebar, click the Ping Identity logo to open the Environments page and browse or search for the applicable environment.
-
Click the environment to open the details pane.
-
Click Manage Environment to go to the Overview page for the environment.
-
In the Services section, click the PingCentral icon.
Result:
The PingCentral admin console opens.