PingOne

Setting up SSO to PingFederate

To set up access for administrators from the PingOne admin console to the PingFederate administrative console, configure PingOne and PingFederate and test the sign-on experience.

Before you begin

Ensure that you have:

  • A licensed version of PingFederate 10.1.2 or later

  • A PingOne account

  • A text editor or terminal

  • The Environment Admin role assigned in PingOne

For PingOne users to use SSO to PingFederate, they must have one or more PingFederate-related roles in PingOne. You can assign roles in the PingOne admin console. Learn more in Administrator Roles and Managing user roles.

Steps

  1. In the PingOne admin console, go to the Overview page.

  2. Locate the PingFederate tile and click Configure Administrator SSO.

    A screen capture of the Configure PingFederate SSO tile.

  3. Enter the URL for the PingFederate administrative console.

    Example:

    https://<pf_host>:<pf_port>/pingfederate/app

    A screen capture of PingFederate SSO step 1.

  4. Click Save and Continue.

  5. Copy the provided settings to the oidc.properties file on the PingFederate administrative server.

    A screen capture of the PingFederate SSO step 2.

    The following three unique parameters allow administrators to use SSO into PingFederate 11.2 or later from any PingOne environment if they have the proper administrator roles assigned for the environment. Learn more in Administrator Roles.

    For PingFederate 11.1 or earlier, the administrator’s identity must exist in the same PingOne environment as the SSO configuration, and these parameters can’t be used.
    Request Parameter Value

    request.parameter.name.1

    The request parameter’s name. The value is iss.

    This field is required. Do not use URL encoding for the name.

    request.parameter.default.value.1

    The default value of the request parameter. The value is the authorization endpoint of the current environment if the administrator identity resides in the current environment.

    • If this parameter isn’t included in the request, the default value is included in the authorization request.

    • If this parameter isn’t included in the request, and no default value is specified, the parameter isn’t included in the authorization request.

    • This field is optional when request.parameter.overridable.1 is set to true.

    request.parameter.overridable.1

    Specifies whether the request parameter can be overridden at runtime. The value is set to true, which allows the administrator identity’s home environment to override the value.

    This field is optional. Possible values are true or false. If not specified, the default is false.

    If this property is set to false, the request.parameter.default.value.1 is always included in the authorization request and can’t be overridden.

  6. Click Next.

  7. Copy the provided run.properties file attribute value to the run.properties file on the PingFederate administrative server.

    A screen capture of PingFederate SSO step 3.

  8. Click Next.

  9. Click Close.

    A screen capture of PingFederate SSO step 4.

  10. Restart the PingFederate server.

Testing SSO to PingFederate

After configuring PingOne and PingFederate, test the sign-on experience to PingFederate.

Before you begin

You must have a PingFederate-related role to perform this task. Learn more in Administrator Roles.

Steps

  • In the PingOne admin console, on the Overview page, locate the PingFederate tile and click the PingFederate icon.

    Launch PingFederate admin console

    Result:

    The PingFederate administrative console opens.