PingOne

Setting up SSO to PingFederate

To set up single sign-on (SSO) access for administrators from the admin console to the PingFederate administrative console, configure PingOne and PingFederate, and then test the sign-on experience.

Before you begin

Ensure that you have:

  • A licensed version of PingFederate 10.1.2 or later

  • A licensed version of PingOne

  • A text editor or terminal

  • The Environment Admin role in PingOne to set up SSO to PingFederate

For PingOne users to SSO to PingFederate, they must have one or more PingFederate-related roles in PingOne. You can assign roles in the PingOne admin console. Learn more in Administrator Roles and Managing user roles.

Steps

  1. On the Overview page, locate the PingFederate tile and click Configure Administrator SSO.

    A screen capture of the Configure PingFederate SSO tile.
  2. Enter the URL for the PingFederate administrative console.

    Example:

    https://<pf_host>:<pf_port>/pingfederate/app

    A screen capture of PingFederate SSO step 1.
  3. Click Save and Continue.

  4. Copy the provided OpenID Connect (OIDC) settings to the oidc.properties file on the PingFederate administrative server.

    A screen capture of the PingFederate SSO step 2.

    The following three unique parameters allow administrators to use SSO into PingFederate 11.2 or later from any PingOne environment if they have the proper administrator roles assigned for the environment. Learn more in Administrator Roles.

    Request Parameter Value

    request.parameter.name.1

    The request parameter’s name. The value is iss.

    This field is required. Do not use URL encoding for the name.

    request.parameter.default.value.1

    The default value of the request parameter. The value is the authorization endpoint of the current environment if the admin identity resides in the current environment.

    • If this parameter is not included in the request, the default value will be included in the authorization request.

    • If this parameter is not included in the request, and no default value is specified, the parameter will not be included in the authorization request.

    • This field is optional when request.parameter.overridable.1 is set to true.

    request.parameter.overridable.1

    Specifies whether the request parameter can be overridden at runtime. The value is set to true, which allows the admin identity’s home environment to override the value.

    This field is optional. Possible values are true or false. If not specified, the default is false.

    If this property is set to false, the request.parameter.default.value.1 will always be included in the authorization request and cannot be overridden.

  5. Click Next.

  6. Copy the provided run.properties file attribute value to the run.properties file on the PingFederate administrative server.

    A screen capture of PingFederate SSO step 3.
  7. Click Next.

  8. Click Close.

    A screen capture of PingFederate SSO step 4.
  9. Restart the PingFederate server.

Testing the sign-on experience to PingFederate

After configuring PingOne and PingFederate, test the sign-on experience to PingFederate.

Before you begin

You must have a PingFederate-related role to perform this task. For more information, see Administrator Roles.

Steps

  • On the Overview page, locate the PingFederate tile and click the PingFederate icon.

    Launch PingFederate admin console

    Result:

    The PingFederate administrative console opens.