Setting up SSO to PingFederate
To set up single sign-on (SSO) access for administrators from the admin console to the PingFederate administrative console, configure PingOne and PingFederate, and then test the sign-on experience.
Before you begin
Ensure that you have:
-
A licensed version of PingFederate 10.1.2 or later
-
A licensed version of PingOne
-
A text editor or terminal
-
The Environment Admin role in PingOne to set up SSO to PingFederate
For PingOne users to SSO to PingFederate, they must have one or more PingFederate-related roles in PingOne. You can assign roles in the PingOne admin console. Learn more in Administrator Roles and Managing user roles. |
Steps
-
On the Overview page, locate the PingFederate tile and click Configure Administrator SSO.
-
Enter the URL for the PingFederate administrative console.
Example:
https://<pf_host>:<pf_port>/pingfederate/app
-
Click Save and Continue.
-
Copy the provided OpenID Connect (OIDC) settings to the
oidc.properties
file on the PingFederate administrative server.The following three unique parameters allow administrators to use SSO into PingFederate 11.2 or later from any PingOne environment if they have the proper administrator roles assigned for the environment. Learn more in Administrator Roles.
Request Parameter Value request.parameter.name.1
The request parameter’s name. The value is
iss
.This field is required. Do not use URL encoding for the name.
request.parameter.default.value.1
The default value of the request parameter. The value is the authorization endpoint of the current environment if the admin identity resides in the current environment.
-
If this parameter is not included in the request, the default value will be included in the authorization request.
-
If this parameter is not included in the request, and no default value is specified, the parameter will not be included in the authorization request.
-
This field is optional when
request.parameter.overridable.1
is set totrue
.
request.parameter.overridable.1
Specifies whether the request parameter can be overridden at runtime. The value is set to
true
, which allows the admin identity’s home environment to override the value.This field is optional. Possible values are
true
orfalse
. If not specified, the default isfalse
.If this property is set to
false
, therequest.parameter.default.value.1
will always be included in the authorization request and cannot be overridden. -
-
Click Next.
-
Copy the provided run.properties file attribute value to the
run.properties
file on the PingFederate administrative server. -
Click Next.
-
Click Close.
-
Restart the PingFederate server.
Testing the sign-on experience to PingFederate
After configuring PingOne and PingFederate, test the sign-on experience to PingFederate.
Before you begin
You must have a PingFederate-related role to perform this task. For more information, see Administrator Roles.
Steps
-
On the Overview page, locate the PingFederate tile and click the PingFederate icon.
Result:
The PingFederate administrative console opens.