Ensure that you have:

  • A server that accepts LDAPS connections

    This server will host the admin console that is being configured for SSO.

  • A account

    For more information, see Getting started with .

Tip:

You can use groups to organize user identities, as explained in Groups. You can also set access to applications, as explained in Application access control.

During this setup:

To set up SSO to the administrative console from :

  1. From the admin console home page, add and :
    • To add a new environment for SSO and :
      1. On the console home page, click Add Environment.
      2. Select Customer solution, and then click Next.
      3. Click Next.
      4. Enter an Environment Name and Description, then in the labeled lists, select an Environment Type, Region, and License.
      5. Click Finish.

        SSO, Risk, Verify, and MFA are automatically deployed.


        A screen capture of the admin console Create Environment page showing SSO will be automatically deployed.
      6. On the console home page, in the Your Environments list, select your new environment, and then click the + icon.
      7. Click Add next to .
        Note:

        Services that have been already added have a green check mark icon next to the service name instead of + Add.

      8. Click Finish.
    • To add SSO and to an existing environment:
      1. On the console home page, in the Your Environments list, select the environment, and then click the + icon.
      2. Click Add next to SSO and .
        Note:

        Services that have been already added have a green check mark icon next to the service name instead of + Add.

      3. Click Finish.
    1. Click Add Admin UI Link, and in the Enter Admin URL field, enter https://<hostname>:<port>/console/login, replacing the bracketed variables with the server's hostname and HTTP port.
      Tip:
      You can specify the LDAP server to bind to using the query parameters ldap-hostname and ldaps-port when the administrative console is configured for SSO. By binding to the LDAP server, you can use a single console instance to administer multiple servers. An LDAPS scheme is always assumed because an encrypted connection is always required for SSO. Using these parameters, you can specify the URL as follows.
      https://<hostname>:<port>/console?ldap-hostname=<my-ldap-host>&ldaps-port=<my-ldaps-port>
    2. Click Save.
  2. To configure the matching administrator accounts for and the server, go to the dashboard for the environment that will be used with the server and repeat the following steps for each user for whom you want to enable SSO:
    1. On the admin console home page, select the appropriate environment and click the icon.
    2. In , go to Identities.
    3. Select the administrative user you want to configure and click the Expand icon.
    4. Run the following dsconfig command and replace the bracketed fields with the values of the administrative user. 
      ~/<pd_install>/dsconfig create-root-dn-user --user-name <Username> \
  --set first-name:<Given Name> \
  --set last-name:<Family Name>
  3. Register the admin console with .
    1. Go to Add an application - Web application and follow the instructions in the Add an OIDC application subsection.
    2. Enter the application properties, as shown in this table.
    Property Value

    Application Name

    administrative console

    Description

    Application for the administrative console

    Redirect URLs

    https://<hostname>:<port>/console/oidc/cb

    Note:
    Replace the bracketed values in Redirect URLs with your server's hostname and HTTP port. To find the port, run the status command from the bin directory.
    0.0.0.0:11443 : HTTPS    : Enabled  : HTTPS Connection Handler

    Attribute Mapping

    'Username' = 'sub'
    Note:

    No OIDC scopes are required for to grant access to the administrative console.

  4. Select the newly-created Administrative Console application in the Applications list, and go to the Configuration tab.
  5. To edit the listed configuration properties, click the Pencil icon.

    Edit the configuration properties using the values in this table.

    Property Value

    Response Type

    Select the Code check box.

    Grant Type

    Select the Authorization Code check box.

    Token Endpoint Authentication Method

    Click Client Secret Basic.
    Note:

    For more information about updating the properties of your new application, see Edit an application - OIDC in the Administration Guide.

  6. Click Save.
  7. Click the toggle to enable user access to the application.
  8. On the Configuration tab, record the values for these application properties to use in step 10:
    • Issuer
    • Client ID
    • Client Secret
  9. Create a copy of the PingDirectory/config/sample-dsconfig-batch-files/enable-pingone-admin-console-sso.dsconfig file, leaving the source file as-is.
  10. Open the copy of the file and replace the bracketed values with the values from step 8. 
    # Create an ID token validator suitable for verifying ID tokens generated
# by the PingOne service. The "All Admin Users" identity mapper will be used
# to match users that authenticate with PingOne to either root DN users or
# topology admin users defined in the server configuration.
dsconfig create-id-token-validator \
--validator-name "PingOne ID Token Validator" \
--type ping-one \
--set enabled:true \
--set "identity-mapper:All Admin Users" \
--set evaluation-order-index:1 \
--set issuer-url:[PING_ONE_APPLICATION_ISSUER_URL]

[...]

# Configure the Administrative Console with your application's client
# credentials and issuer URI.
dsconfig set-web-application-extension-prop \
--extension-name Console \
--set sso-enabled:true \
--set oidc-client-id:[PING_ONE_APPLICATION_CLIENT_ID] \
--set oidc-client-secret:[PING_ONE_APPLICATION_CLIENT_SECRET] \
--set oidc-issuer-url:[PING_ONE_APPLICATION_ISSUER_URL]
  11. Run the file using the following command. 
    dsconfig --batch-file \
    enable-pingone-admin-console-sso-copy.dsconfig \
    --no-prompt
  12. Select the link to the server from the solutions home page.

    A sign-on page opens.

  13. Sign on using the administrative user credentials.

    The server administrative console home page opens.