Configure single sign-on (SSO) for the administrative user interface in PingAccess.
To enable SSO, you must complete several configuration steps in both the OpenID Connect (OIDC) token provider and PingAccess. You can configure the administrative SSO option to require a specific authentication mechanism by using the PingAccess authentication requirements options, which leverage the OIDC token provider's Requested AuthN Context Selector.
- The OIDC provider configuration must be completed. See the configuration instructions for your OIDC token provider:
- The OIDC token provider server certificate must be imported into a trusted certificate group, and that trusted certificate group must be associated with the OIDC token provider runtime.
- If you are using PingFederate, you must have a profile scope set up in PingFederate that includes the openid, profile, address, email, and phone scope values. For more information, see the PingFederate documentation for configuring an OAuth client.
If you are using PingFederate as the OIDC token provider, when you configure the client in PingFederate, use the following options:
- The Client Authentication must be set to anything but None.
- The Allowed Grant Types must be set to Authorization Code.
- The Redirect URIs must include https://<PA_Admin_Host>:<PA_Admin_Port>/<reserved application context root>/oidc/cb. The default reserved application context root is /pa.
- If you are not using administrative roles in PingAccess, the OIDC Policy should be set to a policy that uses issuance criteria to restrict access based on some additional criteria.
Warning: If the selected OIDC policy does not use issuance criteria to limit which users can be granted an access token, all users in the associated identity store configured in PingFederate can authenticate to the PingAccess Admin console and make changes. For more information, see Identifying Issuance Criteria for Policy Mapping in the PingFederate Administrator's Manual.
If you are using PingFederate as the OIDC token provider and plan to use Mutual TLS, you must make two changes to the PingFederate configuration.
- Enable the use of the secondary HTTPS port in PingFederate by editing the <PF_HOME>/pingfederate/bin/run.properties file and setting the pf.secondary.https.port value to a port value. For more information, see the PingFederate documentation.
- Modify the openid-configuration.template.json file to add the mtls_endpoint_aliases object, with content defined by RFC 8705. For more information about this file, see the PingFederate documentation.
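The following is an added example (not PingAccess or PingFederate code) that checks two of the prerequisites above against the OIDC discovery document the token provider publishes: it builds the expected admin Redirect URI from the host, port and context root, and it verifies that the mtls_endpoint_aliases object is present and that each alias points at the secondary HTTPS port. The hostnames, ports and endpoint paths in the sample document are constructed placeholders.

```python
"""Check an OIDC discovery document against the PingAccess admin SSO prerequisites.
Added example; hostnames, ports and paths below are constructed, not real values."""
from urllib.parse import urlsplit

# RFC 8705 section 5: mtls_endpoint_aliases maps endpoint names to their
# mutual-TLS variants. These are the endpoints worth verifying.
MTLS_ENDPOINTS = ("token_endpoint", "revocation_endpoint", "introspection_endpoint")


def admin_redirect_uri(host: str, port: int, context_root: str = "/pa") -> str:
    """Build the Redirect URI the OAuth client in the token provider must list."""
    return f"https://{host}:{port}{context_root.rstrip('/')}/oidc/cb"


def check_discovery(doc: dict, secondary_port: int) -> list:
    """Return a list of problems found; an empty list means the document looks right."""
    problems = []
    if "authorization_code" not in doc.get("grant_types_supported", []):
        problems.append("authorization_code grant not advertised")
    aliases = doc.get("mtls_endpoint_aliases")
    if not isinstance(aliases, dict):
        problems.append("mtls_endpoint_aliases object missing")
        return problems
    for name in MTLS_ENDPOINTS:
        if name not in aliases:
            problems.append(f"{name} has no mTLS alias")
            continue
        parts = urlsplit(aliases[name])
        # Each alias must be https and on the pf.secondary.https.port from run.properties.
        if parts.scheme != "https" or parts.port != secondary_port:
            problems.append(f"{name} alias is not on https port {secondary_port}")
    return problems


# Constructed sample resembling a discovery document after the template edit (placeholders).
SAMPLE_DISCOVERY = {
    "issuer": "https://pf.example.test:9031",
    "token_endpoint": "https://pf.example.test:9031/as/token.oauth2",
    "grant_types_supported": ["authorization_code", "implicit"],
    "mtls_endpoint_aliases": {
        "token_endpoint": "https://pf.example.test:9032/as/token.oauth2",
        "revocation_endpoint": "https://pf.example.test:9032/as/revoke_token.oauth2",
        "introspection_endpoint": "https://pf.example.test:9032/as/introspect.oauth2",
    },
}

if __name__ == "__main__":
    print(admin_redirect_uri("pa-admin.example.test", 9000))
    print(check_discovery(SAMPLE_DISCOVERY, 9032) or "discovery document OK")
```

Against a live deployment, load the document from the provider's /.well-known/openid-configuration endpoint and pass the value you set for pf.secondary.https.port.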
Use the SSO authentication page in PingAccess to enter the client ID for the OAuth client you created in the OIDC token provider.
Complete the configuration for connecting to the PingFederate OAuth authorization server on the PingFederate for PingAccess SSO configuration page, then complete the steps below.
You can configure roles for UI users. Each role grants access to specific features.
- The Administrator role has full access to the UI, unless the Platform Administrator role is enabled. If the Platform Administrator role is enabled, the Administrator cannot update authorization, user, or environment settings, but can use all other features.
- The Platform Administrator role has full access to all features. This role can be used with the Administrator role to grant full access to most features without the possibility of accidental lockout, with only the Platform Administrator able to change authorization configurations.
- The Auditor role can view the user interface but cannot change the configuration.