To enable administrator SSO to PingAccess, configure the following settings within the PingFederate authorization server. Click the icon ( ) next to each section heading to access additional configuration information. For example, click next to Roles and Protocols to open a new window and view the Choosing Roles and Protocols page of the PingFederate documentation.


The following information is an example configuration and does not cover all required steps for each PingFederate OAuth Settings page discussed, only fields necessary for successful SSO to the PingAccess administrative console. Fields not mentioned are not necessary for this configuration. For configuration details of the PingFederate OAuth settings pages, see Using OAuth Menu Selections.


You must complete the configuration for connecting to the PingFederate OAuth authorization server instance you plan to use. For more information, see Configuring PingFederate administration.

Roles and Protocols

  • Enable the OAuth 2.0 AS role and the OpenID Connect (OIDC) protocol.
  • Enable the identity provider (IdP) Provider role and a protocol.
Password Credential Validator (PCV)
  • Create a PCV for authenticating administrative users.
  • Create an HTML Form IdP Adapter and specify the PCV you configured.
Authorization Server Settings
  • Select Implicit in the Reuse Existing Persistent Access Grants for Grant Types section.
Access Token Management
  • Select Internally Managed Reference Tokens as the Access Token Management Type.
  • Extend the contract by adding the Username attribute on the Access Token Attribute Contract page.
OpenID Connect Policy Management

Create an OIDC Policy to use specifically for PingAccess administrative console authentication.

  • Delete all of the attributes that appear in the Extend the Contract section of the Attribute Contract page. The only required attribute is sub.
  • Select Access Token as the Source and Username as the Value on the Contract Fulfillment page.
Client Management

Create a Client to use specifically for PingAccess administrative console authentication.

  • Select an option other than None for Client Authentication.
  • Add the location of the PingAccess host as a Redirect URI. For example, https://<PA_Admin_Host>:<PA_Admin_Port>/<reserved application context root>/oidc/cb.
  • Select Authorization Code as an Allowed Grant Type.
  • Select one of the elliptic curve (ECDSA) algorithms as the OIDC ID Token Signing Algorithm and select the OIDC Policy to use for PingAccess administrative console authentication.
IdP Adapter Mapping
  • Map the HTML Form IdP Adapter Username value to the USER_KEY and the USER_NAME contract attributes for the persistent grant and the user's display name on the authorization page, respectively.
Access Token Mapping
  • Map values into the token attribute contract by selecting Persistent Grant as the Source and USER_KEY as the value for the Username attribute. These are the attributes included or referenced in the access token.