Configuring admin UI SSO authentication - PingAccess - 7.0

Complete the configuration for connecting to the PingFederate OAuth authorization server on the PingFederate for PingAccess SSO configuration page.

You can configure roles for UI users. Each role grants access to specific features:

  • The Administrator role has full access to the UI, unless the Platform Administrator role is enabled. If the Platform Administrator role is enabled, the Administrator can't update authorization, user, or environment settings, but can use all other features.
  • The Platform Administrator role has full access to all features. This role can be used with the Administrator role to grant full access to most features without the possibility of accidental lockout, with only the Platform Administrator able to change authorization configurations.
  • The Auditor role can view the user interface but can't change the configuration.

To configure admin UI SSO:

  1. Click Settings and then go to Admin Authentication > UI Authentication.
  2. On the Authentication Method page, click Single Sign-On.
    Tip:

    To define a fallback administrator authentication method for use when the OIDC token provider is unreachable, set the admin.auth property to native in the run.properties file. This overrides any configured administrative authentication method with basic authentication.

  3. In the OpenID Connect Login Type list, select a sign-on type:
    • Code (default): The standard OIDC sign-on flow.
    • POST: A sign-on flow using the form_post response mode, which returns response parameters as application/x-www-form-urlencoded HTML form values.
    • x_post: A sign-on flow based on OIDC that passes claims from the provider through the browser using the implicit grant type.
  4. In the Client ID field, enter the unique identifier assigned when you created the PingAccess OAuth client within your OIDC token provider.
  5. Select a Client Credentials Type, then provide the information required for the selected credential type.

    This is required when configuring the Code sign-on type or if you enabled session validation.

    • Click Secret to use a client secret. In the Client Secret field, enter the client secret assigned when you created the OAuth relying party client in the token provider.
    • Click Mutual TLS to use Mutual TLS client authentication. In the Key Pair list, select a configured key pair to use for Mutual TLS client authentication.
    • Click Private Key JWT to use Private Key JSON web token (JWT). No additional information is needed.
    Info:

    The OAuth client you use with PingAccess web sessions must have an OIDC policy specified. For more information, see Configuring OpenID Connect Policies.

  6. Optional: If your environment requires an authentication requirements list, in the Authentication Requirements list, select a defined authentication requirements list or click Create to create a new list.
  7. Optional: In the Username Attribute Name field, enter the attribute from the ID token to be used as the display name in the user interface and included in the audit logs.

    If the attribute isn't specified or can't be found, the sub attribute is used.

  8. Optional: If you want to enable advanced settings, click Show Advanced and use one or more of the advanced options.
    Advanced options and their descriptions:
    Scopes

    Configure your token provider to handle all of the requested scopes you specify, including any custom scope values.

    • To request one or more scopes from the OIDC token provider, in the Scopes list, select one or more scopes.
      Note:

      If you configured a token provider, published scopes are available to select in the list based on the selected Client ID.

    • To specify unverified scopes, enter the scope and click Use unverified scope "[scopename]".
    Note:

    The user can see all attributes by examining browser traces. Although the ID token is integrity-protected to prevent changes, any sensitive or confidential attributes it carries are visible to a user who decodes the ID token's value.

    Validate Session

    To validate sessions with the configured PingFederate instance during request processing, in the Validate Session options, click Yes.

    Note:

    This option is not supported by PingOne or third-party OIDC token providers.

    Refresh User Attributes
    1. To periodically refresh user data from the OIDC token provider, in the Refresh User Attributes options, click Yes.
    2. Specify a Refresh User Attributes Interval in seconds.
    Cache User Attributes

    To have PingAccess cache user attribute information for use in policy decisions, select the Cache User Attributes check box.

    Note:

    When this option is disabled, user attribute information is encoded and stored in the session cookie.

    Enable PKCE

    To have PingAccess send a SHA256 code challenge and corresponding code verifier as a Proof Key for Code Exchange during the code authentication flow, select the Enable PKCE check box.

    Note:

    The OpenID Connect Login Type must be set to Code for PingAccess to use PKCE.

    Use Single-Logout

    To enable the use of single logout (SLO), select the Use Single-Logout check box.

    Important:

    You must configure this option in the OIDC provider.

    Tip:

    If you're using PingFederate as a token provider, enable the Check For Valid Authentication Session option in the PingFederate access token management configuration to prevent session replay.

  9. Optional: To enable role-based authorization:
    1. Click the Roles tab.
    2. To enable role-based authorization, select the Enable Roles check box.
    3. In the Administrator section, click Add Required Attribute for each attribute you want to add.

      For a role to be granted, all configured attribute values must match.

    4. Enter an Attribute Name and Attribute Value for each required attribute.
      Note:

      If you're using PingFederate as a token provider, the attribute name is defined in PingFederate under OAuth Settings > OpenID Connect Policy Management > Your_Policy > Attribute Contract as an extension to the contract.

      The value you use depends on the configuration of the Contract Fulfillment tab for the policy.

      The attribute named group in your attribute contract can be mapped to an LDAP server attribute source that contains a groupMembership attribute.

      A valid group membership for the administrator might be the group cn=pingaccess-admins,o=myorg. In this example, you should use group as the Attribute Name and cn=pingaccess-admins,o=myorg as the Attribute Value.

    5. Optional: To add platform administrators:
      1. Select the Enable Platform Administrator Role check box.
      2. Enter an Attribute Name and Attribute Value for each required attribute.
      3. Click Add Required Attribute to add a new attribute.
    6. Optional: To add auditors:
      1. Select the Enable Auditor Role check box.
      2. Enter an Attribute Name and Attribute Value for each required attribute.
      3. Click Add Required Attribute to add a new attribute.
  10. Click Save.
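As an added example (not PingAccess or PingFederate code), this Python block shows what the Enable PKCE option in step 8 puts on the wire for the Code login type: the client derives an S256 code challenge from a random verifier, adds it to the authorization request, and the token provider recomputes the challenge from the verifier presented at its token endpoint. The client_id and redirect_uri values are assumptions.

```python
import base64
import hashlib
import secrets


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random code_verifier of 43..128 unreserved characters (RFC 7636 section 4.1)."""
    # 32 random bytes encode to 43 base64url characters once the '=' padding is dropped.
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without padding (section 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorization_request_params(client_id: str, redirect_uri: str,
                                 scopes: list, challenge: str) -> dict:
    """Parameters the client adds to the Code-flow authorization request when PKCE is on.
    Only the challenge travels through the browser; the verifier stays with the client."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }


def provider_accepts_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    """Token-endpoint check on the provider side: recompute the challenge from the
    verifier sent with the authorization code and compare it in constant time with the
    challenge stored alongside that code. An intercepted code alone cannot pass this."""
    return secrets.compare_digest(stored_challenge, make_code_challenge(presented_verifier))


if __name__ == "__main__":
    # Assumed values: the client ID and redirect URI are placeholders, not real settings.
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    print(authorization_request_params("pingaccess-admin-ui", "https://pa.example/redirect",
                                       ["openid", "profile"], challenge))
    print("verifier accepted:", provider_accepts_verifier(challenge, verifier))
```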

If you misconfigure admin UI SSO and are locked out, see Administrative SSO lockout for information about regaining access.
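The attribute-matching rule from step 9 (a role is granted only when all configured attribute values match) and the sub fallback from step 7, as an added Python example rather than PingAccess's own logic. The ID token claims and group names are constructed for the example, and treating a multi-valued claim as matching when it contains the required value is an assumption.

```python
# Constructed sample: the (attribute name, attribute value) pairs entered on the Roles tab.
# The group names are made up for this example.
ROLE_REQUIREMENTS = {
    "Administrator": [("group", "cn=pingaccess-admins,o=myorg")],
    "Platform Administrator": [
        ("group", "cn=pingaccess-admins,o=myorg"),
        ("group", "cn=platform-admins,o=myorg"),
    ],
    "Auditor": [("group", "cn=pingaccess-auditors,o=myorg")],
}


def attribute_matches(claims: dict, name: str, value: str) -> bool:
    """One required attribute matches the ID token claims.
    Assumption: a multi-valued claim (for example an LDAP groupMembership source
    mapped to 'group') matches when it contains the required value."""
    actual = claims.get(name)
    if actual is None:
        return False
    if isinstance(actual, list):
        return value in actual
    return actual == value


def granted_roles(claims: dict, requirements: dict) -> list:
    """A role is granted only when every configured attribute value matches;
    a role with no required attributes is never granted."""
    return [
        role for role, reqs in requirements.items()
        if reqs and all(attribute_matches(claims, n, v) for n, v in reqs)
    ]


def display_name(claims: dict, username_attribute: str = None) -> str:
    """Name shown in the UI and written to the audit log: the configured
    Username Attribute if it is present in the ID token, otherwise 'sub'."""
    if username_attribute and claims.get(username_attribute):
        return claims[username_attribute]
    return claims["sub"]


# Constructed ID token claims for two users (not real tokens).
ADMIN_CLAIMS = {"sub": "jdoe", "name": "Jane Doe",
                "group": ["cn=pingaccess-admins,o=myorg", "cn=platform-admins,o=myorg"]}
AUDITOR_CLAIMS = {"sub": "auditor1", "group": "cn=pingaccess-auditors,o=myorg"}

if __name__ == "__main__":
    for claims in (ADMIN_CLAIMS, AUDITOR_CLAIMS):
        print(display_name(claims, "name"), "->", granted_roles(claims, ROLE_REQUIREMENTS))
```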