Page created: 27 Jul 2021 | Page updated: 14 Jan 2022
PingAccess 7.0 product documentation. Audience: IT administrator. Content type: configuration, user task. Capability: single sign-on (SSO). Standards, specifications, and protocols: LDAP.
Before you can configure admin UI SSO authentication, you must:
- Configure the OIDC provider:
  - Import the OIDC token provider server certificate into a trusted certificate group and associate that trusted certificate group with the OIDC token provider runtime. For more information, see Importing certificates.
  - If you are using PingFederate, set up a profile scope in PingFederate that includes the openid, profile, address, email, and phone scope values. For more information, see the PingFederate documentation for configuring an OAuth client.
  - If you're using PingFederate as the OIDC token provider, when you configure the client in PingFederate:
    - The Client Authentication must be set to anything but None.
    - The Allowed Grant Types must be set to Authorization Code.
    - The Redirect URIs must include https://<PA_Admin_Host>:<PA_Admin_Port>/<reserved application context root>/oidc/cb. The default reserved application context root is /pa.
    - If you're not using administrative roles in PingAccess, the OIDC Policy should be set to a policy that uses issuance criteria to restrict access based on some additional criteria.
      Warning: If the selected OIDC policy does not use issuance criteria to limit which users can be granted an access token, all users in the associated identity store configured in PingFederate can authenticate to the PingAccess Admin console and make changes.
      For more information, see Identifying Issuance Criteria for Policy Mapping in the PingFederate Administrator's Manual.
  - If you're using PingFederate as the OIDC token provider and plan to use Mutual TLS, you must make two changes to the PingFederate configuration:
    - Enable the use of the secondary HTTPS port in PingFederate by editing the <PF_HOME>/pingfederate/bin/run.properties file and setting the pf.secondary.https.port value to a port value. For more information, see the PingFederate documentation.
    - Modify the openid-configuration.template.json to add the mtls_endpoint_aliases object, with content defined by RFC-8705. For more information about this file, see the PingFederate documentation.
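The following pre-flight check is an added example and is not code from the PingAccess or PingFederate documentation. It encodes the client prerequisites above (client authentication not None, Authorization Code grant, the /pa/oidc/cb redirect URI, issuance criteria when administrative roles are not used) and the mTLS prerequisite (an RFC 8705 mtls_endpoint_aliases object whose endpoints sit on the secondary HTTPS port). The client dictionary keys (client_authentication, allowed_grant_types, redirect_uris, uses_issuance_criteria), the host names and the port numbers are constructed for the check and are not PingFederate's export format; only mtls_endpoint_aliases is the real RFC 8705 metadata field the page refers to.

```python
# Added example (not from the PingAccess or PingFederate documentation): a
# pre-flight check for the client and mTLS prerequisites listed above.
# The client dictionary keys (client_authentication, allowed_grant_types,
# redirect_uris, uses_issuance_criteria) and all sample values are
# constructed for this check and are NOT PingFederate's export format;
# mtls_endpoint_aliases is the RFC 8705 metadata field the page refers to.
from urllib.parse import urlsplit

# Constructed sample values; replace with your own deployment's values.
ADMIN_HOST = "pa-admin.example.com"
ADMIN_PORT = 9000
SECONDARY_PORT = 9032  # value set for pf.secondary.https.port (constructed)

GOOD_CLIENT = {
    "client_authentication": "CLIENT_SECRET",
    "allowed_grant_types": ["authorization_code"],
    "redirect_uris": ["https://pa-admin.example.com:9000/pa/oidc/cb"],
    "uses_issuance_criteria": True,
}

BAD_CLIENT = {
    "client_authentication": "NONE",
    "allowed_grant_types": ["implicit"],
    "redirect_uris": ["https://pa-admin.example.com:9000/oidc/cb"],  # context root missing
    "uses_issuance_criteria": False,
}

GOOD_DISCOVERY = {
    "token_endpoint": "https://pf.example.com:9031/as/token.oauth2",
    "mtls_endpoint_aliases": {
        "token_endpoint": "https://pf.example.com:9032/as/token.oauth2",
        "introspection_endpoint": "https://pf.example.com:9032/as/introspect.oauth2",
    },
}

BAD_DISCOVERY = {"token_endpoint": "https://pf.example.com:9031/as/token.oauth2"}


def expected_callback(admin_host, admin_port, context_root="/pa"):
    """Redirect URI PingAccess expects: https://<host>:<port>/<context root>/oidc/cb."""
    root = "/" + context_root.strip("/")
    return f"https://{admin_host}:{admin_port}{root}/oidc/cb"


def check_client(client, admin_host, admin_port, context_root="/pa", uses_admin_roles=False):
    """Return a list of findings; an empty list means the prerequisites are met."""
    findings = []
    if client.get("client_authentication", "NONE").upper() == "NONE":
        findings.append("client authentication is None; any other method is required")
    if "authorization_code" not in client.get("allowed_grant_types", []):
        findings.append("allowed grant types do not include authorization_code")
    cb = expected_callback(admin_host, admin_port, context_root)
    if cb not in client.get("redirect_uris", []):
        findings.append(f"redirect URIs do not include {cb}")
    # Without administrative roles, only issuance criteria stop every user in
    # the identity store from reaching the admin console.
    if not uses_admin_roles and not client.get("uses_issuance_criteria", False):
        findings.append("OIDC policy applies no issuance criteria to limit who gets an access token")
    return findings


def check_mtls_metadata(discovery, secondary_port):
    """Check that mtls_endpoint_aliases exists and every alias is https on the secondary port."""
    aliases = discovery.get("mtls_endpoint_aliases")
    if not isinstance(aliases, dict) or not aliases:
        return ["mtls_endpoint_aliases object is missing from the discovery document"]
    findings = []
    for name, url in aliases.items():
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"{name} alias is not https: {url}")
        elif parts.port != secondary_port:
            findings.append(f"{name} alias does not use secondary HTTPS port {secondary_port}: {url}")
    return findings


if __name__ == "__main__":
    for label, client in (("good client", GOOD_CLIENT), ("bad client", BAD_CLIENT)):
        print(label, check_client(client, ADMIN_HOST, ADMIN_PORT) or ["ok"])
    for label, doc in (("good discovery", GOOD_DISCOVERY), ("bad discovery", BAD_DISCOVERY)):
        print(label, check_mtls_metadata(doc, SECONDARY_PORT) or ["ok"])
```

Run it against the values of your own deployment; the findings list is empty only when every prerequisite on this page is satisfied, and the issuance-criteria finding is the one that maps directly to the warning above about every user in the identity store being able to reach the admin console.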