Before you can configure admin UI SSO authentication, you must:

  1. Configure the OIDC provider.
  2. Import the OIDC token provider server certificate into a trusted certificate group and associate that trusted certificate group with the OIDC token provider runtime.
    For more information, see Importing certificates.
  3. If you are using PingFederate, set up a profile scope in PingFederate that includes the openid, profile, address, email, and phone scope values.

    For more information, see the PingFederate documentation for configuring an OAuth client.

    1. If you're using PingFederate as the OIDC token provider, when you configure the client in PingFederate:
      • The Client Authentication must be set to anything but None.
      • The Allowed Grant Types must be set to Authorization Code.
      • The Redirect URIs must include https://<PA_Admin_Host>:<PA_Admin_Port>/<reserved application context root>/oidc/cb. The default reserved application context root is /pa.
      • If you're not using administrative roles in PingAccess, the OIDC Policy should be set to a policy whose issuance criteria restrict which users can be granted a token, based on additional attributes of your choosing.

        If the selected OIDC policy does not use issuance criteria to limit which users can be granted an access token, all users in the associated identity store configured in PingFederate can authenticate to the PingAccess Admin console and make changes.

        For more information, see Identifying Issuance Criteria for Policy Mapping in the PingFederate Administrator's Manual.

    2. If you're using PingFederate as the OIDC token provider and plan to use Mutual TLS, you must make two changes to the PingFederate configuration:
      • Enable the secondary HTTPS port in PingFederate by editing the <PF_HOME>/pingfederate/bin/ file and setting pf.secondary.https.port to the port number to use. For more information, see the PingFederate documentation.
      • Modify openid-configuration.template.json to add the mtls_endpoint_aliases object, with content as defined by RFC 8705. For more information about this file, see the PingFederate documentation.
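The following pre-flight check is an added example, not Ping's own code: it takes a dictionary describing the PingFederate client settings (the key names are assumed, not a PingFederate API) plus the parsed openid-configuration document, and reports which of the prerequisites above are not met. The sample client and discovery document are constructed.

```python
from urllib.parse import urlparse

def expected_redirect_uri(admin_host, admin_port, context_root="/pa"):
    # Callback the admin console uses: https://<PA_Admin_Host>:<PA_Admin_Port>/<context root>/oidc/cb
    return f"https://{admin_host}:{admin_port}{context_root}/oidc/cb"

def check_client(client, admin_host, admin_port, context_root="/pa",
                 uses_admin_roles=False, mtls=False, discovery=None):
    """Return the list of prerequisites that are NOT met (empty list means all good).
    `client` is a dict with the assumed keys client_authentication, allowed_grant_types,
    redirect_uris and oidc_policy_uses_issuance_criteria; `discovery` is the parsed
    openid-configuration document and is only inspected when mtls=True."""
    problems = []
    if client.get("client_authentication", "NONE").upper() == "NONE":
        problems.append("Client Authentication is None; set it to any other method")
    if "AUTHORIZATION_CODE" not in client.get("allowed_grant_types", []):
        problems.append("Allowed Grant Types must include Authorization Code")
    callback = expected_redirect_uri(admin_host, admin_port, context_root)
    if callback not in client.get("redirect_uris", []):
        problems.append(f"Redirect URIs must include {callback}")
    # Without PingAccess admin roles, only issuance criteria on the OIDC policy keep
    # every user in the identity store from reaching the admin console.
    if not uses_admin_roles and not client.get("oidc_policy_uses_issuance_criteria", False):
        problems.append("OIDC Policy has no issuance criteria restricting who is issued a token")
    if mtls:
        # RFC 8705: endpoints that accept mutual TLS are advertised under mtls_endpoint_aliases.
        aliases = (discovery or {}).get("mtls_endpoint_aliases") or {}
        alias = aliases.get("token_endpoint")
        if not alias:
            problems.append("openid-configuration lacks mtls_endpoint_aliases.token_endpoint")
        elif urlparse(alias).scheme != "https":
            problems.append("mtls token_endpoint alias must be an https URL")
    return problems

# Constructed sample inputs (hypothetical hosts and ports, not a real deployment).
SAMPLE_CLIENT = {
    "client_authentication": "CLIENT_SECRET",
    "allowed_grant_types": ["AUTHORIZATION_CODE"],
    "redirect_uris": ["https://pa-admin.example.com:9000/pa/oidc/cb"],
    "oidc_policy_uses_issuance_criteria": True,
}
SAMPLE_DISCOVERY = {
    "issuer": "https://pf.example.com:9031",
    "token_endpoint": "https://pf.example.com:9031/as/token.oauth2",
    # Alias on the secondary HTTPS port enabled via pf.secondary.https.port
    "mtls_endpoint_aliases": {"token_endpoint": "https://pf.example.com:9032/as/token.oauth2"},
}

if __name__ == "__main__":
    for p in check_client(SAMPLE_CLIENT, "pa-admin.example.com", 9000, mtls=True, discovery=SAMPLE_DISCOVERY):
        print("FAIL:", p)
```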