Configuring OpenID Connect - PingAccess - 7.2


Configure OpenID Connect (OIDC) token provider settings in PingAccess. OIDC is an authentication protocol built on top of OAuth that authenticates users and enables clients (relying parties) of all types to request and receive information about authenticated sessions and users. OIDC is extensible, allowing clients to use optional features such as encryption of identity data, discovery of OpenID Providers (OAuth authorization servers), and session management.

  1. Click Settings and then go to System > Token Provider > Common > OpenID Connect.
  2. In the Issuer field, enter the OIDC provider’s issuer identifier.
  3. In the Description field, enter a description for the token provider.
  4. Select the Audit check box to record requests made to the OIDC provider in the audit store.
  5. From the Trusted Certificate Group list, select the group of certificates that PingAccess uses to validate the OIDC provider's TLS certificate when it connects to the provider.

    PingAccess requires that the certificate presented by the OIDC provider chain to a certificate in the selected Trusted Certificate Group; if it does not, requests to the provider (including the metadata fetch) fail.

  6. If required, click + Add Query Parameter and enter custom query parameter name and value pairs used by the OIDC provider.
  7. To configure advanced settings, click Show Advanced.
    1. To use a configured proxy, select the Use Proxy check box.
      Note:

      If the node is not configured with a proxy, requests are made directly to the token provider. See Adding proxies for more information about creating proxies.

    2. Select Use Single-Logout to enable single logout (SLO) when the /pa/oidc/logout/ endpoint is accessed. Accessing that endpoint clears the cookie containing the PingAccess token; if this option is selected, PingAccess also sends a logout request to the token provider, which completes a full SLO flow.

      To use this feature, single logout (SLO), the process of signing a user out of multiple sites where the user has started a single sign-on (SSO) session, must be configured on the OIDC provider.

    3. Select Request Supported Scopes Only to limit the requested scopes to those advertised in the OIDC metadata.
  8. Click Save.

Once you have successfully configured the token provider, click View Metadata to display the metadata provided by the token provider. To update the metadata, click View Metadata > Refresh Metadata.
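The issuer, trusted certificate group, single-logout and supported-scopes settings above all have to agree with what the provider publishes in its OIDC discovery document, which is the metadata View Metadata shows. The script below is an added example (not PingAccess code and not its Admin API) that reproduces those consistency checks in Python so you can run them before saving the configuration: the issuer you enter must equal the issuer claim in the document fetched from {issuer}/.well-known/openid-configuration (OpenID Connect Discovery 1.0, section 4.3), the TLS chain must anchor to a CA bundle that stands in for the Trusted Certificate Group, Use Single-Logout needs an end_session_endpoint, and Request Supported Scopes Only drops any scope not listed in scopes_supported. The hostname sso.example.com and the sample metadata document are constructed for this example.

```python
"""Pre-flight checks for a PingAccess OIDC token provider configuration.

Added example, not PingAccess product code. The sample metadata document
and the hostname sso.example.com are constructed for illustration.
"""
import json
import ssl
import urllib.request
from typing import Optional

DISCOVERY_PATH = "/.well-known/openid-configuration"

# Constructed sample discovery document for issuer https://sso.example.com.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://sso.example.com",
    "authorization_endpoint": "https://sso.example.com/as/authorization.oauth2",
    "token_endpoint": "https://sso.example.com/as/token.oauth2",
    "jwks_uri": "https://sso.example.com/pf/JWKS",
    "end_session_endpoint": "https://sso.example.com/idp/startSLO.ping",
    "scopes_supported": ["openid", "profile", "email"],
})


def sample_metadata() -> dict:
    """Parsed copy of the constructed sample document."""
    return json.loads(SAMPLE_METADATA)


def discovery_url(issuer: str) -> str:
    """Build the discovery URL as the spec does: strip a trailing slash from
    the issuer, then append the well-known path (no double slash)."""
    return issuer.rstrip("/") + DISCOVERY_PATH


def fetch_metadata(issuer: str, ca_bundle: Optional[str] = None,
                   timeout: float = 10) -> dict:
    """Fetch the discovery document over TLS. ``ca_bundle`` plays the role of
    the Trusted Certificate Group: the default context requires a certificate,
    checks the hostname, and accepts only chains anchored in that bundle.
    This is a live network call; the offline checks below do not use it."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(discovery_url(issuer), context=ctx,
                                timeout=timeout) as resp:
        return json.load(resp)


def check_metadata(issuer: str, metadata: dict, *, want_slo: bool,
                   supported_only: bool, requested_scopes: list) -> list:
    """Return a list of problems; an empty list means the settings are
    consistent with what the provider advertises."""
    problems = []
    # The issuer must match byte for byte. A trailing slash or a case
    # difference is rejected by compliant relying parties, and a mismatch is
    # the classic sign of a copied-in wrong URL or a mix-up between providers.
    if metadata.get("issuer") != issuer:
        problems.append(f"issuer mismatch: configured {issuer!r}, "
                        f"metadata says {metadata.get('issuer')!r}")
    if not issuer.startswith("https://"):
        problems.append("issuer must be an https URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in metadata:
            problems.append(f"metadata missing required {key}")
    # Use Single-Logout sends a logout request to the provider, so the
    # provider must advertise an end_session_endpoint (SLO configured there).
    if want_slo and "end_session_endpoint" not in metadata:
        problems.append("Use Single-Logout selected but the provider "
                        "advertises no end_session_endpoint")
    # Request Supported Scopes Only: scopes not in scopes_supported are dropped
    # from the request, which silently loses claims the application expects.
    supported = set(metadata.get("scopes_supported", []))
    if supported_only and supported:
        dropped = [s for s in requested_scopes if s not in supported]
        if dropped:
            problems.append(f"scopes not advertised by the provider and "
                            f"would be dropped: {dropped}")
    return problems


if __name__ == "__main__":
    md = sample_metadata()
    print(check_metadata("https://sso.example.com", md, want_slo=True,
                         supported_only=True, requested_scopes=["openid", "profile"]))
    # A trailing slash is a common copy-and-paste error and must be caught.
    print(check_metadata("https://sso.example.com/", md, want_slo=True,
                         supported_only=True, requested_scopes=["openid", "groups"]))
```

Run it against the real provider by replacing the sample with `fetch_metadata(issuer, ca_bundle="path/to/trusted-group.pem")`: a TLS failure there is the same failure PingAccess reports when the provider's certificate does not anchor to the Trusted Certificate Group, and a non-empty problem list points at the setting to change before you click Save.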