Configuring PingFederate for PingAccess SSO - PingAccess - 7.2



Configure PingFederate to enable administrator single sign-on (SSO) for PingAccess.


To enable administrator SSO to PingAccess, configure the following settings within the PingFederate OAuth authorization server (AS).


This document doesn't cover all the required steps for each PingFederate OAuth settings page, only the fields that are necessary for successful SSO to the PingAccess administrative console.

For more detailed configuration information on the PingFederate OAuth settings pages, see Using OAuth Menu Selections.

  1. In PingFederate, go to System > Server > Protocol Settings > Roles and Protocols and configure the following roles and protocols:
    1. Select the OAuth 2.0 AS federation role and the OpenID Connect (OIDC) protocol as described in step 2 of Choosing roles and protocols.
    2. Select the IdP Provider federation role and a corresponding protocol as described in step 2 of Choosing roles and protocols.
  2. Create a Password Credential Validator (PCV) to authenticate administrative users.
  3. On the IdP Adapters page, create an HTML Form IdP Adapter and specify the PCV that you configured in step 2 of this procedure.

    For more information, see Configuring an HTML Form Adapter instance.

  4. On the Authorization Server Settings page, select the Implicit check box in the Reuse Existing Persistent Access Grants for Grant Types section.

    For more information, see Configuring authorization server settings.

  5. Configure access token management:
    1. Go to Access Token Management > Type and in the Type list, select Internally Managed Reference Tokens.
    2. On the Access Token Attribute Contract page, add the Username attribute to extend the contract.

    For more information, see Access token management.

  6. Configure OpenID Connect Policy Management.

    Create an OIDC policy to use specifically for PingAccess administrative console authentication.

    For more information, see Configuring OpenID Connect policies.

    1. On the Attribute Contract tab, delete all of the attributes that appear in the Extend the Contract section.

      The only required attribute is sub.

    2. On the Contract Fulfillment tab, in the Source list, select Access Token, and in the Value list, select Username.
  7. Configure Client Management.

    Create a client to use specifically for PingAccess administrative console authentication.

    For more information, see Managing OAuth clients.

    1. In the Client Authentication list, select an option other than None.
    2. Add the location of the PingAccess host as a Redirection URI.

      For example, https://<PA_Admin_Host>:<PA_Admin_Port>/<reserved application context root>/oidc/cb.

    3. In the Allowed Grant Type list, select Authorization Code.
    4. In the ID Token Signing Algorithm list, select one of the elliptic curve (ECDSA) algorithms, and in the Policy list, select the OIDC policy to use for PingAccess administrative console authentication.
  8. To configure IdP Adapter Mapping, map the HTML Form IdP Adapter Username value to the USER_KEY and the USER_NAME contract attributes for the persistent grant and the user's display name on the authorization page, respectively.

    For more information, see Managing IdP adapter grant mapping.

  9. To configure Access Token Mapping, on the Contract Fulfillment tab, map values into the token attribute contract for the Username attribute:
    1. In the Source list, select Persistent Grant.
    2. In the Value list, select USER_KEY.

    These are the attributes included or referenced in the access token.

    For more information, see Managing access token mappings.
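The settings above are easy to get slightly wrong in a large PingFederate deployment, so the following added example (not part of the Ping Identity documentation or product) checks an exported summary of them against this procedure. The dictionary layout and the field names are assumptions made for the example; they are not the PingFederate administrative API schema.

```python
from urllib.parse import urlsplit

# Constructed summary of the settings this procedure touches (assumed layout,
# not PingFederate's real configuration format). Values match the procedure.
EXAMPLE_CONFIG = {
    "access_token_manager": {"type": "INTERNALLY_MANAGED_REFERENCE", "contract": ["Username"]},
    "oidc_policy": {"contract": ["sub"], "fulfillment": {"sub": ("Access Token", "Username")}},
    "client": {
        "client_auth": "CLIENT_SECRET",
        "redirect_uris": ["https://pa-admin.example.com:9000/pa/oidc/cb"],
        "grant_types": ["authorization_code"],
        "id_token_signing_alg": "ES256",
        "oidc_policy": "pa-admin-policy",
    },
}

# Same summary with the mistakes an auditor most often finds (constructed).
WEAK_CONFIG = {
    "access_token_manager": {"type": "JSON_WEB_TOKEN", "contract": []},
    "oidc_policy": {"contract": ["sub", "email"], "fulfillment": {"sub": ("Adapter", "username")}},
    "client": {
        "client_auth": "NONE",
        "redirect_uris": ["http://pa-admin.example.com:9000/pa/oidc/cb", "https://pa-admin.example.com/"],
        "grant_types": ["authorization_code", "implicit"],
        "id_token_signing_alg": "RS256",
        "oidc_policy": "",
    },
}

ECDSA_ALGS = {"ES256", "ES384", "ES512"}  # JWS names of the ECDSA algorithms

def check_pa_sso_config(cfg):
    """Return a list of findings; an empty list means the settings match this procedure."""
    findings = []
    atm, policy, client = cfg["access_token_manager"], cfg["oidc_policy"], cfg["client"]
    if atm["type"] != "INTERNALLY_MANAGED_REFERENCE":
        findings.append("access token manager must use internally managed reference tokens")
    if "Username" not in atm["contract"]:
        findings.append("access token contract must include the Username attribute")
    if set(policy["contract"]) != {"sub"}:
        findings.append("OIDC policy contract must contain only sub")
    if policy["fulfillment"].get("sub") != ("Access Token", "Username"):
        findings.append("sub must be fulfilled from the access token Username attribute")
    if client["client_auth"] in (None, "", "NONE"):
        findings.append("client authentication must not be None")
    for uri in client["redirect_uris"]:
        parts = urlsplit(uri)
        if parts.scheme != "https" or not parts.path.endswith("/oidc/cb") or parts.query or parts.fragment:
            findings.append(f"redirect URI {uri!r} is not an https PingAccess /oidc/cb callback")
    if set(client["grant_types"]) != {"authorization_code"}:
        findings.append("only the Authorization Code grant type should be allowed")
    if client["id_token_signing_alg"] not in ECDSA_ALGS:
        findings.append("ID token signing algorithm must be an ECDSA algorithm")
    if not client.get("oidc_policy"):
        findings.append("client must reference the PingAccess OIDC policy")
    return findings
```

Running `check_pa_sso_config(EXAMPLE_CONFIG)` returns no findings, while the weak summary produces one finding per deviation, including one per non-compliant redirect URI.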

To finish configuring administrator SSO, see Configuring admin UI SSO authentication.