Before you can configure admin UI SSO authentication, you must:
- Configure the OIDC provider.
- Import the OIDC token provider server certificate into a trusted certificate group and associate that trusted certificate group with the OIDC token provider runtime. For more information, see Importing certificates.
- If you're using PingFederate as the OIDC token provider, set up a profile scope in PingFederate that includes the openid, profile, address, email, and phone scope values. For more information, see Configuring an OAuth client in the PingFederate documentation.
- When you configure the client in PingFederate:
  - The Client Authentication must be set to anything except None.
  - The Allowed Grant Types must be set to Authorization Code.
  - The Redirect URIs must include https://<PA_Admin_Host>:<PA_Admin_Port>/<reserved application context root>/oidc/cb. The default reserved application context root is /pa.
  - If you're not using administrative roles in PingAccess, the OIDC Policy should be set to a policy that uses issuance criteria to restrict access based on some additional criteria.
    Warning: If the OIDC policy you select doesn't use issuance criteria to limit which users can be granted an access token, all users in the associated identity store configured in PingFederate can authenticate to the PingAccess administrative console and make changes.
    For more information, see Identifying Issuance Criteria for Policy Mapping in the PingFederate Administrator's Manual.
- If you plan to use Mutual TLS, you must make two changes to the PingFederate configuration:
  - Enable the use of the secondary HTTPS port in PingFederate by editing the <pf_install>/pingfederate/bin/run.properties file and setting the pf.secondary.https.port value to a port value. For more information, see the PingFederate documentation.
  - Modify the openid-configuration.template.json file to add the mtls_endpoint_aliases object, with content defined by RFC-8705. For more information about this file, see the PingFederate documentation.
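As an added example (not from the PingAccess or PingFederate documentation), the following script checks a client's settings against the prerequisites listed above and builds the RFC 8705 mtls_endpoint_aliases object that points the mTLS-capable endpoints at the secondary HTTPS port. The client dict field names, the host names, ports, and the discovery document are constructed assumptions, not PingFederate's own data model.

```python
from urllib.parse import urlsplit, urlunsplit

# Endpoints that RFC 8705 names as candidates for mtls_endpoint_aliases.
MTLS_ALIASED = ("token_endpoint", "revocation_endpoint", "introspection_endpoint",
                "device_authorization_endpoint", "registration_endpoint",
                "userinfo_endpoint")


def mtls_aliases(discovery, secondary_port):
    """Rewrite each mTLS-capable endpoint of a discovery document to the
    secondary HTTPS port (pf.secondary.https.port). The authorization
    endpoint is left alone: the browser, not the client, talks to it."""
    aliases = {}
    for name in MTLS_ALIASED:
        url = discovery.get(name)
        if url:
            parts = urlsplit(url)
            netloc = f"{parts.hostname}:{secondary_port}"
            aliases[name] = urlunsplit(parts._replace(netloc=netloc))
    return aliases


def admin_redirect_uri(admin_host, admin_port, context_root="/pa"):
    """Callback URI the PingAccess admin console needs registered."""
    return f"https://{admin_host}:{admin_port}{context_root}/oidc/cb"


def check_client(client, admin_host, admin_port, context_root="/pa", admin_roles=False):
    """Return the prerequisite violations for an OAuth client. The dict keys
    are assumed names mirroring the PingFederate fields named on this page."""
    problems = []
    if client.get("client_authentication", "None") == "None":
        problems.append("Client Authentication is None")
    if "Authorization Code" not in client.get("allowed_grant_types", []):
        problems.append("Allowed Grant Types lacks Authorization Code")
    if admin_redirect_uri(admin_host, admin_port, context_root) not in client.get("redirect_uris", []):
        problems.append("Redirect URIs lack the admin console callback")
    # Without administrative roles, issuance criteria are the only thing that
    # keeps every user in the identity store out of the admin console.
    if not admin_roles and not client.get("oidc_policy_issuance_criteria"):
        problems.append("OIDC Policy has no issuance criteria")
    return problems


# Constructed sample client: correct except for the missing issuance criteria.
SAMPLE_CLIENT = {"client_authentication": "Client Secret",
                 "allowed_grant_types": ["Authorization Code"],
                 "redirect_uris": ["https://pa-admin.example.com:9000/pa/oidc/cb"],
                 "oidc_policy_issuance_criteria": False}
```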