Preparing to configure admin UI SSO authentication - PingAccess - 7.3


Before you can configure admin UI SSO authentication, you must:

  1. Configure the OIDC provider.
  2. Import the TLS server certificate (or the CA certificate that issued it) of the OIDC token provider into a trusted certificate group, and associate that trusted certificate group with the OIDC token provider runtime so that PingAccess can validate the TLS connection to the provider.

    For more information, see Importing certificates.

  3. If you're using PingFederate as the OIDC token provider, define a profile scope in PingFederate that includes the openid, profile, address, email, and phone scope values.

    For more information, see Configuring an OAuth client in the PingFederate documentation.

    1. When you configure the client in PingFederate:
      • The Client Authentication must be set to anything except None. A client with no authentication lets anyone who learns the client ID redeem authorization codes issued to the PingAccess administrative console.
      • The Allowed Grant Types must be set to Authorization Code only.
      • The Redirect URIs must include https://<PA_Admin_Host>:<PA_Admin_Port>/<reserved application context root>/oidc/cb. The default reserved application context root is /pa, so the default callback is https://<PA_Admin_Host>:<PA_Admin_Port>/pa/oidc/cb.
      • If you're not using administrative roles in PingAccess, the OIDC Policy must be set to a policy whose issuance criteria restrict which users can be issued a token, for example by group membership.
        Warning:

        If the OIDC policy you select doesn't use issuance criteria to limit which users can be granted an access token, all users in the associated identity store configured in PingFederate can authenticate to the PingAccess administrative console and make changes.

        For more information, see Identifying Issuance Criteria for Policy Mapping in the PingFederate Administrator's Manual.

    2. If you plan to use Mutual TLS for client authentication, you must make two changes to the PingFederate configuration:
      1. Enable the secondary HTTPS port in PingFederate by editing the <pf_install>/pingfederate/bin/run.properties file and setting pf.secondary.https.port to the port number on which PingFederate should accept mutual TLS connections. For more information, see the PingFederate documentation.
      2. Modify the openid-configuration.template.json file to add the mtls_endpoint_aliases object, with content as defined in RFC 8705, so that the endpoints that require client certificate authentication (for example, the token endpoint) are advertised on the secondary port. For more information about this file, see the PingFederate documentation.
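As an added example, which is not PingAccess or PingFederate code and does not appear on the original page, the following Python script checks a PingFederate OAuth client definition and an OIDC discovery document against the prerequisites above: the client authentication, grant type, redirect URI and issuance criteria points from the client configuration step, and the mtls_endpoint_aliases object from the Mutual TLS step. The admin host and port, the secondary HTTPS port value, the PingFederate-style endpoint paths, and the dictionary field names (clientAuth, grantTypes, redirectUris, oidcPolicy) are assumptions of this example, and both sample documents are constructed inline.

```python
"""Pre-flight checks for PingAccess admin UI SSO against a PingFederate OIDC provider.

Added example; not from the PingAccess documentation. All hostnames, ports and
field names below are assumptions chosen for illustration.
"""
from urllib.parse import urlparse

# Assumed deployment values (not taken from the page).
PA_ADMIN_HOST = "pa-admin.example.com"
PA_ADMIN_PORT = 9000
RESERVED_CONTEXT_ROOT = "/pa"        # PingAccess default reserved application context root
PF_SECONDARY_HTTPS_PORT = 9032       # value assumed to be set for pf.secondary.https.port

# Endpoints named in RFC 8705 section 5 as candidates for mtls_endpoint_aliases.
# Other client-authenticated endpoints may be aliased too; this allowlist is conservative.
MTLS_ALIASABLE = {"token_endpoint", "revocation_endpoint", "introspection_endpoint"}


def expected_redirect_uri(host=PA_ADMIN_HOST, port=PA_ADMIN_PORT, root=RESERVED_CONTEXT_ROOT):
    """Callback URI that PingAccess uses for admin UI SSO: https://host:port/<root>/oidc/cb."""
    return f"https://{host}:{port}{root.rstrip('/')}/oidc/cb"


def check_client(client, admin_roles_in_use):
    """Return a list of findings for a PingFederate OAuth client definition (dict).

    The layout (clientAuth.type, grantTypes, redirectUris, oidcPolicy.issuanceCriteria)
    is an assumption of this example, loosely modelled on the PingFederate admin API.
    """
    findings = []
    auth_type = client.get("clientAuth", {}).get("type", "NONE").upper()
    if auth_type == "NONE":
        findings.append("client authentication is None; use a secret, certificate or private_key_jwt")
    grants = {g.upper() for g in client.get("grantTypes", [])}
    if grants != {"AUTHORIZATION_CODE"}:
        findings.append(f"allowed grant types must be exactly AUTHORIZATION_CODE, got {sorted(grants)}")
    if expected_redirect_uri() not in client.get("redirectUris", []):
        findings.append(f"redirect URIs do not include {expected_redirect_uri()}")
    # Without PingAccess admin roles, only issuance criteria stop every user in the
    # identity store from logging in to the admin console.
    if not admin_roles_in_use and not client.get("oidcPolicy", {}).get("issuanceCriteria"):
        findings.append("OIDC policy has no issuance criteria; all users in the identity store could log in")
    return findings


def check_mtls_aliases(discovery, secondary_port=PF_SECONDARY_HTTPS_PORT):
    """Validate mtls_endpoint_aliases (RFC 8705 section 5) in a discovery document.

    For the secondary-port setup described on the page, each alias must be an https
    URL on the secondary port and must shadow an endpoint the provider advertises.
    """
    aliases = discovery.get("mtls_endpoint_aliases")
    if not isinstance(aliases, dict) or not aliases:
        return ["mtls_endpoint_aliases object missing from discovery document"]
    findings = []
    for name, url in aliases.items():
        if name not in MTLS_ALIASABLE:
            findings.append(f"{name} is not an endpoint this check allows to be aliased")
            continue
        if discovery.get(name) is None:
            findings.append(f"{name} is aliased but no primary {name} is advertised")
            continue
        alias = urlparse(url)
        if alias.scheme != "https":
            findings.append(f"{name} alias is not https: {url}")
        if alias.port != secondary_port:
            findings.append(f"{name} alias must use secondary HTTPS port {secondary_port}, got {alias.port}")
    return findings


# Constructed sample documents (not real deployments). Endpoint paths follow the
# PingFederate /as/*.oauth2 convention; the hostnames and ports are invented.
WEAK_CLIENT = {
    "clientId": "pa-admin",
    "clientAuth": {"type": "NONE"},
    "grantTypes": ["AUTHORIZATION_CODE", "IMPLICIT"],
    "redirectUris": ["https://pa-admin.example.com:9000/oidc/cb"],  # context root missing
    "oidcPolicy": {"policyId": "default", "issuanceCriteria": []},
}
GOOD_CLIENT = {
    "clientId": "pa-admin",
    "clientAuth": {"type": "SECRET"},
    "grantTypes": ["AUTHORIZATION_CODE"],
    "redirectUris": ["https://pa-admin.example.com:9000/pa/oidc/cb"],
    "oidcPolicy": {
        "policyId": "pa-admins",
        "issuanceCriteria": [{"attribute": "memberOf", "value": "cn=pa-admins,ou=groups,dc=example,dc=com"}],
    },
}
SAMPLE_DISCOVERY = {
    "issuer": "https://pf.example.com:9031",
    "authorization_endpoint": "https://pf.example.com:9031/as/authorization.oauth2",
    "token_endpoint": "https://pf.example.com:9031/as/token.oauth2",
    "introspection_endpoint": "https://pf.example.com:9031/as/introspect.oauth2",
    "mtls_endpoint_aliases": {
        "token_endpoint": "https://pf.example.com:9032/as/token.oauth2",
        "introspection_endpoint": "https://pf.example.com:9032/as/introspect.oauth2",
    },
}

if __name__ == "__main__":
    for label, client in (("weak client", WEAK_CLIENT), ("good client", GOOD_CLIENT)):
        print(label, check_client(client, admin_roles_in_use=False) or ["OK"])
    print("mtls aliases", check_mtls_aliases(SAMPLE_DISCOVERY) or ["OK"])
```

Run the script after exporting the client and discovery documents from PingFederate (the discovery document is served at the provider's /.well-known/openid-configuration path); an empty findings list for both means the client and the Mutual TLS aliases match the prerequisites above, while each finding names the setting to correct before proceeding to the PingAccess admin UI SSO configuration.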