Configuring token provider-specific options - PingAccess - 8.0


PingAccess 8.0 (Latest)

Configure plugins that perform particular functions for the selected token provider type.

In order to configure these options, you must first perform the steps detailed in Creating Azure AD Graph API applications.

In the case of the PingAccess for Azure AD solution, the plugin addresses the following problems:

  • Data Transformation— The format of the data returned from the OpenID Connect (OIDC) UserInfo endpoint results in some unexpected JSON formatting. The plugin transforms this data into a format that PingAccess can easily process.
  • Azure AD Graph application programming interface (API) usage— If the groups attribute contains more than 200 groups, the id_token does not carry the groups themselves; instead it contains a level of indirection that points to a URL in the Azure AD Graph API. Through the creation of a simple purpose-driven application, you can communicate with the Azure AD Graph API to retrieve the complete list of groups.
  • Retrieving group display names— The groups attribute is a list of GUIDs. The groups for a user are only provided as GUIDs because user-friendly names for Azure AD groups are not globally unique. Configure the Graph API call to include the group names along with the GUIDs so that you can create more robust policies.
  1. Click Settings and then go to System > Token Provider > Common > OpenID Connect.
  2. Go to the Token Provider Specific Options section.
  3. From the Type list, select Azure Active Directory.
  4. To extend the attributes for a web session, select the Use Azure AD Graph API check box.
  5. In the Client ID field, enter the application ID you copied from the Azure AD API application you created.
  6. In the Client Secret field, paste the key you copied, and then select Retrieve Group Display Names.

    To retrieve group data for a particular application in the token, the manifest for that application must be modified to include a group membership claim. In the App Registrations blade, select the application and click the Manifest button. Locate the groupMembershipClaims property and set it to a group type, such as SecurityGroup.

  7. Select Cache Group Display Names to instruct PingAccess to cache display names retrieved from the Azure AD Graph API.
  8. In the Display Name Cache Max Age (s) field, enter the number of seconds to cache group display names if caching is enabled. Click Save.
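
The following is an added example, not PingAccess code or part of the original page, that shows what the settings above ask the plugin to do with a decoded id_token: read the groups claim directly when it is present, follow the overage indirection (the `_claim_names` / `_claim_sources` structure Azure AD emits when a user is in more than 200 groups) to a Graph API endpoint, and resolve each GUID to a display name through a cache whose lifetime mirrors Display Name Cache Max Age (s). The Graph API responses, the token claims, the tenant name and the group GUIDs are all constructed stand-ins; the `ALLOWED_GRAPH_HOSTS` check is an assumption of the example, added because a fetcher should never follow an arbitrary URL found in a token.

```python
"""Added example, not PingAccess code: resolve the Azure AD groups claim from a
decoded id_token, following the over-200-groups overage indirection and caching
group display names for a configurable max age, as the plugin settings describe."""
import time
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse

# Assumption of this example: only follow overage endpoints on the Graph host the
# plugin is configured for; a token-supplied URL must not redirect the fetcher elsewhere.
ALLOWED_GRAPH_HOSTS = {"graph.windows.net"}


class GroupResolver:
    def __init__(self, fetch_member_groups: Callable[[str], List[str]],
                 fetch_display_name: Callable[[str], str],
                 cache_display_names: bool = True, cache_max_age_s: int = 300,
                 clock: Callable[[], float] = time.time) -> None:
        self._fetch_member_groups = fetch_member_groups  # GET on the overage endpoint
        self._fetch_display_name = fetch_display_name    # Graph lookup of one group
        self._cache_enabled = cache_display_names        # "Cache Group Display Names"
        self._max_age = cache_max_age_s                  # "Display Name Cache Max Age (s)"
        self._clock = clock
        self._cache: Dict[str, Tuple[str, float]] = {}   # guid -> (name, fetched at)

    def group_ids(self, claims: dict) -> List[str]:
        """Return the user's group object IDs for both the direct and overage cases."""
        if "groups" in claims:  # 200 groups or fewer: embedded as a list of GUIDs
            return list(claims["groups"])
        # Overage: _claim_names maps "groups" to a source key, and _claim_sources maps
        # that key to the Graph endpoint that lists the user's memberships.
        src_key = claims.get("_claim_names", {}).get("groups")
        if src_key is None:
            return []
        endpoint = claims.get("_claim_sources", {}).get(src_key, {}).get("endpoint")
        if not endpoint:
            raise ValueError("overage claim without a source endpoint")
        parsed = urlparse(endpoint)
        if parsed.scheme != "https" or parsed.hostname not in ALLOWED_GRAPH_HOSTS:
            raise ValueError(f"refusing to follow overage endpoint {endpoint!r}")
        return list(self._fetch_member_groups(endpoint))

    def display_name(self, guid: str) -> str:
        """Resolve one GUID, serving from the cache while the entry is younger than max age."""
        now = self._clock()
        if self._cache_enabled:
            hit = self._cache.get(guid)
            if hit is not None and now - hit[1] < self._max_age:
                return hit[0]
        name = self._fetch_display_name(guid)
        if self._cache_enabled:
            self._cache[guid] = (name, now)
        return name

    def resolve(self, claims: dict) -> Dict[str, str]:
        """Map every group GUID in the token (or its overage source) to a display name."""
        return {g: self.display_name(g) for g in self.group_ids(claims)}


# Constructed stand-in for a tenant's Graph API responses (not real data).
_GUID = "00000000-0000-0000-0000-{:012d}"
OVERAGE_ENDPOINT = "https://graph.windows.net/contoso.example/users/u1/getMemberObjects"
FAKE_MEMBER_OBJECTS = {OVERAGE_ENDPOINT: [_GUID.format(i) for i in range(1, 251)]}
FAKE_DISPLAY_NAMES = {_GUID.format(i): f"group-{i}" for i in range(1, 251)}

# Constructed token claims: one user under the limit, one using the overage indirection.
DIRECT_CLAIMS = {"sub": "u0", "groups": [_GUID.format(1), _GUID.format(2)]}
OVERAGE_CLAIMS = {
    "sub": "u1",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": OVERAGE_ENDPOINT}},
}


def make_demo_resolver(clock: Callable[[], float] = time.time, cache: bool = True,
                       max_age: int = 300):
    """Build a resolver over the fake Graph and count the display-name lookups it makes."""
    calls = {"names": 0}

    def fetch_name(guid: str) -> str:
        calls["names"] += 1
        return FAKE_DISPLAY_NAMES[guid]

    resolver = GroupResolver(lambda ep: FAKE_MEMBER_OBJECTS[ep], fetch_name, cache, max_age, clock)
    return resolver, calls


if __name__ == "__main__":
    resolver, counts = make_demo_resolver()
    print(resolver.resolve(DIRECT_CLAIMS))
    print(len(resolver.resolve(OVERAGE_CLAIMS)), "groups via overage;", counts["names"], "lookups")
```

The point to carry back to the settings page: with caching off, every request that evaluates a policy on group names costs one Graph lookup per group; with caching on, the cost is paid once per GUID per max-age window, so Display Name Cache Max Age (s) is a trade between Graph API load and how quickly a renamed group is reflected in policy decisions.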