Configure PingFederate to enable administrator SSO

To enable administrator SSO to PingAccess, configure the following settings in PingFederate.

This document doesn't cover all the required steps for each PingFederate settings page. For more detailed configuration information on the PingFederate OAuth settings pages, see Using OAuth Menu Selections.

1. In PingFederate, configure the federation roles and protocols. You must do one of the following:
   - Select the OAuth 2.0 AS federation role and the OpenID Connect (OIDC) protocol as described in step 2 of Choosing roles and protocols.
   - Select the IdP Provider federation role and a corresponding protocol as described in step 2 of Choosing roles and protocols.
2. Create a Password Credential Validator (PCV) to authenticate administrative users.
   For more information, see Configuring the simple username password credential validator.
3. On the IdP Adapters page, create an HTML Form IdP Adapter and specify the PCV that you configured in step 2 of this procedure.
   For more information, see Configuring an HTML Form Adapter instance.
4. On the Authorization Server Settings page, select the Implicit check box in the Reuse Existing Persistent Access Grants for Grant Types section.
   For more information, see Configuring authorization server settings.
5. Configure access token management:
   - On the Access Token Management page, in the Type list, select Internally Managed Reference Tokens.
   - On the Access Token Attribute Contract page, add the Username attribute to extend the contract.
   For more information, see Access token management.
6. Configure OpenID Connect Policy Management. Create an OIDC policy to use specifically for PingAccess administrative console authentication.
   For more information, see Configuring OpenID Connect policies.
   - On the Attribute Contract tab, delete all of the attributes that appear in the Extend the Contract section. Keep only the one required attribute.
   - On the Contract Fulfillment tab, in the Source list, select Access Token, and in the Value list, select Username.
7. Configure Client Management. Create a client to use specifically for PingAccess administrative console authentication.
   For more information, see Managing OAuth clients.
   - In the Client Authentication list, select an option other than None.
   - Add the location of the PingAccess host as a Redirection URI: https://<PA_Admin_Host>:<PA_Admin_Port>/<reserved application context root>/oidc/cb
   - In the Allowed Grant Type list, select Authorization Code.
   - In the ID Token Signing Algorithm list, select one of the elliptic curve (ECDSA) algorithms, and in the Policy list, select the OIDC policy to use for PingAccess administrative console authentication.
8. To configure IdP Adapter Mapping, map the HTML Form IdP Adapter Username value to the USER_KEY and USER_NAME contract attributes for the persistent grant and the user's display name on the authorization page, respectively.
   For more information, see Managing IdP adapter grant mapping.
9. To configure Access Token Mapping, on the Contract Fulfillment tab, map values into the token attribute contract:
   - In the Source list, select Persistent Grant.
   - In the Value list, select USER_KEY.
10. To finish configuring administrator SSO, see Configuring admin UI SSO authentication.