The steps below explain how to configure PingOne so that you can use PingOne SSO to sign in to the PingAuthorize administrative console.
You can use groups to organize user identities, as explained in Groups, and you can control which users are allowed to reach the application, as explained in Application access control.
- In the PingOne administration console, add a PingAuthorize Server service to one of the existing environments. Alternatively, add a custom environment solely for a PingAuthorize Server service.
  - When prompted, select the It's already been deployed option.
- Provide https://<hostname>:<port>/console/login as the value for the Admin URL, filling in the bracketed values with the PingAuthorize server's hostname and HTTPS port (the URL uses the https scheme).
  Tip: By binding to an LDAP server, you can use a single console instance to administer multiple PingAuthorize servers. An LDAPS scheme is always assumed, because an encrypted connection is always required for SSO. When the administrative console is configured for SSO, you can specify the LDAP server to bind to with the ldap-hostname and ldaps-port query parameters, giving a URL of the following form:
  https://<hostname>:<port>/console?ldap-hostname=<my-ldap-host>&ldaps-port=<my-ldaps-port>
- Configure matching administrator accounts in PingOne and on the PingAuthorize server. Go to the PingOne dashboard for the environment that will be used with the PingAuthorize server, and repeat the following steps for each PingOne user for whom you want to enable SSO.
  - Locate the desired user under the Identities tab. For example purposes, assume the desired PingOne user has the following properties:
    - Given name: Jane
    - Family name: Smith
    - Username: jsmith
  - Run the following dsconfig command against the PingAuthorize server, substituting the PingOne user's Username for the --user-name value and the given and family names for first-name and last-name. The --user-name value must match the PingOne Username exactly: the OIDC application registered later maps Username to the sub claim, and that claim is what the console matches against this root DN user.
    dsconfig create-root-dn-user --user-name jsmith \
        --set first-name:Jane \
        --set last-name:Smith
- Register the administrative console with PingOne. Follow the instructions for Adding an application and select OIDC Web App for Application Type. Configure the application properties as shown in the following list:
  - Application name: PingAuthorize administrative console
  - Description: Application for the PingAuthorize administrative console
  - Redirect URLs: https://<hostname>:<port>/console/oidc/cb
  - Attribute mapping: Username = sub
  Note: Fill in the bracketed values in the redirect URL with the PingAuthorize server's hostname and HTTPS port, the same values used for the Admin URL in Step 2. The registered redirect URL must match the console's callback URL exactly, including scheme and port, because the authorization server only redirects to a URL that has been registered.
- Edit the listed properties for the newly created application so that they have the values shown in the following list, following the instructions in Editing an application - OIDC in the PingOne Administration Guide:
  - Response type: Code
  - Grant type: Authorization code
  - Token endpoint authentication method: Client secret basic
  - Note the values for the following application properties to use in later steps:
    - Issuer
    - Client ID
    - Client Secret
- Locate the enable-pingone-admin-console-sso.dsconfig file in the PingAuthorize/config/sample-dsconfig-batch-files/ directory. Make a copy of it, and edit the copy rather than the source file.
- Replace all the bracketed values in the batch file with the corresponding values noted in step 5 (Issuer, Client ID and Client Secret). Then run the file with the following command:
  dsconfig --batch-file enable-pingone-admin-console-sso-copy.dsconfig \
      --no-prompt
  The edited copy now contains the client secret in clear text, so restrict its file permissions and delete it once the batch has been applied.
- Click the link to the PingAuthorize server from the PingOne solutions home page. A PingOne login page should appear. After you provide credentials, you should see the administrative console index page.
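The following Python script is an added example, not code from the PingAuthorize or PingOne documentation. Before the batch file is run, it checks that the provider's discovery metadata advertises the settings the application configuration above relies on (code response type, authorization code grant, client_secret_basic, HTTPS endpoints, an Issuer that matches byte for byte), that the redirect URL has the exact form the console expects, and it builds the create-root-dn-user commands from PingOne usernames unchanged so that the sub claim will match. The issuer, hostnames, discovery document and user records are constructed sample values; in practice fetch <Issuer>/.well-known/openid-configuration from PingOne and export the users you intend to enable.

```python
"""Pre-flight checks for PingOne SSO to the PingAuthorize administrative console.

Added example; not code from the PingAuthorize or PingOne documentation.
The discovery document, issuer, hostnames and user records below are
constructed sample values.
"""
from __future__ import annotations

import shlex
from urllib.parse import urlsplit

# Values the application configuration above relies on: Response type Code,
# Grant type Authorization code, Token endpoint auth Client secret basic.
REQUIRED = {
    "response_types_supported": "code",
    "grant_types_supported": "authorization_code",
    "token_endpoint_auth_methods_supported": "client_secret_basic",
}
# OIDC Discovery defaults that apply when the provider omits the key.
DEFAULTS = {
    "grant_types_supported": ["authorization_code", "implicit"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic"],
}


def check_oidc_provider(discovery: dict, issuer: str, redirect_url: str) -> list[str]:
    """Return the problems found; an empty list means the configured Issuer,
    the console callback and the provider's capabilities are consistent."""
    problems: list[str] = []
    # The Issuer must match exactly: ID token validation compares the iss
    # claim with the configured value, so even a trailing slash breaks SSO.
    if discovery.get("issuer") != issuer:
        problems.append(f"issuer mismatch: discovery {discovery.get('issuer')!r} vs configured {issuer!r}")
    for key, needed in REQUIRED.items():
        if needed not in discovery.get(key, DEFAULTS.get(key, [])):
            problems.append(f"{key} does not advertise {needed!r}")
    # Every endpoint the console will contact must be HTTPS.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = discovery.get(key, "")
        if urlsplit(url).scheme != "https":
            problems.append(f"{key} is not https: {url!r}")
    # The registered redirect URL must be exactly the console callback.
    parts = urlsplit(redirect_url)
    if parts.scheme != "https" or parts.path != "/console/oidc/cb" or parts.query or parts.fragment:
        problems.append(f"redirect URL must be https://<hostname>:<port>/console/oidc/cb, got {redirect_url!r}")
    return problems


def root_dn_user_commands(users: list[dict]) -> list[str]:
    """Build one dsconfig create-root-dn-user command per PingOne user.

    --user-name is the PingOne Username unchanged: the OIDC application maps
    Username to the sub claim, and that value is what the console matches
    against the root DN user."""
    commands: list[str] = []
    seen: set[str] = set()
    for user in users:
        name = user["username"]
        if not name or name != name.strip():
            raise ValueError(f"username {name!r} is empty or has surrounding whitespace")
        # LDAP user names are normally compared case-insensitively, so two
        # PingOne usernames differing only by case would collide on the server.
        if name.lower() in seen:
            raise ValueError(f"duplicate username (case-insensitive): {name!r}")
        seen.add(name.lower())
        argv = ["dsconfig", "create-root-dn-user", "--user-name", name,
                "--set", f"first-name:{user['given_name']}",
                "--set", f"last-name:{user['family_name']}"]
        commands.append(shlex.join(argv))  # shell-safe quoting of names
    return commands


# Constructed sample data; the environment ID and hostnames are placeholders.
SAMPLE_ISSUER = "https://auth.pingone.example/0000-env/as"
SAMPLE_DISCOVERY = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "jwks_uri": SAMPLE_ISSUER + "/jwks",
    "response_types_supported": ["code", "id_token", "token id_token"],
    "grant_types_supported": ["authorization_code", "implicit", "client_credentials"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}
SAMPLE_REDIRECT = "https://pingauthorize.example:8443/console/oidc/cb"
SAMPLE_USERS = [{"given_name": "Jane", "family_name": "Smith", "username": "jsmith"}]

if __name__ == "__main__":
    for problem in check_oidc_provider(SAMPLE_DISCOVERY, SAMPLE_ISSUER, SAMPLE_REDIRECT):
        print("PROBLEM:", problem)
    for command in root_dn_user_commands(SAMPLE_USERS):
        print(command)
```

Run the checks with the real Issuer from the application's properties and the real redirect URL you registered; any reported problem is one to fix in PingOne or in the batch file before running dsconfig, since an issuer or redirect mismatch only surfaces later as a failed login.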