You should have already set up the PingData server that will be administered. This server will host the PingOne administration console that is being configured for SSO.
Tip:

You can use groups to organize user identities as explained in Groups. Also, you can set access to applications as explained in Application access control.

  1. In the PingOne administration console, add a link to the PingOne solutions home page. You can do this by adding a PingDirectory Server or PingAuthorize Server service to one of the existing environments or by adding a custom environment solely for a PingDirectory Server or PingAuthorize Server service.
    1. When prompted, select the It's already been deployed option.
    2. Provide "https://<hostname>:<port>/console/login" as the value for the Admin URL, filling in the bracketed values with the PingData server's hostname and HTTP port.
      Tip:
      You can specify the LDAP server to bind to using the query parameters ldap-hostname and ldaps-port when the Administrative Console is configured for SSO. By binding to the LDAP server, you can use a single console instance to administer multiple PingData servers. Note that an LDAPS scheme is always assumed because an encrypted connection is always required for SSO. Using these parameters, you can specify the URL as follows:
      https://<hostname>:<port>/console?ldap-hostname=<my-ldap-host>&ldaps-port=<my-ldaps-port>
  2. Configure the matching administrator accounts for PingOne and the PingData server. Go to the PingOne dashboard for the environment that will be used with the PingData server. Repeat the following steps for each PingOne user for which you wish to enable SSO.
    1. Locate the desired user under the Identities tab. For example purposes, we will assume the desired PingOne user has the following properties.
      Given Name Jane
      Family Name Smith
      Username jsmith
    2. Run the following dsconfig command against the PingData server, filling in the bracketed field with the previously located PingOne user's Username value.
      dsconfig create-root-dn-user --user-name jsmith \
        --set first-name:Jane \
        --set last-name:Smith
  3. Register the Administrative Console with PingOne. Go to Add an application - Web application and follow the instructions in the "Add an OIDC application" subsection. The application properties should be as shown in the following table.
    Property Value
    Application Name PingData Administrative Console
    Description Application for the PingData Administrative Console
    Redirect URLs https://<hostname>:<port>/console/oidc/cb
    Attribute Mapping 'Username' = 'sub'
    Note:

    Fill in the bracketed values in redirect URLs with the PingData server's hostname and HTTP port, similar to Step 2.

  4. Edit the listed properties for the newly created application so that the properties have the values shown in the following table, following the instructions in Edit an application - OIDC in the PingOne Administration Guide.
    Property Value
    Response Type Code
    Grant Type Authorization Code
    Token Endpoint Authentication Method Client Secret Basic
  5. Note the values for the following application properties to use in later steps:
    • Issuer
    • Client ID
    • Client Secret
  6. Locate the enable-pingone-admin-console-sso.dsconfig file in the PingDirectory/config/sample-dsconfig-batch-files/ directory. Make a copy of it, and edit the copy rather than the source file.
  7. Replace all the bracketed values in the batch file with the corresponding values from step 5. Then run the file using the following command.
    dsconfig --batch-file \
        enable-pingone-admin-console-sso-copy.dsconfig \
        --no-prompt
  8. Click the link to the PingData server from the PingOne solutions home page. A PingOne login page should appear. After you provide credentials, you should see the Administrative Console index page.
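As an added pre-flight check (example code, not part of the PingData documentation or product), the following Python validates the values collected in steps 2 through 5 before the batch file from step 7 is run: the Issuer's standard OIDC discovery document (assumed to have been fetched separately from the Issuer's /.well-known/openid-configuration endpoint) advertises the Response Type, Grant Type and Token Endpoint Authentication Method set in step 4, the redirect URLs are HTTPS console callbacks with no bracketed placeholders left, and every PingOne Username that will arrive as 'sub' has a matching root DN user. The sample issuer, hostnames and user names are constructed placeholders.

```python
from urllib.parse import urlparse

REDIRECT_PATH = "/console/oidc/cb"  # redirect path from the procedure above


def check_sso_setup(issuer, discovery, redirect_urls, pingone_usernames, root_dn_users):
    """Return a list of problems; an empty list means the collected values are consistent."""
    problems = []
    # The Issuer noted in step 5 must be the one the discovery document announces.
    if discovery.get("issuer") != issuer:
        problems.append(f"issuer mismatch: {issuer!r} vs {discovery.get('issuer')!r}")
    # Step 4: Response Type Code, Grant Type Authorization Code, Client Secret Basic.
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("response type 'code' is not supported by the issuer")
    # grant_types_supported is optional in discovery; its default includes authorization_code.
    if "authorization_code" not in discovery.get("grant_types_supported", ["authorization_code", "implicit"]):
        problems.append("authorization_code grant is not supported by the issuer")
    if "client_secret_basic" not in discovery.get("token_endpoint_auth_methods_supported", []):
        problems.append("token endpoint does not accept client_secret_basic")
    # Step 3: redirect URLs must be HTTPS, point at the console callback, and contain no placeholders.
    for url in redirect_urls:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"redirect URL {url} is not https")
        if parsed.path != REDIRECT_PATH:
            problems.append(f"redirect URL {url} does not use the path {REDIRECT_PATH}")
        if "<" in url or ">" in url:
            problems.append(f"redirect URL {url} still contains a bracketed placeholder")
    # Step 2 with the 'Username' = 'sub' mapping: every SSO user needs a root DN user of the same name.
    for name in sorted(set(pingone_usernames) - set(root_dn_users)):
        problems.append(f"PingOne user {name!r} has no matching root DN user")
    return problems


# Constructed sample data; the issuer and hostnames are placeholders, not a real environment.
SAMPLE_ISSUER = "https://auth.pingone.example/ENV-ID-PLACEHOLDER/as"
SAMPLE_DISCOVERY = {
    "issuer": SAMPLE_ISSUER,
    "response_types_supported": ["code", "token", "id_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}


def demo():
    # One consistent setup, and one with typical mistakes: plain HTTP, placeholders left in, missing root DN user.
    good = check_sso_setup(SAMPLE_ISSUER, SAMPLE_DISCOVERY,
                           ["https://ds1.example.com:8443/console/oidc/cb"], ["jsmith"], ["jsmith"])
    bad = check_sso_setup(SAMPLE_ISSUER, SAMPLE_DISCOVERY,
                          ["http://<hostname>:<port>/console/oidc/cb"], ["jsmith", "tlee"], ["jsmith"])
    return good, bad
```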