Page created: 9 Feb 2021 | Page updated: 6 Dec 2022
PingAuthorize 8.3 Product
The steps below explain how to configure PingOne so that you can use PingOne single sign-on (SSO) to access the PingData Administrative Console of a PingDirectory Server or PingAuthorize Server.

Tip: You can use groups to organize user identities, as explained in Groups, and you can control which users may access an application, as explained in Application access control.
1. In the PingOne administration console, add a link to the PingOne solutions home page. You can do this by adding a PingDirectory Server or PingAuthorize Server service to one of the existing environments, or by adding a custom environment solely for a PingDirectory Server or PingAuthorize Server service.
   - When prompted, select the It's already been deployed option.
2. Provide https://<hostname>:<port>/console/login as the value for the Admin URL, filling in the bracketed values with the PingData server's hostname and HTTP port.

   Tip: When the Administrative Console is configured for SSO, you can specify the LDAP server to bind to with the query parameters ldap-hostname and ldaps-port. By choosing the LDAP server at login time, you can use a single console instance to administer multiple PingData servers. An LDAPS scheme is always assumed, because SSO always requires an encrypted connection to the LDAP server. With these parameters, the URL takes the following form:

   https://<hostname>:<port>/console?ldap-hostname=<my-ldap-host>&ldaps-port=<my-ldaps-port>
3. Configure matching administrator accounts in PingOne and on the PingData server. Go to the PingOne dashboard for the environment that will be used with the PingData server, and repeat the following steps for each PingOne user for whom you want to enable SSO. The root DN user name on the PingData server must be identical to the PingOne user's Username, because that is the value PingOne will send to the console (see the attribute mapping in step 4).
   a. Locate the user under the Identities tab. For the purposes of this example, assume the PingOne user has the following properties.

      Property      Value
      Given Name    Jane
      Family Name   Smith
      Username      jsmith

   b. Run the following dsconfig command against the PingData server, replacing jsmith with the PingOne user's Username value and Jane and Smith with the user's Given Name and Family Name.

      dsconfig create-root-dn-user --user-name jsmith \
          --set first-name:Jane \
          --set last-name:Smith
4. Register the Administrative Console with PingOne. Go to Add an application - Web application and follow the instructions in the "Add an OIDC application" subsection, using the application properties shown in the following table.

   Property            Value
   Application Name    PingData Administrative Console
   Description         Application for the PingData Administrative Console
   Redirect URLs       https://<hostname>:<port>/console/oidc/cb
   Attribute Mapping   'Username' = 'sub'

   Note: Fill in the bracketed values in the redirect URL with the PingData server's hostname and HTTP port, as in Step 2. The redirect URL must match the console's callback path exactly; PingOne rejects authorization requests whose redirect URL is not registered.
5. Edit the properties of the newly created application so that they have the values shown in the following table, following the instructions in Edit an application - OIDC in the PingOne Administration Guide.

   Property                               Value
   Response Type                          Code
   Grant Type                             Authorization Code
   Token Endpoint Authentication Method   Client Secret Basic

   Note the values of the following application properties; you will need them in a later step:
   - Issuer
   - Client ID
   - Client Secret
6. Locate the enable-pingone-admin-console-sso.dsconfig file in the PingDirectory/config/sample-dsconfig-batch-files/ directory. Make a copy of it, and edit the copy rather than the source file.
7. Replace all the bracketed values in the copied batch file with the corresponding values (Issuer, Client ID and Client Secret) noted in step 5, then apply the file with the following command. Because the copy now contains the client secret, protect it as you would any other credential file.

   dsconfig --batch-file enable-pingone-admin-console-sso-copy.dsconfig \
       --no-prompt

8. Click the link to the PingData server from the PingOne solutions home page. A PingOne login page should appear. After you provide your PingOne credentials, you should see the Administrative Console index page. If PingOne accepts the login but the console does not, check that the PingOne user's Username matches a root DN user created in step 3.
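What the settings in steps 3, 4 and 5 add up to on the console side, shown as an added example written for this page (Python; it is not the Administrative Console's or PingOne's own code): a relying party runs the authorization code flow (Response Type Code, Grant Type Authorization Code), authenticates to the token endpoint with Client Secret Basic, validates the ID token, and then resolves the sub claim to a root DN user, which is why the PingOne Username and the dsconfig --user-name must agree. Network calls are replaced by functions that build and check the protocol messages, so the code runs offline. The Issuer, Client ID, Client Secret, hostname and port values are placeholders, and the authorization and token endpoints are assumed to sit directly under the issuer, where a real client would read them from the issuer's discovery document.

```python
"""Relying-party side of the PingOne SSO configuration described above.

Added example for this page, not the Administrative Console's or PingOne's
own code. Network calls are replaced by pure functions that build and check
the protocol messages, so the whole thing runs offline.
"""
import base64
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholders standing in for the values noted in step 5 and for the
# server's hostname and port (assumptions, not real identifiers).
ISSUER = "https://auth.pingone.com/<environment-id>/as"
CLIENT_ID = "<client-id>"
CLIENT_SECRET = "<client-secret>"
REDIRECT_URI = "https://ds.example.com:8443/console/oidc/cb"

# Root DN user names created in step 3 with `dsconfig create-root-dn-user`.
ROOT_DN_USERS = {"jsmith"}

# A real client takes these from {ISSUER}/.well-known/openid-configuration;
# placing them directly under the issuer is an assumption made for brevity.
AUTHORIZATION_ENDPOINT = ISSUER + "/authorize"
TOKEN_ENDPOINT = ISSUER + "/token"


def build_authorization_request(state, nonce):
    """Redirect target for the browser (Response Type: Code)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,  # must equal the registered Redirect URL
        "scope": "openid",
        "state": state,  # ties the callback to this browser session (CSRF defence)
        "nonce": nonce,  # ties the ID token to this login (replay defence)
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect back to /console/oidc/cb."""
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback was not started by this session")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]


def build_token_request(code):
    """Code exchange (Grant Type: Authorization Code). With Client Secret Basic
    the credentials travel in an HTTP Basic Authorization header, never in the
    form body or the query string."""
    credentials = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {
        "Authorization": "Basic " + credentials,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
    })
    return TOKEN_ENDPOINT, headers, body


def validate_id_token_claims(claims, expected_nonce, now=None):
    """Claim checks on an ID token whose signature has already been verified
    against the issuer's JWKS (signature verification is out of scope here).
    Returns the sub claim, the only value the console should trust for identity."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("ID token issued by an unexpected issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("ID token not issued for this client")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("ID token has expired")
    nonce = str(claims.get("nonce", ""))
    if not hmac.compare_digest(nonce.encode(), expected_nonce.encode()):
        raise ValueError("nonce mismatch: ID token does not belong to this login")
    return claims["sub"]


def map_sub_to_root_dn_user(sub, root_dn_users=ROOT_DN_USERS):
    """The 'Username' = 'sub' attribute mapping: PingOne sends the Username as
    sub, and the console admits the login only if a root DN user of that name
    exists (step 3)."""
    if sub not in root_dn_users:
        raise PermissionError(
            f"no root DN user named {sub!r}; create one with dsconfig create-root-dn-user"
        )
    return sub
```

The order of checks matters: state is verified before the code is used, the client secret appears only in the Authorization header, and sub is consulted only after the issuer, audience, expiry and nonce checks pass, so a token minted by another issuer or for another PingOne application never reaches the root DN user lookup.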