You can configure an OpenID Connect (OIDC) provider to accept sign-on requests in PingAuthorize.
If you chose OIDC mode when setting up the PingAuthorize Policy Editor, you need to configure an OIDC provider, such as PingFederate or PingOne, to accept sign-on requests from the PingAuthorize Policy Editor.
| For information about using | See |
|---|---|
| PingFederate | Configuring PingFederate as an OIDC provider for PingAuthorize policy administration |
| PingOne | Configuring PingOne as an OIDC provider for PingAuthorize policy administration |
Use the following configuration to create an OAuth 2 client that represents the
| OAuth 2 client configuration | Configuration value |
|---|---|
| Client ID | pingauthorizepolicyeditor |
| Redirect URI | https://<host>:<port>/idp-callback |
| Grant type | Implicit |
| Response type | token id_token |
| Scopes | |
- Configure the access tokens and ID tokens issued for this client with the following claims:
- Configure the OIDC provider to accept a cross-origin resource sharing (CORS) origin that matches the PingAuthorize Policy Editor's scheme, public host, and port, such as https://<host>:<port>.
Configure the OIDC provider to issue tokens to the PingAuthorize Policy Editor only when the authenticated user is authorized to administer policies according to your organization's access rules.
Note: Sign the tokens with a signing algorithm of RSA using SHA256.
For PingFederate, this level of authorization is controlled by using issuance criteria. For more information, see the PingFederate documentation.
Note: To run a PingAuthorize Policy Editor Docker container in OIDC mode, use the PING_OIDC_CONFIGURATION_ENDPOINT and PING_CLIENT_ID environment variables in your docker run command, as shown in the following example. For proper communication between containers, create a Docker network using a command such as docker network create --driver <network_type> <network_name>, and then connect to that network with the --network=<network_name> option of docker run:

```shell
docker run --network=<network_name> -p 8443:1443 -d \
  --env-file ~/.pingidentity/devops \
  --env PING_EXTERNAL_BASE_URL=localhost:8443 \
  --env PING_CLIENT_ID=c2f081c0-6a2e-4249-b07d-d60234bb5b21 \
  --env PING_OIDC_CONFIGURATION_ENDPOINT=https://auth.pingone.com/3e665735-23da-40a9-a2bb-7ccddc171aaa/as/.well-known/openid-configuration \
  pingidentity/pingauthorizepap:<TAG>
```
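Before pointing the Policy Editor at a provider, it is worth confirming that the provider's OIDC discovery document (the URL you pass as PING_OIDC_CONFIGURATION_ENDPOINT) advertises what the client configuration above needs: an https issuer and JWKS endpoint, the implicit grant, the `token id_token` response type, and RS256 ID-token signing. The following check is an added example and not Ping Identity code; the discovery document it parses is constructed for the example and the host auth.example.test is a placeholder.

```python
import json
from typing import List

# What the Policy Editor's OAuth 2 client requires from the provider, per the
# configuration table above: implicit grant, response type "token id_token",
# and tokens signed with RS256.
REQUIRED_RESPONSE_TYPE = frozenset({"token", "id_token"})
REQUIRED_GRANT = "implicit"
REQUIRED_SIGNING_ALG = "RS256"

# Constructed sample discovery document (placeholder host, not a real provider).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://auth.example.test/as",
    "authorization_endpoint": "https://auth.example.test/as/authorize",
    "jwks_uri": "https://auth.example.test/as/jwks",
    "response_types_supported": ["code", "id_token token", "id_token"],
    "grant_types_supported": ["authorization_code", "implicit"],
    "id_token_signing_alg_values_supported": ["RS256", "HS256"],
})


def check_discovery(document: str) -> List[str]:
    """Return the list of problems found; an empty list means the provider
    advertises everything the Policy Editor's implicit-flow client needs."""
    cfg = json.loads(document)
    problems = []
    # Tokens and keys must only ever travel over TLS.
    for key in ("issuer", "authorization_endpoint", "jwks_uri"):
        if not str(cfg.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    # response_types_supported entries are space-separated sets, so
    # "id_token token" and "token id_token" are the same response type.
    advertised = {frozenset(rt.split()) for rt in cfg.get("response_types_supported", [])}
    if REQUIRED_RESPONSE_TYPE not in advertised:
        problems.append("response type 'token id_token' not supported")
    # grant_types_supported is optional; the discovery spec's default is
    # authorization_code and implicit when it is absent.
    grants = cfg.get("grant_types_supported", ["authorization_code", "implicit"])
    if REQUIRED_GRANT not in grants:
        problems.append("implicit grant not supported")
    if REQUIRED_SIGNING_ALG not in cfg.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID token signing not supported")
    return problems


if __name__ == "__main__":
    # Replace SAMPLE_DISCOVERY with the body fetched from your provider's endpoint.
    print(check_discovery(SAMPLE_DISCOVERY) or "provider supports the Policy Editor client")
```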
The Docker image <TAG> used in the example is only a placeholder. For actual tag values, see Docker Hub (https://hub.docker.com/r/pingidentity/pingauthorizepap).