Configuring an OIDC provider for single sign-on requests from PingAuthorize - PingAuthorize

Configuring an OIDC provider for single sign-on requests from PingAuthorize - PingAuthorize - 9.0

PingAuthorize

bundle

pingauthorize-90

ft:publication_title

PingAuthorize

Product_Version_ce

PingAuthorize 9.0

category

ContentType

Product

Productdocumentation

paz-90

pingauthorize

ContentType_ce

Product documentation

Page created: 26 Jul 2021 |

Page updated: 13 Feb 2023

| 2 min read

Content Type Product documentation 9.0 PingAuthorize Product Configuration User task

If PingAuthorize is set up to use OpenID Connect (OIDC) single sign-on, configure an OIDC provider to accept sign-on requests from PingAuthorize.

If you chose OIDC mode when you set up the PingAuthorize Policy Editor, you must configure an OIDC provider, such as PingFederate or PingOne, to accept sign-on requests from the PingAuthorize Policy Editor.

For information about using PingFederate, see Configuring PingFederate as an OIDC provider for PingAuthorize.
For information about using PingOne, see Configuring PingOne as an OIDC provider for PingAuthorize.

If you're using another OIDC provider, see the provider's documentation for specific client configuration steps. The following steps show the general procedure:

Use the following configuration values to create an OAuth 2 client that represents the PingAuthorize Policy Editor.

OAuth 2 client configuration	Configuration value
Client ID	`pingauthorizepolicyeditor`
Redirect URI	https://<host>:<port>/idp-callback
Grant type	`Authorization Code with PKCE`
Response type	`code`
Scopes	`openid` `email` `profile` `offline_access` Include the `offline_access` scope even though your OIDC provider can issue refresh tokens without it.
Refresh tokens	`Enable`
Client authentication on the token endpoint	`Disable` The Policy Editor doesn't have access to the client secret and doesn't send credentials to the token endpoint.

Configure the access tokens and ID tokens issued for the OAuth 2 client with the following claims:
- sub
- name
- email
Configure the OIDC provider to accept a cross-origin resource sharing (CORS) origin that matches the PingAuthorize Policy Editor's scheme, public host, and port, such as https://<host>:<port>.
Configure the OIDC provider to issue tokens to the PingAuthorize Policy Editor only when the authenticated user is authorized to administer policies according to your organization's access rules.

Note:
Sign the tokens with a signing algorithm of RSA using SHA-256.

For PingFederate, this level of authorization is controlled with issuance criteria. For more information, see the PingFederate documentation.
To run a PingAuthorize Policy Editor Docker container in OIDC mode, use the PING_OIDC_CONFIGURATION_ENDPOINT and PING_CLIENT_ID environment variables in your docker run command, as shown in the following example.

For proper communication between containers, create a Docker network using a command like docker network create --driver <network_type> <network_name>, and then connect to that network with the --network=<network_name> option.
```
docker run --network=<network_name> -p 8443:1443 -d \
--env-file ~/.pingidentity/config \
--env PING_EXTERNAL_BASE_URL=localhost:8443 \
--env PING_CLIENT_ID=c2f081c0-6a2e-4249-b07d-d60234bb5b21 \
--env PING_OIDC_CONFIGURATION_ENDPOINT=https://auth.pingone.com/3e665735-23da-40a9-a2bb-7ccddc171aaa/as/.well-known/openid-configuration \
pingidentity/pingauthorizepap:<TAG>
```
The Docker image <TAG> used in the example is only a placeholder. For actual tag values, see the PingAuthorize PAP Docker Image on Docker Hub.