You should have already set up the PingAuthorize server that will be administered. This server will host the PingAuthorize administration console that is being configured for SSO.
Tip:

You can use groups to organize user identities as explained in Groups. Also, you can set access to applications as explained in Application access control.

  1. In the PingOne administration console, add a PingAuthorize Server service to one of the existing environments. Alternatively, add a custom environment solely for a PingAuthorize Server service.
    1. When prompted, select the It's already been deployed option.
    2. Provide https://<hostname>:<port>/console/login as the value for the Admin URL, filling in the bracketed values with the PingAuthorize server's hostname and HTTP port.
      Tip:

      By binding to the LDAP server, you can use a single console instance to administer multiple PingAuthorize servers. Note that an LDAPS scheme is always assumed because an encrypted connection is always required for SSO.

      You can specify the LDAP server to bind to using the query parameters ldap-hostname and ldaps-port when the administrative console is configured for SSO. Using these parameters, you can specify the URL as follows:

      https://<hostname>:<port>/console?ldap-hostname=<my-ldap-host>&ldaps-port=<my-ldaps-port>
  2. Configure the matching administrator accounts for PingOne and the PingAuthorize server. Go to the PingOne dashboard for the environment that will be used with the PingAuthorize server. Repeat the following steps for each PingOne user for which you wish to enable SSO.
    1. Locate the desired user under the Identities tab. For the example purposes, we will assume the desired PingOne user has the following properties.
      Description Details

      Given Name

      Jane

      Family Name

      Smith

      Username

      jsmith
    2. Run the following dsconfig command against the PingAuthorize server, filling in the bracketed field with the previously located PingOne user's Username value. 
      dsconfig create-root-dn-user --user-name jsmith \
  --set first-name:Jane \
  --set last-name:Smith
  3. Register the administrative console with PingOne. Follow the instructions for Adding an application and select OIDC Web App for Application Type. Configure the application properties as shown in the following table.
    Property Value

    Application Name

    PingAuthorize administrative console

    Description

    Application for the PingAuthorize administrative console

    Redirect URLs

    https://<hostname>:<port>/console/oidc/cb

    Attribute Mapping

    Username = sub
    Note:

    Fill in the bracketed values in redirect URLs with the PingAuthorize server's hostname and HTTP port, similar to Step 2.

  4. Edit the listed properties for the newly created application so that the properties have the values show in the following table, following the instructions in Edit an application - OIDC in the PingOne Administration Guide.
    Property Value

    Response Type

    Code

    Grant Type

    Authorization Code

    Token Endpoint Authentication Method

    Client Secret Basic
  5. Note the values for the following application properties to use in later steps:
    • Issuer
    • Client ID
    • Client Secret
  6. Locate the enable-pingone-admin-console-sso.dsconfig file in the PingAuthorize/config/sample-dsconfig-batch-files/ directory. Make a copy of it, and edit the copy rather than the source file.
  7. Replace all the bracketed values in the batch file with the corresponding values from step 5. Then run the file using the following command. 
    dsconfig --batch-file \
    enable-pingone-admin-console-sso-copy.dsconfig \
    --no-prompt
  8. Click the link to the PingAuthorize server from the PingOne solutions home page. A PingOne login page should appear. After you provide credentials, you should see the administrative console index page.