Configuring an OIDC provider for single sign-on requests from PingAuthorize - PingAuthorize

Configuring an OIDC provider for single sign-on requests from PingAuthorize - PingAuthorize - 9.1

PingAuthorize

bundle

pingauthorize-91

ft:publication_title

PingAuthorize

Product_Version_ce

PingAuthorize 9.1

category

ContentType

Product

Productdocumentation

paz-91

pingauthorize

ContentType_ce

Product documentation

Page created: 17 Feb 2022 |

Page updated: 29 Jul 2022

| 2 min read

Product PingAuthorize 9.1 Content Type Product documentation Configuration User task

When you install the PingAuthorize software with OpenID Connect (OIDC) authentication, configure an OIDC provider to accept SSO requests from PingAuthorize.

If you chose OIDC mode when you set up the PingAuthorize Policy Editor, you must configure an OIDC provider, such as PingFederate or PingOne, to accept sign-on requests from the PingAuthorize Policy Editor.

If you're using another OIDC provider, see the provider's documentation for specific client configuration steps. The following steps show the general procedure:

Use the following configuration values to create an OAuth 2 client that represents the PingAuthorize Policy Editor.

OAuth 2 client configuration	Configuration value
Client ID	`pingauthorizepolicyeditor`
Redirect URI	https://<host>:<port>/idp-callback
Grant type	`Authorization Code with PKCE`
Response type	`code`
Scopes	`openid` `email` `profile`
Refresh tokens	`Enable`
Client authentication on the token endpoint	`Disable` The Policy Editor doesn't have access to the client secret and doesn't send credentials to the token endpoint.
Return ID token on refresh grant	`true`
Always re-roll refresh tokens	`true`

Important:

When an authentication token expires, the Policy Editor performs a silent renewal, triggering a background process to retrieve a new token from the OIDC provider. For this process to work, you must configure your OIDC provider to issue refresh tokens in the following manner:

Issue an id_token as part of the refresh grant.
Re-roll the refresh token after each use. The Policy Editor will not use refresh tokens more than once.

Because these constraints apply to silent renewal, a misconfiguration of the previous items will still allow you to sign on. After your token expires, though, the application will eject you from your session and redirect you to the sign-on screen. This could cause you to lose unsaved changes in the Policy Editor.

Configure the access tokens and ID tokens issued for the OAuth 2 client with the following claims:
- sub
- name
- email
Configure the OIDC provider to accept a cross-origin resource sharing (CORS) origin that matches the PingAuthorize Policy Editor's scheme, public host, and port, such as https://<host>:<port>.
Configure the OIDC provider to issue tokens to the PingAuthorize Policy Editor only when the authenticated user is authorized to administer policies according to your organization's access rules.

Note:
Sign the tokens with a signing algorithm of RSA using SHA-256.

For PingFederate, this level of authorization is controlled with issuance criteria. For more information, see the PingFederate documentation.