Configuring PingFederate for PingAuthorize - PingAuthorize - 9.1

PingAuthorize

bundle
pingauthorize-91
ft:publication_title
PingAuthorize
Product_Version_ce
PingAuthorize 9.1
category
ContentType
Product
Productdocumentation
paz-91
pingauthorize
ContentType_ce
Product documentation

Configure PingFederate to authorize external access through tokens to the PingAuthorize Policy Editor.

You can also use PingAccess to authorize external access through rules. See Rule Creation in PingAccess for information.

The following example configuration assumes that any authenticated user can access the PingAuthorize Policy Editor. To limit access to members of a specific group, see Configuring PingFederate group access for PingAuthorize.

  1. In the PingFederate administration console, go to System > Data & Credential Stores > Data Stores.
  2. Click Add New Data Store.
  3. On the Data Store Type tab, in the Name field, enter a name for the data store.
  4. From the Type list, select Directory (LDAP), and then click Next.
  5. On the LDAP Configuration tab, enter the address and authentication information for PingFederate to use when accessing PingDirectory, and then click Next.
  6. On the Summary tab, review your configuration and click Save.

    A screen capture of the Summary tab, showing the data store configuration.
  7. Go to Authentication > Policies > Sessions and enable authentication sessions. The following example enables authentication sessions for all sources. Make the appropriate change for your environment, and then click Save.

    The Sessions window showing the Track Revoked Sessions on Logout check box selected. The Enable Authentication Sessions For All Sources check box is also selected.
  8. Go to Security > Certificate & Key Management > SSL Client Keys & Certificates and import your JWT signing certificate. Click Save.
    Note:

    PingFederate expects the certificate chain and keys to be encoded in PKCS12 format.

  9. Configure your OAuth server using the OpenID Connect protocol.
    1. Go to System > OAuth Settings > Scope Management and create scopes.
    2. In the Scope Value field, enter the email, openid, and profile scopes, clicking Add after each entry. Click Save.

      The Common Scopes tab showing values of email, openid, and profile added to the Scope Value list.
    3. Go to Applications > OAuth > Access Token Management and click Create New Instance.
    4. On the Type tab, from the Type list, select JSON Web Tokens. From the Parent Instance list, select None. Click Next.
    5. On the Instance Configuration tab, click Add a new row to 'Certificates' and add the previously imported signing certificate. Select the desired signing algorithm and token timeout, and then click Next.
    6. On the Session Validation tab, enable the session validation options.

      The Session Validation tab showing all check boxes selected.
    7. On the Access Token Attribute Contract tab, add the attributes to be included in the OAuth access token. This example extends the contract with cn, email, scope, sub, and uid attributes.

      The Access Token Attribute Contract tab showing values of cn, email, scope, sub, and uid added the Extend the Contract list.
    8. Click Next until you reach the Summary tab, and then click Save. Accept the default values for the Resources URIs and Access Control settings.
    9. Go to Applications > OAuth > Access Token Mappings to create an Access Token Mapping in the Default context for the Access Token Manager you just created. Click Add Mapping, and then click Add Attribute Source.
    10. From the Active Data Store list, select the PingDirectory data store that you created in step 2. Click Next.

      The Data Store tab showing the PingDirectory data store selected in the Active Data Store list.
    11. On the LDAP Directory Search tab, in the Base DN field, enter the base DN for the PingDirectory data that provides your identities.
    12. In the Attributes to return from search section, click Add Attribute and enter the attributes to be retrieved.

      The sample data uses ou=People,dc=example,dc=com and the configuration shown in the following image retrieves the cn, mail, and uid attributes.


      The LDAP Directory Search tab showing an entry of ou=People,dc=example,dc=com in the Base DN field, and the attributes cn, mail, and uid have been added to the Attribute list.
    13. On the LDAP Filter tab, in the Filter field, enter uid=${USER_KEY} to match the PingDirectory sample data with the authenticating user information.

      The LDAP Filter tab showing an entry of uid=${USER_KEY} in the Filter field.
    14. Click Next and Save on the Summary tab.
    15. On the Contract Fulfillment tab, fulfill the contract with the LDAP attributes from the PingDirectory data store. Leave the remaining settings as their defaults and click Save.

      The scope attribute is fulfilled from the OAuth context.


      The Contract Fulfillment tab showing a selection of LDAP (PingDirectory) in the Source column for the cn, email, sub, and uid contracts. The scope contract shows a selection of Context in the Source column. For the cn, email, sub, and uid contracts, the Value column shows a selection of cn, mail, uid, and uid, respectively. The scope contract shows a selection of Scope in the Value column.
    16. Go to Applications > OAuth > OpenID Connect Policy Management and click Add Policy.
    17. In the Manage Policy tab, from the Access Token Manager list, select the access token manager you previously created.
    18. Ensure that the Include User Info in ID Token check box is selected. Click Next.
    19. On the Attribute Contract tab, extend the policy contract with the email and name attributes. Click Next.
    20. On the Attribute Scopes tab, map the previously defined email and profile scopes to the email and name ID token attributes. Click Next.

      The Attribute Scopes tab showing the email attribute mapped to the email scope, and the name attribute mapped to the profile scope.
    21. On the Contract Fulfillment tab, fulfill the contract with the values in the access token. Click Next until you reach the Summary tab, and then click Save.

      The Contract Fulfillment tab showing the Access Token value selected in the Source column for email, name, and sub. The Value column shows email, cn, and sub, respectively.
    22. Click Set as Default to set the newly created policy as the default policy.
    23. Go to Applications > OAuth > Clients and click Add Client.

      To provide the Policy Editor with appropriate defaults, configure PingFederate with a Client ID of pingauthorize-pap and select the Implicit check box in the Allowed Grant Types section. From the Default Access Token Manager list, select the JWT Manager created earlier, and in the Redirection URIs field, add the correct callback URL for the Policy Editor, such as https://pap.example.com:9443/idp-callback.

      Click Save.

    24. Go to Authentication > OAuth > IdP Adapter Grant Mapping and create a new Form Adapter Mapping, fulfilling the contracts for USER_NAME and USER_KEY with the username form field. Click Next and Save on the Summary tab.

      The Contract Fulfillment tab showing the Adapter value selected in the Source column for USER_KEY and USER_NAME. The username value is selected in the Value column for both contracts.
    25. Because this PingFederate instance uses a different domain from the Policy Editor, you must modify the PingFederate CORS settings. Go to System > OAuth Settings > Authorization Server Settings. In the Cross-Origin Resource Sharing Settings section, enter the domain for the Policy Editor in the Allowed Origin field. Click Add and then Save.

      The Cross-Origin Resource Sharing Settings section showing a URL of https://pap.example.com:8080 added to the Allowed Origin field.
    PingFederate is configured to handle OpenID Connect requests.
Configuring PingAuthorize Policy Editor to use PingFederate