The topics Configuring PingFederate for PingAuthorize and Configuring PingAuthorize Policy Editor to use PingFederate explain how to configure the PingAuthorize Policy Editor and PingFederate so that any authenticated user can access the PingAuthorize Policy Editor. This task describes how to configure PingFederate so that only members of a specific LDAP group are issued an access token, which limits Policy Editor access to that group.

  1. Create an LDAP group in PingDirectory and add the desired user (user.20) to the group.
    1. Create a file named create-policy-writer-group.ldif and add the following.
      # Container entry for groups (entries in an LDIF file are separated by a blank line)
      dn: ou=groups,dc=example,dc=com
      objectclass: top
      objectclass: organizationalunit
      ou: groups

      # Static group whose members are allowed to use the Policy Editor
      dn: cn=PolicyWriter,ou=groups,dc=example,dc=com
      objectclass: top
      objectclass: groupOfUniqueNames
      cn: PolicyWriter
      ou: groups
      uniquemember: uid=user.20,ou=People,dc=example,dc=com
    2. Use the PingDirectory ldapmodify tool (with -a to add the entries) to load the newly created LDIF file.
      /opt/PingDirectory/bin/ldapmodify -a -f create-policy-writer-group.ldif
  2. Add the group membership claim requirement in PingFederate.
    1. In the PingFederate console, go to Applications > OAuth > Access Token Mappings.
    2. Select the PingDirectory mapping from the list, and then on the Attribute Sources & User Lookup tab, select the PingDirectory source.
    3. Click the LDAP Directory Search tab, and in the Root Object Class list, select Show All Attributes.
    4. Add the isMemberOf attribute, and then click Done to return to Access Token Attribute Mapping.

      A screen capture of the LDAP Directory Search tab.
    5. Go to the Issuance Criteria tab and add a new row with the following values:
      Column          Value
      Source          LDAP (pingdir)
      Attribute Name  isMemberOf
      Condition       multi-value contains (case sensitive)
      Value           cn=PolicyWriter,ou=groups,dc=example,dc=com

      A screen capture of the Issuance Criteria tab, with the previously described attributes added.
    6. Click Save.
    Only user.20 can access the PingAuthorize Policy Editor.
  3. Verify that only specified users can access the PingAuthorize Policy Editor.

    Clear any active SSO sessions before you sign on as each user.

    1. Sign on as user.0.
      Access is denied.
    2. Sign on as user.20.
      Access is granted.
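The following is an added example, not part of the PingIdentity documentation: a stand-alone model of the issuance criterion configured above. It parses a constructed copy of create-policy-writer-group.ldif, derives each user's isMemberOf values from the group's uniquemember entries (as PingDirectory's virtual attribute would), and applies the "multi-value contains (case sensitive)" condition to decide whether a token is issued. All function names are this example's own, not PingFederate or PingDirectory APIs.

```python
# Added example; not from the PingIdentity documentation.
# Constructed copy of the LDIF from step 1 (entries separated by a blank line).
LDIF = """\
dn: ou=groups,dc=example,dc=com
objectclass: top
objectclass: organizationalunit
ou: groups

dn: cn=PolicyWriter,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: PolicyWriter
uniquemember: uid=user.20,ou=People,dc=example,dc=com
"""

# The Value column of the issuance criterion row.
GROUP_DN = "cn=PolicyWriter,ou=groups,dc=example,dc=com"


def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}); attribute names are lower-cased
    because LDAP attribute types are case-insensitive."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append((attrs["dn"][0], attrs))
    return entries


def is_member_of(user_dn, entries):
    """Model of the isMemberOf virtual attribute: DNs of static groups listing
    user_dn. Simplified to exact string comparison of member DNs."""
    return [dn for dn, attrs in entries if user_dn in attrs.get("uniquemember", [])]


def issuance_criterion_met(member_of, required_dn):
    """'multi-value contains (case sensitive)': the configured Value must match
    one of the attribute's values exactly, so a DN differing only in case fails."""
    return any(value == required_dn for value in member_of)


def token_issued(user_dn):
    """True when PingFederate would issue the access token for this user."""
    entries = parse_ldif(LDIF)
    return issuance_criterion_met(is_member_of(user_dn, entries), GROUP_DN)
```

Because the condition is an exact string match, the Value you enter in the issuance criterion must match the isMemberOf value exactly as PingDirectory returns it.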