When you install the PingAuthorize software with OpenID Connect (OIDC) authentication, configure an OIDC provider to accept single sign-on (SSO) requests from PingAuthorize.
If you chose OIDC mode when you set up the PingAuthorize Policy Editor, you must configure an OIDC provider, such as PingFederate or PingOne, to accept sign-on requests from the PingAuthorize Policy Editor. See the following tabs for the configuration steps for PingOne and PingFederate.
If you're using another OIDC provider, see the provider's documentation for specific client configuration steps. The following steps show the general procedure:
Configuring PingOne as an OIDC provider for PingAuthorize
To improve security and ensure a consistent authentication experience across all enterprise applications, enable single sign-on (SSO) for the PingAuthorize Policy Editor using PingOne as an OIDC provider.
Components
- PingOne
- PingAuthorize 9.0 or later
Instructions and screenshots might differ slightly from other product versions. For the latest documentation, see the PingOne documentation.
Before you begin
- Confirm that PingOne is accessible from the subnet on which the Policy Editor is running.
- Extract the Policy Editor distribution to your specified install location, with appropriate permissions set for write access, for example /opt/PingAuthorize-PAP.
Configuring PingOne for PingAuthorize policy administration
The following configuration allows PingOne to authorize external access to the PingAuthorize Policy Editor.
Configuring PingAuthorize policy administration to use PingOne
The following configuration enables the PingAuthorize Policy Editor to use PingOne for authentication.
Configuring PingFederate as an OIDC provider for PingAuthorize
To improve security and ensure a consistent authentication experience across all enterprise applications, enable single sign-on (SSO) for the PingAuthorize Policy Editor using PingFederate as an OIDC provider.
This document describes one way to configure PingFederate as an OpenID Connect provider for the PingAuthorize Policy Editor. In this example, PingFederate also acts as the identity provider and uses a PingDirectory LDAP server with sample data as the backing store.
Components
- PingFederate 10.3 or later
- PingDirectory 9.0 or later
- PingAuthorize 9.0 or later
Instructions and screenshots might differ slightly from other product versions. For the latest documentation, see the PingFederate documentation and PingDirectory documentation.
Before you begin
Make sure of the following:
- PingFederate is running and accessible from the subnet on which the Policy Editor is running.
- PingDirectory is running and accessible from the subnet on which PingFederate is running.
- PingDirectory is loaded with the identities to be used. This document uses the sample data provided when running the PingDirectory setup command line tool with option --sampleData 1000.
- You have extracted the Policy Editor distribution to your specified install location, with appropriate permissions set for write access. This document uses an installation directory of /opt/PingAuthorize-PAP.
- If using SSL, the certificate chain is available as a PKCS12 keystore to upload as the server certificate chain for PingFederate.
- The signing certificate for JWT tokens is available for upload to PingFederate.
Note: If the PingFederate certificate chain contains certificates that are not trusted by the default Java truststore on the system that the Policy Editor is running on, you will need to add them. An example of how to do this is provided in the "Add Certificate to Java Trust Store" subsection below.
Configuring PingFederate for PingAuthorize
Configure PingFederate to authorize external access through tokens to the PingAuthorize Policy Editor.
You can also use PingAccess to authorize external access through rules. See Rule Creation in PingAccess for information.
The following example configuration assumes that any authenticated user can access the PingAuthorize Policy Editor. To limit access to members of a specific group, see Configuring PingFederate group access for PingAuthorize.
Configuring PingAuthorize Policy Editor to use PingFederate
Configure the PingAuthorize Policy Editor to use PingFederate for authentication.
Reconfigure a manually installed PingAuthorize Policy Editor to use PingFederate for authentication.
Configuring PingFederate group access for PingAuthorize
Configure PingFederate so that only members of a specific LDAP group are authorized to access the application.
Configuring PingFederate for PingAuthorize and Configuring PingAuthorize Policy Editor to use PingFederate explain how to configure the PingAuthorize Policy Editor and PingFederate so that any authenticated user can access the PingAuthorize Policy Editor. This task describes how to configure PingFederate to limit access to a specific LDAP group.