With PingCentral, single sign-on (SSO) is disabled by default. To set up SSO, complete the following steps:
- Enable SSO.
- Configure OIDC properties to access OIDC configuration information.
- Define an OAuth client at the OpenID provider.
- Configure PingCentral role mapping.
After completing these steps, configure the resource server.
Enabling SSO for PingCentral
- Open the <PingCentral_install>/conf/application.properties file.
Uncomment the following property and set the value to
Configuring OIDC for PingCentral
In the <PingCentral_install>/conf/application.properties file, locate the pingcentral.sso.oidc.issuer-uri property, uncomment it, and define the Issuer URI.
In this example, PingCentral attempts to access OIDC configuration information at https://sso.mycompany.com:9031/.well-known/openid-configuration.
If PingCentral can't access the OIDC configuration information, it fails to start. Make sure the OpenID provider is running and accessible before starting PingCentral.
In the future, if changes are made on the OpenID Provider that affect the OIDC configuration information used for SSO, you must restart PingCentral to incorporate them.
Defining the OAuth client for PingCentral
Define an OAuth client for PingCentral at the OpenID provider.
In the <PingCentral_install>/conf/application.properties file, locate the following property, uncomment it, and provide the client ID and client secret for the OAuth client.
Secure the secret by running the obfuscation script in bin/obfuscate and using the output ciphertext in the property instead of the cleartext secret.
Configuring PingCentral role mapping
In PingCentral, two user roles are defined: the IAM Administrator, and the Application Owner. An initial IAM Administrator is created by default and can add other users to PingCentral and assign them to the appropriate role.
When SSO is enabled, the OpenID provider must indicate the PingCentral role with a claim in the ID token or in the UserInfo endpoint response. If this claim isn't present, or its value is not one of the expected values, the user is denied access to PingCentral, and auto-provisioning doesn't occur.
With PingFederate, an attribute can be mapped into the appropriate claim. To configure role mapping:
file, locate the following attributes and configure them for mapping into the
# The name of the claim which identifies the PingCentral role associated with the user.
#pingcentral.sso.oidc.role-claim-name=PingCentral-Role

# The expected value of the role claim which indicates the user is a PingCentral administrator.
#pingcentral.sso.oidc.role-claim-value-admin=IAM-Admin

# The expected value of the role claim which indicates the user is a PingCentral application owner (non-administrator).
#pingcentral.sso.oidc.role-claim-value-app-owner=Application-Owner

For example, to use a claim named UserRole whose values Admin and Developer map to the two roles:

pingcentral.sso.oidc.role-claim-name=UserRole
pingcentral.sso.oidc.role-claim-value-admin=Admin
pingcentral.sso.oidc.role-claim-value-app-owner=Developer
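The following is an added example, not PingCentral's own code: a small model of the role-mapping rule described above. It reads the three role-mapping properties from an application.properties-style fragment and applies them to the claims returned by the OpenID provider, denying access when the claim is absent or carries an unexpected value. The properties fragment, the claim sets, and the assumption that values are compared as exact strings are all constructed for this example.

```python
# Added example modelling the PingCentral role-mapping rule; not PingCentral's code.
# Assumption: the claim value is compared as an exact string against the two
# configured values. Sample properties and claims are constructed for the example.
from typing import Optional

PROPERTIES = """\
# constructed sample application.properties fragment
pingcentral.sso.oidc.role-claim-name=UserRole
pingcentral.sso.oidc.role-claim-value-admin=Admin
pingcentral.sso.oidc.role-claim-value-app-owner=Developer
"""


def parse_properties(text: str) -> dict:
    """Parse key=value lines; lines starting with '#' are comments and are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def map_role(props: dict, id_token_claims: dict,
             userinfo_claims: Optional[dict] = None) -> Optional[str]:
    """Return "IAM Administrator", "Application Owner", or None (access denied).

    The role claim may come from the ID token or the UserInfo response; the ID
    token is checked first. A missing claim or an unexpected value yields None:
    the user is denied and no account is auto-provisioned, with no default role.
    """
    claim = props["pingcentral.sso.oidc.role-claim-name"]
    value = id_token_claims.get(claim)
    if value is None and userinfo_claims:
        value = userinfo_claims.get(claim)
    if value == props["pingcentral.sso.oidc.role-claim-value-admin"]:
        return "IAM Administrator"
    if value == props["pingcentral.sso.oidc.role-claim-value-app-owner"]:
        return "Application Owner"
    return None  # claim absent, or value is neither expected string


if __name__ == "__main__":
    props = parse_properties(PROPERTIES)
    # Constructed claim sets, as an OpenID provider such as PingFederate might return them.
    print(map_role(props, {"sub": "alice", "UserRole": "Admin"}))       # IAM Administrator
    print(map_role(props, {"sub": "bob"}, {"UserRole": "Developer"}))   # Application Owner
    print(map_role(props, {"sub": "carol", "UserRole": "admin"}))       # None (case differs)
```

The third call shows why the configured values and the attribute PingFederate emits must match exactly: a value that differs only in case is denied rather than mapped to a role.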