PingCentral is an OpenID Connect relying party for browser-based single sign-on (SSO), and it acts as an OAuth 2 resource server when the admin API is accessed directly.
As long as an OpenID provider can supply the endpoints and claims that PingCentral requires (most notably the user name and role), other OpenID Connect 1.0 providers can also be used.
- Configure the Access Token Manager (ATM) for PingCentral.
- Configure the OIDC policy for PingCentral.
- Configure the OAuth client for PingCentral.
This section doesn't provide all of the details of setting up access token managers, OIDC policies, or attribute contracts because these topics are complex and often specific to a customer environment.
Configuring the Access Token Manager for PingCentral
Configuring the OIDC policy for PingCentral
The OAuth client will be associated with an OIDC Policy, which could be the default policy. This policy must map an attribute into the expected claim to signify the user’s PingCentral role, which is defined in the Attribute Contract, Attribute Sources & User Lookup, and Contract Fulfillment in PingFederate.
In addition to the sub claim, the important claim is the PingCentral-Role claim. Optionally, you can also include the given_name and family_name claims with the profile scope.
You can fulfill the sub claim from the access token, and you need to fulfill the PingCentral-Role claim using an OGNL expression based on group memberships in your directory. The following is an example of an OGNL expression used in Contract Fulfillment to map roles.
The expression first stores the memberOf attribute values from the access token in the #pcrole variable. If memberOf is absent, the claim value is "False"; if the values contain the IAM administrator's group name, the claim value is "IAM-Admin"; otherwise, if the values contain the application owner's group name, the claim value is "Application-Owner"; if neither group matches, the claim value is "NoAccess". The IAM administrator check comes first, so a user in both groups receives "IAM-Admin".
#pcrole = #this.get("memberOf"),
#pcrole == null ? "False" :
#pcrole.toString().contains("pingcentral-iamadmins") ? "IAM-Admin" :
#pcrole.toString().contains("pingcentral-appowners") ? "Application-Owner" : "NoAccess"
memberOf must be in your access token contract or retrieved through a lookup for the expression to work.
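To make the claim mapping concrete, here is an added Python model of what the OIDC policy's Contract Fulfillment produces for PingCentral: sub copied from the access token, PingCentral-Role derived from memberOf, and the optional profile claims. This is illustration code written for this page, not PingFederate or PingCentral code. It reproduces the decision the OGNL expression above makes (a substring match on the joined memberOf values, with the same "False", "IAM-Admin", "Application-Owner" and "NoAccess" results) and, beside it, a stricter variant that compares the group CN exactly, which a practitioner may prefer because a substring match also accepts any group whose name merely contains the target name. The group DNs and user attributes are constructed samples; the function names and the exact-match variant are this example's own choices.

```python
"""Model of the PingCentral-Role claim fulfillment.

Added illustration, not Ping code. Reproduces the OGNL expression's
decision in Python so its edge cases can be exercised offline, and adds
an exact-CN variant. All DNs and attribute values below are constructed.
"""
from typing import Optional

# Group names the OGNL expression on the page looks for.
IAM_ADMIN_GROUP = "pingcentral-iamadmins"
APP_OWNER_GROUP = "pingcentral-appowners"


def role_from_member_of_substring(member_of: Optional[list[str]]) -> str:
    """Mirror of the page's expression: toString().contains() on the joined values.

    Returns "False" when memberOf is absent (the expression's null branch),
    "IAM-Admin" before "Application-Owner" (first match wins), else "NoAccess".
    """
    if member_of is None:
        return "False"
    joined = ", ".join(member_of)  # approximates the attribute's toString() output
    if IAM_ADMIN_GROUP in joined:
        return "IAM-Admin"
    if APP_OWNER_GROUP in joined:
        return "Application-Owner"
    return "NoAccess"


def group_cn(dn: str) -> str:
    """Return the lower-cased CN of a group DN such as
    'CN=pingcentral-appowners,OU=Groups,DC=example,DC=com', or '' if none."""
    first_rdn = dn.split(",", 1)[0]
    key, _, value = first_rdn.partition("=")
    return value.strip().lower() if key.strip().lower() == "cn" else ""


def role_from_member_of_exact(member_of: Optional[list[str]]) -> str:
    """Stricter variant (this example's choice, not the page's expression):
    compare the group CN exactly, case-insensitively as LDAP does, so a group
    named e.g. 'pingcentral-appowners-readonly' does not grant a role.
    A missing memberOf yields "NoAccess" rather than "False"."""
    if member_of is None:
        return "NoAccess"
    cns = {group_cn(dn) for dn in member_of}
    if IAM_ADMIN_GROUP in cns:
        return "IAM-Admin"
    if APP_OWNER_GROUP in cns:
        return "Application-Owner"
    return "NoAccess"


def build_id_token_claims(access_token_attrs: dict, profile_scope: bool = True) -> dict:
    """Assemble the ID token claims PingCentral expects: sub from the access
    token, PingCentral-Role from memberOf, and given_name/family_name only
    when the profile scope was granted."""
    claims = {
        "sub": access_token_attrs["sub"],
        "PingCentral-Role": role_from_member_of_exact(access_token_attrs.get("memberOf")),
    }
    if profile_scope:
        for name in ("given_name", "family_name"):
            if name in access_token_attrs:
                claims[name] = access_token_attrs[name]
    return claims


# Constructed sample of the attributes available from the access token contract.
SAMPLE_ACCESS_TOKEN_ATTRS = {
    "sub": "jdoe",
    "given_name": "Jane",
    "family_name": "Doe",
    "memberOf": [
        "CN=pingcentral-appowners,OU=Groups,DC=example,DC=com",
        "CN=all-staff,OU=Groups,DC=example,DC=com",
    ],
}

if __name__ == "__main__":
    print(build_id_token_claims(SAMPLE_ACCESS_TOKEN_ATTRS))
    # A group whose name merely contains the target name: the substring
    # variant grants a role, the exact-CN variant does not.
    lookalike = ["CN=pingcentral-appowners-readonly,OU=Groups,DC=example,DC=com"]
    print(role_from_member_of_substring(lookalike), role_from_member_of_exact(lookalike))
```

If you adopt an exact-match check in your own OGNL expression, keep the precedence shown on the page (IAM administrator before application owner) and confirm that memberOf is actually present in the access token contract or lookup, since a missing attribute silently falls through to the null branch.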
If the default PingCentral role claim name and values need to be altered to match the OIDC policy, update the <PingCentral_install>/conf/application.properties file.
Configuring the OAuth client for PingCentral
Define a PingCentral-specific OAuth client. These steps explain how to configure PingFederate as the OpenID provider. See Configuring OAuth clients in the PingFederate Server guide for additional information.