Configuring PingFederate and PingAccess for SSO - PingCentral - 1.14


To access PingFederate or PingAccess from PingCentral using single sign-on (SSO), each application must be correctly configured.

Note: You can configure PingFederate to use OAuth2 or a native sign-on to connect to PingCentral, but not both. You can configure PingAccess to use either native sign-on, OAuth2, or both.

Configuring PingFederate for SSO

To access PingFederate from PingCentral using SSO:

  1. Review the PingFederate configurations:
    1. In PingFederate, go to Applications > OAuth > Access Token Management and ensure that JSON web tokens are configured, as shown in this example.

      See Configuring JSON-token management in the PingFederate Server guide for details.


      In this example, JSON Web Tokens are configured on the Access Token Management page in PingFederate.
    2. On the Access Token Attribute Contract tab, ensure that the access token attribute contract includes the following attributes, as listed here and shown in this example.
      • admin_role
      • Username

      See Defining the access token attribute contract in the PingFederate Server guide for details.


      In this example, admin_role and Username are configured on the Access Token Attribute Contract tab in PingFederate.
    3. Go to Applications > OAuth > Access Token Mappings and ensure that Client Credentials is mapped to use JSON Web Tokens as the access token manager, as shown in this example (click Add Mapping to add the mapping if it is missing).

      In this example, Client Credentials is mapped to JSON Web Tokens on the Access Token Mappings page in PingFederate.
    4. On the Contract Fulfillment tab, ensure that the access token attributes in the contract are correctly mapped and the following attributes are included in the contract:
      • Username: The username of the administrator used to access APIs.
      • admin_role: This multi-valued attribute must include the admin and cryptoadmin roles. In this example, an OGNL expression is used to include these values.

        In this example, admin_role is an expression mapped to an OGNL expression and Username is mapped to value.
  2. Configure a new PingFederate client:
    1. In PingFederate, go to Applications > OAuth > Clients.
    2. On the Manage Client tab, complete these fields:
      • Client ID: Enter a unique identifier for the client.
      • Name: Enter a name for the client.
      • Description: Enter a description of the client.

      See Configuring OAuth clients in the PingFederate Server guide for details.


      In this example, the Client ID and Name fields are completed and the Client Secret option is selected.
    3. In the Client Authentication field, select Client Secret.
    4. In the Client Secret field, you can:
      Option                        Description
      Create or generate a secret.  Choose from:
                                    • To create a strong, random alphanumeric string, click Generate Secret.
                                    • Manually enter a secret.
      Modify an existing secret.    1. Select the Change Secret check box.
                                    2. Click Generate Secret to create a strong random alphanumeric string, or manually enter a secret.
    5. In the Grant Types field, select the Client Credentials and Access Token Validation (Client is a Resource Server) options.
    6. In the Default Access Token Manager field, select JSON Web Tokens. Click Save.
    7. Access the PingFederate <pf_install>/pingfederate/bin/run.properties file, and ensure that this property is set: pf.admin.api.authentication=OAuth2.
    8. Access the PingFederate <pf_install>/pingfederate/bin/oauth2.properties file, and ensure that the following properties are set.
      Property                 Description
      client.id                The unique client identifier defined in step 2.
      client.secret            The client secret defined in step 4.
      introspection.endpoint   The URL at which PingFederate validates the access token, for example
                               https://<PF_RUNTIME_HOST>:<PF_RUNTIME_PORT>/as/introspect.oauth2.
      required.scopes          Any of the scopes defined in PingFederate. Go to System > OAuth Settings > Scope Management
                               to see a list of available scopes. For details, see Scopes in the PingFederate Server guide.
      username.attribute.name  The value mapped to the Username attribute defined on the Contract Fulfillment tab.
      role.attribute.name      The value mapped to the admin_role attribute defined on the Contract Fulfillment tab.

  3. Configure PingCentral:
    1. In PingCentral, to connect to the new PingFederate client, go to Environments > Add Environments.
    2. On the Connect to Instances page, complete the following fields using the properties you just set in the PingFederate oauth2.properties file.

      In this example, the Connect to Instances page in PingCentral is displayed.
      • PingFederate Admin: Enter the URL defined in the pf.admin.baseurl property for the new client. For details, see Configuring PingFederate properties in the PingFederate Server guide.
      • Authentication Method: Select OAuth2.
      • Token Endpoint URL: Enter the PingFederate token endpoint URL: https://<PF_RUNTIME_HOST>:<PF_RUNTIME_PORT>/as/token.oauth2.
      • Client ID: Enter the unique client identifier set as the client.id property.
      • Client Secret: Enter the client secret set as the client.secret property.
      • Scopes: Enter the scopes set as the required.scopes property.
    3. Click Next.

Configuring PingAccess for SSO

To use SSO to access PingAccess from PingCentral:

  1. Configure a new PingFederate client:
    1. In PingFederate, go to Applications > OAuth > Clients.
    2. On the Manage Client tab, complete these fields:
      • Client ID: Enter a unique identifier for the client.
      • Name: Enter a name for the client.
      • Description: Enter a description of the client.

      See Configuring OAuth clients in the PingFederate Server guide for details.


      In this example, the Client ID and Name fields are completed and the Client Secret option is selected.
    3. In the Client Authentication field, select Client Secret.
    4. In the Client Secret field, you can:
      Option                        Description
      Create or generate a secret.  Choose from:
                                    • To create a strong, random alphanumeric string, click Generate Secret.
                                    • Manually enter a secret.
      Modify an existing secret.    1. Select the Change Secret check box.
                                    2. Click Generate Secret to create a strong random alphanumeric string, or manually enter a secret.
    5. In the Grant Types field, select the Client Credentials and Access Token Validation (Client is a Resource Server) options.
    6. In the Default Access Token Manager field, select JSON Web Tokens. Click Save.
    7. Access the PingFederate <pf_install>/pingfederate/bin/run.properties file, and ensure that this property is set: pf.admin.api.authentication=OAuth2.
    8. Access the PingFederate <pf_install>/pingfederate/bin/oauth2.properties file, and ensure that the following properties are set.
      Property                 Description
      client.id                The unique client identifier defined in step 2.
      client.secret            The client secret defined in step 4.
      introspection.endpoint   The URL at which PingFederate validates the access token, for example
                               https://<PF_RUNTIME_HOST>:<PF_RUNTIME_PORT>/as/introspect.oauth2.
      required.scopes          Any of the scopes defined in PingFederate. Go to System > OAuth Settings > Scope Management
                               to see a list of available scopes. For details, see Scopes in the PingFederate Server guide.
      username.attribute.name  The value mapped to the Username attribute defined on the Contract Fulfillment tab.
      role.attribute.name      The value mapped to the admin_role attribute defined on the Contract Fulfillment tab.

  2. Configure PingAccess:
    1. In PingAccess, go to System > System Settings > Admin Authentication.
    2. On the Admin API OAuth tab, select Enable and complete these fields as shown in the example:
      • Client ID: Enter the unique client identifier for the new client.
      • Client Secret: Enter the client secret defined for the new client.
      • Scope: Enter the scopes set as required scopes for the new client.
      • Subject Attribute Name: Enter the name of an access token attribute that you want to use as the Subject field in audit log entries for the admin API.

        In this example, the Admin API OAuth - Enabled tab is displayed in PingAccess.
    3. Click Save.
  3. Configure PingCentral:
    1. In PingCentral, to connect to the new PingFederate client, go to Environments > Add Environments.
    2. On the Connect to Instances page, scroll down and select PingAccess.
    3. Complete the following fields using the properties you just set in PingAccess.

      In this example, the Connect to Instances page in PingCentral is displayed.
      • PingAccess Admin: Enter the link to access PingAccess.
      • Authentication Method: Select Native or OAuth2.
      • Token Endpoint URL: Enter the token endpoint URL, which is published in the PingFederate OpenID Connect discovery document at https://<PF_RUNTIME_HOST>:<PF_RUNTIME_PORT>/.well-known/openid-configuration.
      • Client ID: Enter the unique identifier for the new client.
      • Client Secret: Enter the client secret defined for the new client.
      • Scopes: Enter the scopes set as required scopes for the new client.
    4. Click Next.
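Both procedures above depend on the same oauth2.properties settings and on the access token carrying the Username and admin_role attributes that those settings name. The following script is an added example, not part of this guide or of the Ping Identity products: it parses a constructed copy of oauth2.properties, checks that every property the tables list is set and that the introspection endpoint is an HTTPS /as/introspect.oauth2 URL, and then validates a constructed introspection response (RFC 7662 shape) against those properties, flagging a missing scope, a missing username attribute, or an admin_role that lacks admin or cryptoadmin. The property names come from the page; the client ID, scope name, hostname and response contents are invented sample values.

```python
"""Offline consistency check for oauth2.properties and the token it implies.
Added example; property names are from the PingCentral guide, all values are
constructed samples."""
from urllib.parse import urlparse

# Constructed sample of <pf_install>/pingfederate/bin/oauth2.properties.
SAMPLE_OAUTH2_PROPERTIES = """\
# constructed sample, not a real deployment
client.id=pingcentral-admin-client
client.secret=REPLACE_WITH_GENERATED_SECRET
introspection.endpoint=https://pf.example.com:9031/as/introspect.oauth2
required.scopes=pc:admin
username.attribute.name=Username
role.attribute.name=admin_role
"""

REQUIRED_KEYS = ("client.id", "client.secret", "introspection.endpoint",
                 "required.scopes", "username.attribute.name", "role.attribute.name")
# The guide requires admin_role to include both of these values.
REQUIRED_ROLES = {"admin", "cryptoadmin"}


def parse_properties(text):
    """Minimal Java .properties parser: key=value (or key:value) lines,
    '#'/'!' comments and blank lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_properties(props):
    """Return a list of problems with the oauth2.properties content (empty = OK)."""
    problems = []
    for key in REQUIRED_KEYS:
        if not props.get(key):
            problems.append(f"missing or empty property: {key}")
    endpoint = props.get("introspection.endpoint", "")
    if endpoint:
        url = urlparse(endpoint)
        if url.scheme != "https":
            problems.append("introspection.endpoint must use https")
        if url.path != "/as/introspect.oauth2":
            problems.append("introspection.endpoint path is not /as/introspect.oauth2")
    return problems


def check_introspection(response, props):
    """Validate an introspection response against the properties: the token must
    be active, carry every required scope, and expose the username and role
    attributes named in the properties, with the role attribute containing
    every value in REQUIRED_ROLES."""
    problems = []
    if not response.get("active"):
        return ["token is not active"]
    granted = set(response.get("scope", "").split())
    # Accept either comma- or space-separated required.scopes (assumption).
    required = set(props["required.scopes"].replace(",", " ").split())
    missing = required - granted
    if missing:
        problems.append(f"missing scopes: {sorted(missing)}")
    user_attr = props["username.attribute.name"]
    if not response.get(user_attr):
        problems.append(f"{user_attr} attribute absent from token")
    role_attr = props["role.attribute.name"]
    roles = response.get(role_attr, [])
    if isinstance(roles, str):          # single-valued mapping slipped through
        roles = [roles]
    missing_roles = REQUIRED_ROLES - set(roles)
    if missing_roles:
        problems.append(f"{role_attr} lacks roles: {sorted(missing_roles)}")
    return problems


# Constructed introspection responses: one as the Contract Fulfillment mapping
# in the guide would produce, one where admin_role was left single-valued.
GOOD_RESPONSE = {"active": True, "scope": "pc:admin",
                 "Username": "pcadmin", "admin_role": ["admin", "cryptoadmin"]}
BAD_RESPONSE = {"active": True, "scope": "pc:admin",
                "Username": "pcadmin", "admin_role": "admin"}

if __name__ == "__main__":
    props = parse_properties(SAMPLE_OAUTH2_PROPERTIES)
    print("properties:", check_properties(props) or "OK")
    print("good token:", check_introspection(GOOD_RESPONSE, props) or "OK")
    print("bad token:", check_introspection(BAD_RESPONSE, props))
```

Run it against a real introspection response by pasting the JSON PingFederate returns from the introspection.endpoint into place of GOOD_RESPONSE; a non-empty result from check_introspection is the usual reason PingCentral can connect but is refused administrator access.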