PingCentral version 1.0 has been tested with PingFederate 9.2.x and 9.3.x, serving as both the OpenID provider and OAuth 2 authorization server. PingCentral is an OpenID relying party, as well as an OAuth 2 resource server.
This section provides tips for integrating PingCentral into an existing OIDC 1.0 SSO infrastructure using PingFederate as the OpenID provider. However, as long as an OpenID provider is able to provide the endpoints and claims required by PingCentral (most notably the user name and role), other OpenID Connect 1.0 providers, such as PingOne for Customers, can also be used.
This section does not provide details on setting up Access Token Management (ATM) instances, OIDC policies, or attribute contracts, as these topics are complex and often specific to a deployment environment.
Configuring the OAuth client
Defining a PingCentral-specific OAuth client is recommended. Configure the following:
- Client authentication: Choose client secret and assign a secret. This secret also needs to be defined in PingCentral when you configure SSO. Refer to Configuring SSO for details.
- Redirect URI: Provide the redirect URI. For example, https://<pc-host>:<pc-port>/login/oauth2/code/pingcentral.
- Allowed grant types: Ensure Authorization Code is selected. If you want API access via bearer tokens, select the Resource Owner Password Credentials option as well.
- OpenID Connect: For ID Token Signing Algorithm, select RSA using SHA-256. PingCentral 1.0 does not support ID token encryption.
Configuring the OIDC policy
The OAuth client will be associated with an OIDC Policy, perhaps the default policy. This policy must map an attribute into the expected claim to signify the user’s PingCentral role, which is defined in the Attribute Contract, Attribute Sources & User Lookup, and Contract Fulfillment in PingFederate.
If the default PingCentral role claim name and values need to be altered to match the OIDC policy, update the application.properties file. Refer to Configuring SSO for details.
Configuring the ATM
The ATM associated with the OIDC Policy must issue JSON Web Tokens (JWTs). To validate the token signature, PingCentral must be given a JWKS endpoint URL. Signature validation using signing certificates, and JWE encryption (symmetric or asymmetric), are not supported in this release.
In the ATM Instance Configuration, under Show Advanced Fields, define a JWKS endpoint path.
For example, given the endpoint path /oauth/pingcentral/jwks, configure PingCentral with: