PingCentral has been tested with PingFederate 9.2.x, 9.3.x, 10.0.x and 10.1.x, serving as both the OpenID provider and OAuth 2 authorization server. PingCentral is an OpenID relying party for browser-based SSO, as well as an OAuth 2 resource server when the admin API is accessed directly.
This section provides tips for integrating PingCentral into an existing OIDC 1.0 SSO infrastructure using PingFederate as the OpenID provider. However, as long as an OpenID provider is able to provide the endpoints and claims required by PingCentral (most notably the user name and role), other OpenID Connect 1.0 providers, such as PingOne for Customers, can also be used.
This section does not provide all of the details of setting up access token managers, OIDC policies, or attribute contracts as these topics are complex and often specific to a customer environment.
Configuring the OAuth client
Defining a PingCentral-specific OAuth client is recommended. Configure the following:
- Client authentication: Choose client secret and assign a secret. This secret also needs to be defined in PingCentral when you configure SSO. Refer to Configuring SSO for details.
- Redirect URI: Provide the redirect URI. For example, https://<pc-host>:<pc-port>/login/oauth2/code/pingcentral.
- Allowed grant types: Ensure Authorization Code is selected. If you want API access via bearer tokens, select the Resource Owner Password Credentials option as well.
- OpenID Connect: For ID Token Signing Algorithm, select RSA using SHA-256. PingCentral does not support ID token encryption.
Configuring the OIDC policy
The OAuth client will be associated with an OIDC Policy, perhaps the default policy. This policy must map an attribute into the expected claim that signifies the user’s PingCentral role; the mapping is defined in the Attribute Contract, Attribute Sources & User Lookup, and Contract Fulfillment sections in PingFederate.
If the default PingCentral role claim name and values need to be altered to match the OIDC policy, update the application.properties file. Refer to Configuring SSO for details.
Configuring the Access Token Manager
The access token manager associated with the OIDC Policy must support signed JWT tokens. To validate the token signature, PingCentral must be able to access a JWKS endpoint URL. Signing certificates and JWE encryption (symmetric or asymmetric) are not supported in this release.
This JWKS endpoint URL must be explicitly configured in PingCentral. See Configuring resource server functionality.
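As an added example (not code from PingCentral or PingFederate), the standard-library Python below shows the checks that the resource-server role described above implies when an API call carries a bearer token: a JWE is rejected, only RS256 is accepted, the signing key is located by `kid` in a JWKS document, and the signature, issuer, audience and expiry are verified before the role claim is read. The issuer URL, audience, `kid` and the claim name `role` are assumptions, and the toy RSA key generation exists only so the demo runs offline.

```python
import base64, hashlib, hmac, json, random, time

def _b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()   # JWS base64url, no padding
def _b64d(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _prime(bits):                                  # Fermat-probable prime: only for a throwaway demo key
    while True:
        c = random.getrandbits(bits) | 1 << (bits - 1) | 1
        if all(pow(a, c - 1, c) == 1 for a in (2, 3, 5, 7, 11)): return c

def gen_rsa_key(bits=1024):                        # toy keygen (demo only); PingFederate holds the real key
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        if (p - 1) % e and (q - 1) % e: return p * q, e, pow(e, -1, (p - 1) * (q - 1))   # (n, e, d)

def jwks_for(n, e, kid):                           # what the JWKS endpoint would publish for this key
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": _b64u(n.to_bytes((n.bit_length() + 7) // 8, "big")), "e": _b64u(e.to_bytes(3, "big"))}]}

_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")   # DigestInfo header for SHA-256
def _emsa(msg, k):                                 # EMSA-PKCS1-v1_5 encoding used by RS256
    t = _PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def mint_rs256(claims, header, n, d):             # stands in for the access token manager issuing a signed JWT
    signing_input = _b64u(json.dumps(header).encode()) + "." + _b64u(json.dumps(claims).encode())
    k = (n.bit_length() + 7) // 8
    sig = pow(int.from_bytes(_emsa(signing_input.encode(), k), "big"), d, n)
    return signing_input + "." + _b64u(sig.to_bytes(k, "big"))

def verify_access_token(token, jwks, issuer, audience, now=None):
    parts = token.split(".")
    if len(parts) == 5: raise ValueError("JWE (encrypted) token: not supported")
    if len(parts) != 3: raise ValueError("not a compact JWS")
    header = json.loads(_b64d(parts[0]))
    if header.get("alg") != "RS256": raise ValueError("only RS256 accepted")   # rejects 'none' and HS256 confusion
    key = next((j for j in jwks["keys"] if j.get("kid") == header.get("kid") and j.get("kty") == "RSA"), None)
    if key is None: raise ValueError("no RSA key with that kid in JWKS")
    n, e = int.from_bytes(_b64d(key["n"]), "big"), int.from_bytes(_b64d(key["e"]), "big")
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(_b64d(parts[2]), "big"), e, n).to_bytes(k, "big")
    if not hmac.compare_digest(em, _emsa(f"{parts[0]}.{parts[1]}".encode(), k)): raise ValueError("bad signature")
    claims = json.loads(_b64d(parts[1]))           # claims are trusted only after the signature check
    aud = claims.get("aud"); aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != issuer or audience not in aud: raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (now if now is not None else time.time()): raise ValueError("token expired")
    return claims                                  # the caller reads the configured role claim from here
```

In production the JWKS document is fetched from the URL configured in PingCentral rather than built locally, and the key is generated by PingFederate's access token manager.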