This section provides tips for integrating PingCentral into an existing OIDC 1.0 SSO infrastructure using PingFederate as the Open ID provider. However, as long as an OpenID provider is able to provide the endpoints and claims required by PingCentral (most notably the user name and role), other OpenID Connect 1.0 providers, such as PingOne for Customers, can also be used.

This section does not provide all of the details of setting up access token managers, OIDC policies, or attribute contracts as these topics are complex and often specific to a customer environment.

Configuring the OAuth client

Defining a PingCentral-specific OAuth client is recommended. Configure the following:

  • Client authentication: Choose client secret and assign a secret. This secret also needs to be defined in PingCentral when you configure SSO. Refer to Configuring SSO for details.
  • Redirect URI: Provide the redirect URI. For example, https://<pc-host>:<pc-port>/login/oauth2/code/pingcentral.
  • Allowed grant types: Ensure Authorization Code is selected. If you want API access via bearer tokens, select the Resource Owner Password Credentials option as well.
  • OpenID connect: For ID Token Signing Algorithm, select RSA using SHA-256. PingCentral does not support ID token encryption.

Configuring the OIDC policy

The OAuth client will be associated with an OIDC Policy, perhaps the default policy. This policy must map an attribute into the expected claim to signify the user’s PingCentral role, which is defined in the Attribute Contract, Attribute Sources & User Lookup, and Contract Fulfillment in PingFederate.

If the default PingCentral role claim name and values need to be altered to match the OIDC policy, update the file. Refer to Configuring SSO for details.

Configuring the Access Token Manager

The access token manager associated with the OIDC Policy must support signed JWT tokens. To validate the token signature, PingCentral must be able to access a JWKS endpoint URL. Signing certificates and JWE encryption (symmetric or asymmetric) are not supported in this release.

If you are using PingFederate 10.1 or later, you can enable the centralized signing key functionality. Additional configuration is not required in PingCentral to access the centralized JWKS endpoint. Select the Use Centralized Signing Key check box, as shown in the following example.

Alternatively, or if you are using an older version of PingFederate, you must define an explicit JWKS endpoint path. Select Show Advanced Fields and specify the path in the JWKS Endpoint Path field, as shown in the following example:

This path must be explicitly configured in PingCentral. See Configuring resource server functionality.

If you define either or both of the issuer or audience claim values within the access token manager, you can configure PingCentral to validate them. These claim values are also defined within the advanced fields, as shown in the following example.