In PingCentral 1.0, two user roles are defined: the IAM Administrator, and the Application Owner. An initial IAM Administrator is created by default and can add other users to PingCentral and assign them to the appropriate role.

When SSO is enabled, the OpenID Provider must indicate the PingCentral role with a claim delivered in the ID token or from the UserInfo endpoint. If this claim isn't present, or its value doesn't match one of the expected role values, the user is denied access to PingCentral and is not auto-provisioned.

With PingFederate, an attribute can be mapped into the appropriate claim. To configure role mapping:

  • Locate the following properties and configure them for mapping into the appropriate claim:
    # The name of the claim which identifies the PingCentral role associated with the user.
    #pingcentral.sso.oidc.role-claim-name=PingCentral-Role
    # The expected value of the role claim which indicates the user is a PingCentral administrator.
    #pingcentral.sso.oidc.role-claim-value-admin=IAM-Admin
    # The expected value of the role claim which indicates the user is a PingCentral application owner (non-administrator).
    #pingcentral.sso.oidc.role-claim-value-app-owner=Application-Owner
  • If these defaults can be used with the OpenID Provider, no further configuration is required.
  • If the defaults can't be used with the OpenID Provider, uncomment the properties and set the claim name or values so that PingCentral matches the OpenID Provider configuration, for example:
    pingcentral.sso.oidc.role-claim-name=UserRole
    pingcentral.sso.oidc.role-claim-value-admin=Admin
    pingcentral.sso.oidc.role-claim-value-app-owner=Developer
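The following is an added example, written for this page and not PingCentral's own implementation, that models how the properties above are read and how a role claim is resolved to a PingCentral role. The property names and default values are those shown above; the parsing of commented-out lines, the order in which the ID token and UserInfo claims are consulted, the exact (case-sensitive) string comparison, the return values `IAM_ADMIN` and `APPLICATION_OWNER`, and the sample claim sets are all assumptions made for illustration.

```python
# Added example: a minimal model of PingCentral-style OIDC role-claim mapping.
# This is illustrative code for this page, not PingCentral's implementation.
# Property keys and defaults are the ones documented on the page; everything
# else (lookup order, comparison rules, role names, sample claims) is assumed.

# Defaults that apply when the properties stay commented out in the file.
DEFAULT_PROPERTIES = {
    "pingcentral.sso.oidc.role-claim-name": "PingCentral-Role",
    "pingcentral.sso.oidc.role-claim-value-admin": "IAM-Admin",
    "pingcentral.sso.oidc.role-claim-value-app-owner": "Application-Owner",
}

# Constructed properties file contents: the page's defaults left commented out.
DEFAULT_PROPERTIES_TEXT = """\
# The name of the claim which identifies the PingCentral role associated with the user.
#pingcentral.sso.oidc.role-claim-name=PingCentral-Role
#pingcentral.sso.oidc.role-claim-value-admin=IAM-Admin
#pingcentral.sso.oidc.role-claim-value-app-owner=Application-Owner
"""

# Constructed properties file contents: the page's customised example, uncommented.
CUSTOM_PROPERTIES_TEXT = """\
pingcentral.sso.oidc.role-claim-name=UserRole
pingcentral.sso.oidc.role-claim-value-admin=Admin
pingcentral.sso.oidc.role-claim-value-app-owner=Developer
"""


def load_properties(text):
    """Parse Java-style key=value properties; lines starting with '#' are comments.

    A commented-out line contributes nothing, so leaving the page's defaults
    commented means the built-in defaults remain in effect.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def resolve_role(properties, id_token_claims, userinfo_claims=None):
    """Map the configured role claim to 'IAM_ADMIN' or 'APPLICATION_OWNER'.

    Returns None when the claim is absent or its value matches neither
    expected value; the caller treats None as "deny access, do not provision".
    Lookup order (ID token first, then UserInfo) is an assumption of this example.
    """
    props = dict(DEFAULT_PROPERTIES)
    props.update(properties)
    claim_name = props["pingcentral.sso.oidc.role-claim-name"]

    value = id_token_claims.get(claim_name)
    if value is None and userinfo_claims:
        value = userinfo_claims.get(claim_name)

    # Exact, case-sensitive comparison against the configured expected values
    # (assumed here); anything else, including a list or a typo, is rejected.
    if value == props["pingcentral.sso.oidc.role-claim-value-admin"]:
        return "IAM_ADMIN"
    if value == props["pingcentral.sso.oidc.role-claim-value-app-owner"]:
        return "APPLICATION_OWNER"
    return None


if __name__ == "__main__":
    defaults = load_properties(DEFAULT_PROPERTIES_TEXT)   # {} -> built-in defaults apply
    custom = load_properties(CUSTOM_PROPERTIES_TEXT)

    # Constructed claim sets standing in for a decoded ID token / UserInfo response.
    print(resolve_role(defaults, {"sub": "alice", "PingCentral-Role": "IAM-Admin"}))
    print(resolve_role(defaults, {"sub": "bob"}, {"PingCentral-Role": "Application-Owner"}))
    print(resolve_role(defaults, {"sub": "carol", "PingCentral-Role": "Superuser"}))
    print(resolve_role(custom, {"sub": "dave", "UserRole": "Developer"}))
    # Claim name configured on PingCentral no longer matches what the OP sends:
    print(resolve_role(custom, {"sub": "erin", "PingCentral-Role": "IAM-Admin"}))
```

The last call illustrates the operational point of the page: once the claim name is changed on one side, PingCentral and the OpenID Provider must agree on both the claim name and its values, otherwise every login is denied and no users are provisioned.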