PingCentral is an OpenID relying party for browser-based authentication, as well as an OAuth 2 resource server when directly accessing the admin API.
As long as an OpenID provider is able to provide the endpoints and claims required by PingCentral (most notably the user name and role), other OpenID Connect 1.0 providers can also be used.
- Configure the Access Token Manager (ATM) for PingCentral.
- Configure the OIDC policy for PingCentral.
- Configure the OAuth client for PingCentral.
This section doesn't provide all of the details of setting up access token managers, OIDC policies, or attribute contracts because these topics are complex and often specific to a customer environment.
Configuring the Access Token Manager for PingCentral
Configuring the OIDC policy for PingCentral
The ATM will be associated with an OIDC policy, which could be the default policy. This policy must map an attribute into the expected claim to signify the user's role, which is defined in the Attribute Contract, Attribute Sources & User Lookup, and Contract Fulfillment in PingFederate.
In addition to the sub claim, the important claim is the PingCentral-Role claim. Optionally, you can also include the given_name and family_name claims with the profile scope.
You can fulfill the sub claim from the access token, and you need to fulfill the PingCentral-Role claim using an OGNL expression based on group memberships in your directory. The following is an example of an OGNL expression used in Contract Fulfillment to map roles.
// Reads the memberOf attribute values from the access token.
#pcrole = #this.get("memberOf"),
// If memberOf is absent, send "False" in the claim value.
#pcrole == null ? "False" :
// If the values in memberOf contain the IAM administrators' group name, send "IAM-Admin" in the claim value.
#pcrole.toString().contains("pingcentral-iamadmins") ? "IAM-Admin" :
// If the values in memberOf contain the application owners' group name, send "Application-Owner" in the claim value; otherwise send "NoAccess".
#pcrole.toString().contains("pingcentral-appowners") ? "Application-Owner" : "NoAccess"
memberOf must be in your access token contract or retrieved through a lookup for the expression to work.
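The following is an added example, not part of the PingCentral documentation or PingFederate itself: it models the OGNL role-mapping expression above in Python so its behaviour can be checked against sample memberOf values before deploying it. It assumes that OGNL's toString() on the memberOf collection produces the Java List shape "[a, b]", and the stricter variant (comparing the CN of each group DN for equality instead of a substring search) is this example's own suggestion, not the page's.

```python
# Added example (not from the PingCentral documentation): models the OGNL
# Contract Fulfillment expression in Python so it can be checked on sample
# memberOf values. Assumes memberOf.toString() yields the Java List form "[a, b]".
from typing import Optional, Sequence

IAM_ADMIN_GROUP = "pingcentral-iamadmins"
APP_OWNER_GROUP = "pingcentral-appowners"


def role_from_member_of(member_of: Optional[Sequence[str]]) -> str:
    """Mirror the page's OGNL expression as written.

    OGNL calls toString() on the whole memberOf collection and then
    contains(...), i.e. a substring search over the joined list, so any
    DN that merely *contains* the group name also matches.
    """
    if member_of is None:
        return "False"
    joined = "[" + ", ".join(member_of) + "]"  # assumed Java List.toString() shape
    if IAM_ADMIN_GROUP in joined:
        return "IAM-Admin"
    if APP_OWNER_GROUP in joined:
        return "Application-Owner"
    return "NoAccess"


def _cn(dn: str) -> str:
    """Return the lower-cased CN value of an LDAP DN such as 'CN=x,OU=y,DC=z'."""
    first = dn.split(",", 1)[0]
    name, _, value = first.partition("=")
    return value.strip().lower() if name.strip().lower() == "cn" else ""


def role_from_member_of_strict(member_of: Optional[Sequence[str]]) -> str:
    """Stricter variant (this example's suggestion): compare each group's CN
    for equality, so a look-alike such as 'pingcentral-iamadmins-readonly'
    no longer maps to IAM-Admin."""
    if member_of is None:
        return "False"
    cns = {_cn(dn) for dn in member_of}
    if IAM_ADMIN_GROUP in cns:
        return "IAM-Admin"
    if APP_OWNER_GROUP in cns:
        return "Application-Owner"
    return "NoAccess"


# Constructed sample directory values for a quick self-check.
SAMPLE_ADMIN = ["CN=pingcentral-iamadmins,OU=Groups,DC=example,DC=com"]
SAMPLE_LOOKALIKE = ["CN=pingcentral-iamadmins-readonly,OU=Groups,DC=example,DC=com"]
```

Running both functions over SAMPLE_LOOKALIKE shows the difference: the page's substring logic grants IAM-Admin, while the CN-equality variant returns NoAccess.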
If the default role claim name and values need to be altered to match the OIDC policy, update the <PingCentral_install>/conf/application.properties file.
Configuring the OAuth client for PingCentral
Define a PingCentral-specific OAuth client. These steps explain how to configure PingFederate as the OpenID provider. See Configuring OAuth clients in the PingFederate Server guide for additional information.