Configuring SSO for PingCentral - PingCentral - 2.0

PingCentral for IAM Administrators

With PingCentral, single sign-on (SSO) is disabled by default.

To configure PingCentral for SSO:
  1. Enable SSO.
  2. Configure properties to access OIDC configuration information.
  3. Define an OAuth client at the OpenID provider.
  4. Configure role mapping.

After completing these steps, configure the resource server.

Enabling SSO for PingCentral

  1. Open the <PingCentral_install>/conf/application.properties file.
  2. Uncomment the following property and set the value to true.
    pingcentral.sso.oidc.enabled=true

Configuring OIDC for PingCentral

  • In the <PingCentral_install>/conf/application.properties file, locate the pingcentral.sso.oidc.issuer-uri property, uncomment it, and define the Issuer URI.

    In this example, PingCentral attempts to access configuration information at https://sso.mycompany.com:9031/.well-known/openid-configuration.

    pingcentral.sso.oidc.issuer-uri=https://sso.<mycompany>.com:9031

    If PingCentral can't access the OIDC configuration information, it fails to start. Make sure the OpenID provider is running and accessible before starting PingCentral.

    If changes are later made on the OpenID Provider that affect the OIDC configuration information used by PingCentral, you must restart PingCentral to incorporate them.

Defining the OAuth client for PingCentral

Define an OAuth client for PingCentral at the OpenID provider.

  • In the <PingCentral_install>/conf/application.properties file, locate the following property, uncomment it, and provide the client ID and client secret for the OAuth client.
    pingcentral.sso.oidc.client-id=<CLIENT_ID>
    pingcentral.sso.oidc.client-secret=<CLIENT_SECRET>
    Important:

    Secure the secret using the obfuscation script available in bin/obfuscate, and use the output ciphertext rather than the cleartext secret in the property.

Configuring PingCentral role mapping

In PingCentral, two user roles are defined: the IAM Administrator and the Application Owner. An initial IAM Administrator is created by default and can add other users to PingCentral and assign them to the appropriate role.

When SSO is enabled, the OpenID Provider must indicate the role with a claim in the ID token or at the UserInfo endpoint. If this claim isn't found, or its value doesn't match one of the configured role values, the user is denied access to PingCentral, and auto-provisioning doesn't occur.

With PingCentral, an attribute can be mapped into the appropriate claim. To configure role mapping:

  • In the <PingCentral_install>/conf/application.properties file, locate the following attributes and configure them for mapping into the appropriate claim.
    # The name of the claim which identifies the PingCentral role associated with the user.
    #pingcentral.sso.oidc.role-claim-name=PingCentral-Role
    # The expected value of the role claim which indicates the user is a PingCentral administrator.
    #pingcentral.sso.oidc.role-claim-value-admin=IAM-Admin
    # The expected value of the role claim which indicates the user is a PingCentral application owner (non-administrator).
    #pingcentral.sso.oidc.role-claim-value-app-owner=Application-Owner
    If these default values can be used with the OpenID Provider, no further configuration is required.

    If the defaults can't be used with the OpenID Provider, set the claim name or values to match the OpenID Provider configuration, as shown.
    pingcentral.sso.oidc.role-claim-name=UserRole
    pingcentral.sso.oidc.role-claim-value-admin=Admin
    pingcentral.sso.oidc.role-claim-value-app-owner=Developer
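The following is an added example, not PingCentral's own code: it shows how the role-claim properties above resolve an ID-token claim to a PingCentral role, failing closed (no role, no auto-provisioning) when the claim is missing or carries an unexpected value. The properties text and claim sets are constructed samples; the parser and resolver are illustrative, not PingCentral's implementation.

```python
from typing import Optional

# Defaults as documented in the commented-out properties above.
DEFAULTS = {
    "pingcentral.sso.oidc.role-claim-name": "PingCentral-Role",
    "pingcentral.sso.oidc.role-claim-value-admin": "IAM-Admin",
    "pingcentral.sso.oidc.role-claim-value-app-owner": "Application-Owner",
}


def load_properties(text: str) -> dict:
    """Parse key=value lines; '#'-prefixed lines stay commented and leave the default in place."""
    props = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolve_role(claims: dict, props: dict) -> Optional[str]:
    """Map the configured role claim to 'IAM Administrator', 'Application Owner', or None (deny).

    Comparison is exact and case-sensitive: an unknown or missing value grants no role.
    """
    claim_name = props["pingcentral.sso.oidc.role-claim-name"]
    value = claims.get(claim_name)
    if value == props["pingcentral.sso.oidc.role-claim-value-admin"]:
        return "IAM Administrator"
    if value == props["pingcentral.sso.oidc.role-claim-value-app-owner"]:
        return "Application Owner"
    return None  # claim absent or unrecognised: access denied, no auto-provisioning


# Constructed sample: overrides matching the last example on the page;
# the commented admin line shows a default that is NOT applied.
SAMPLE_PROPERTIES = """
#pingcentral.sso.oidc.role-claim-value-admin=IAM-Admin
pingcentral.sso.oidc.role-claim-name=UserRole
pingcentral.sso.oidc.role-claim-value-admin=Admin
pingcentral.sso.oidc.role-claim-value-app-owner=Developer
"""

if __name__ == "__main__":
    props = load_properties(SAMPLE_PROPERTIES)
    for claims in ({"sub": "alice", "UserRole": "Admin"},
                   {"sub": "bob", "UserRole": "Developer"},
                   {"sub": "eve", "PingCentral-Role": "IAM-Admin"}):
        print(claims["sub"], "->", resolve_role(claims, props))
```

A token that still carries the default claim name (PingCentral-Role) is denied once the name has been overridden to UserRole, which is the behaviour to expect when the OpenID Provider and PingCentral configurations drift apart.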