Configuring an Authentication Server for OpenID Connect single sign-on - PingDataGovernance

Configuring an Authentication Server for OpenID Connect single sign-on - PingDataGovernance - 8.2

PingDataGovernance

bundle

pingdatagovernance-82

ft:publication_title

PingDataGovernance

Product_Version_ce

PingDataGovernance 8.2

category

Product

pdg-82

pingdatagovernance

ContentType_ce

Page created: 22 Jul 2020 |

Page updated: 9 Feb 2021

| 2 min read

8.2 PingDataGovernance Product Configuration User task Product documentation Content Type Data Governance Capability

You can configure an Open ID Connect (OIDC) provider to accept sign-on requests in PingDataGovernance.

If you chose OIDC mode when setting up the PingDataGovernance Policy Administration GUI, you need to configure an OIDC provider, such as PingFederate or PingOne, to accept sign-on requests from the PingDataGovernance Policy Administration GUI.

For information about using	See
PingFederate	Configuring PingFederate as an OIDC provider for PingDataGovernance policy administration
PingOne	Configuring PingOne as an OIDC provider for PingDataGovernance policy administration

Use the following configuration to create an OAuth 2 client that represents the PingDataGovernance Policy Administration GUI.

OAuth 2 client configuration	Configuration value
Client ID	`pingdatagovernance-pap`
Redirect URI	https://<host>:<port>/idp-callback
Grant type	Implicit
Response type	`token id_token`
Scopes	`openid` `email` `profile`

Configure the access tokens and ID tokens issued for this client with the following claims:

sub
name
email

Configure the OIDC provider to accept a cross-origin resource sharing (CORS) origin that matches the PingDataGovernance Policy Administration GUI's scheme, public host, and port, such as https://<host>:<port>.
Configure the OIDC provider to issue tokens to the PingDataGovernance Policy Administration GUI only when the authenticated user is authorized to administer policies according to your organization's access rules.
Note: Sign the tokens with a signing algorithm of RSA using SHA256.

For PingFederate, this level of authorization is controlled by using issuance criteria. For more information, see the PingFederate documentation.
Note:
To run a PingDataGovernance Policy Administration GUI Docker container in OIDC mode, use the PING_OIDC_CONFIGURATION_ENDPOINT and PING_CLIENT_ID environment variables in your docker run command, as shown in the following example.
For proper communication between containers, create a Docker network using a command such as docker network create --driver <network_type> <network_name>, and then connect to that network with the --network=<network_name> option.
```
docker run --network=<network_name> -p 8443:443 -d \
--env-file ~/.pingidentity/devops \
--env PING_EXTERNAL_BASE_URL=localhost:8443 \
--env PING_CLIENT_ID=c2f081c0-6a2e-4249-b07d-d60234bb5b21 \
--env PING_OIDC_CONFIGURATION_ENDPOINT=https://auth.pingone.com/3e665735-23da-40a9-a2bb-7ccddc171aaa/as/.well-known/openid-configuration \
pingidentity/pingdatagovernancepap:<TAG>
```
The Docker image <TAG> used in the example is only a placeholder. For actual tag values, see Docker Hub (https://hub.docker.com/r/pingidentity/pingdatagovernancepap).