The delegated administrator logs on to Delegated Admin through the PingFederate Server, which is configured as the authentication server and OpenID Connect (OIDC) provider. PingFederate validates the user's credentials against PingDirectory Server, encapsulates information claims about the user's identity, and issues an access token to Delegated Admin, which presents the token to PingDirectory Server in the HTTP Authorization request header.

Interaction with PingDirectory Server

PingDirectory Server is configured to accept access tokens by using Access Token Validators. The values that PingFederate Server sets for the access token sub claim must be mappable to a distinguished name (DN) in PingDirectory Server. Setting up an access token validator for use with Delegated Admin requires some coordination with the server configuration. In the suggested default configuration, the access token contains the entryUUID of the administrator user entry in the sub claim. This value is mapped back to a PingDirectory Server entry by using an Exact Match Identity Mapper.

Authorization by PingDirectory Server

After validation, PingDirectory Server checks the Delegated Admin configuration for authorization of the delegated administrator. Users or groups of users are authorized as delegated administrators in the PingDirectory Server Administrator Console, or with the dsconfig tool.

Configure authentication

Before installing and configuring Delegated Admin, configure the following OAuth clients within PingFederate:

  • Delegated Admin, which obtains an OIDC token that describes the authenticated user
  • PingDirectory Server itself, which calls PingFederate to validate the OIDC token that Delegated Admin passes to it

Specifically, the Delegated Admin OAuth client must be configured as follows:

  • The client ID is dadmin and requires no client secret key.
  • The redirect URL is https://webserverHost:httpPort/delegator/*, where webserverHost:httpPort represents the public host and port of the web application.
    Note: If you specify 443 as the httpPort number, some web browsers might strip the value from the URL. In this scenario, we recommend using both of the following redirect URLs:
    • https://webserverHost/delegator/*
    • https://webserverHost:443/delegator/*
  • The grant type is Implicit.
  • The OIDC policy uses JWT tokens, where the entryUUID of the user is passed through the sub claim of the OIDC token.

Configure the PingDirectory Server OAuth client as follows:

  • The client ID is pingdirectory and requires a secret key.
  • The grant type is Access Token Validation.
  • To display the logged-in administrator in Delegated Admin and the administrator who generated a report (in the downloaded report):
    1. Add the profile scope and ensure it is available to the OAuth client used for the Delegated Admin application.
    2. Add and fulfill the name attribute as part of the contract for both the access token and the id token that are supplied to the Delegated Admin application.
    3. Set the PROFILE_SCOPE_ENABLED configuration variable for Delegated Admin in the config.js file to true. For example:
       * Configuration wrapper object for Delegated Admin
      window.PD_DADMIN_CONFIG = {
         * Set to true if the "profile" scope is supported for the Delegated Admin OIDC client on
         * PingFederate and you wish to use it to show the current user's name in the navigation.
         * DEFAULT: false

For more information about configuring PingFederate Server, see Configure PingFederate Server.