To configure Delegated Admin as a new client:

  1. Sign on to the PingFederate administrative console.
  2. Go to APPLICATIONS > OAuth > Clients.
  3. Click Add Client.
  4. For both the CLIENT ID and NAME, specify dadmin.
    Note: Do not set a CLIENT SECRET.
  6. For REDIRECT URIS, specify the URI appropriate for your environment based on the following table and click Add.
    For Delegated Admin on a PingDirectory server or a PingDirectoryProxy server https://<server-host>:1443/delegator/*
    For Delegated Admin on a web server hosted locally http://localhost:5000/*
  7. Make the following selections.
    • In the BYPASS AUTHORIZATION APPROVAL section, select Bypass.
    • In the EXCLUSIVE SCOPES section, select Allow Exclusive Scopes and then select urn:pingidentity:directory-delegated-admin.
    • In the ALLOWED GRANT TYPES section, select Implicit.
    • For the DEFAULT ACCESS TOKEN MANAGER, select the one that was created previously for Delegated Admin.
    • In the OPENID CONNECT section, select the OIDC policy that was previously created.
  8. Click Save.
After completing the previous steps, display the logged-in administrator in Delegated Admin and the administrator who generated a report (in the downloaded report).
  1. Add the profile scope and ensure it is available to the OAuth client used for the Delegated Admin application.
  2. Add and fulfill the name attribute as part of the contract for both the access token and the ID token that are supplied to the Delegated Admin application.
  3. Set the PROFILE_SCOPE_ENABLED configuration variable for Delegated Admin in the config.js file to true.

    For example:
     * Configuration wrapper object for Delegated Admin
    window.PD_DADMIN_CONFIG = {
       * Set to true if the "profile" scope is supported for the Delegated Admin OIDC client on
       * PingFederate and you wish to use it to show the current user's name in the navigation.
       * DEFAULT: false