The delegated administrator signs on to Delegated Admin through the PingFederate server, which is configured as the authentication server and OpenID Connect (OIDC) provider.
PingFederate validates the user's credentials against the PingDirectory server, encapsulates information claims about the user's identity, and issues an access token to Delegated Admin, which presents the token to the PingDirectory server in the HTTP Authorization request header.
Interaction with the PingDirectory server
The PingDirectory server is configured to accept access tokens by using access token validators. The values that the PingFederate server sets for the access token sub claim must be mappable to a distinguished name (DN) in the PingDirectory server. Setting up an access token validator for use with Delegated Admin requires some coordination with the server configuration. In the suggested default configuration, the access token contains the entryUUID of the administrator user entry in the sub claim. This value is mapped back to a PingDirectory server entry by using an Exact Match Identity Mapper.
Authorization by the PingDirectory server
After validation, the PingDirectory server checks the Delegated Admin configuration for authorization of the delegated administrator. Users or groups of users are authorized as delegated administrators in the PingDirectory server administrative console, or with the dsconfig tool.
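To make the chain described in the two sections above concrete (access token validator, sub claim mapped to a DN by an Exact Match Identity Mapper, then the Delegated Admin authorization check), here is an added Python model; it is not PingDirectory code, and the directory entries, the HMAC-signed token format and all helper names are assumptions for illustration. It also shows the failure modes a practitioner should expect: a sub value that matches zero or more than one entry yields no identity and is rejected, and a valid identity that is not configured as a delegated administrator is refused.

```python
"""Added model of the PingDirectory-side chain: Bearer header -> access token
validator -> exact-match identity mapper (sub == entryUUID) -> delegated admin
authorization. Directory data, token format and names are assumptions."""
import base64, hashlib, hmac, json

SECRET = b"demo-validator-secret"  # constructed stand-in for validator trust
# Constructed directory: DN -> attributes.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"entryUUID": "1111-aaaa"},
    "uid=bob,ou=people,dc=example,dc=com": {"entryUUID": "2222-bbbb"},
}
# Constructed Delegated Admin configuration: DNs authorized as administrators.
DELEGATED_ADMINS = {"uid=alice,ou=people,dc=example,dc=com"}

def _b64url(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64url(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims):
    """Stand-in for the OIDC provider: HMAC-signed compact token (assumption)."""
    body = _b64url(json.dumps(claims).encode())
    return body + "." + _b64url(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def validate_token(token):
    """Access token validator: verify the signature, return claims or None."""
    try:
        body, sig = token.split(".")
        given, claims = _unb64url(sig), json.loads(_unb64url(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return claims if hmac.compare_digest(expected, given) else None

def exact_match_mapper(sub, attr="entryUUID"):
    """Exact Match Identity Mapper: sub must select exactly one entry."""
    hits = [dn for dn, a in DIRECTORY.items() if a.get(attr) == sub]
    return hits[0] if len(hits) == 1 else None

def authorize_request(headers):
    """(status, dn): 401 without a mappable identity, 403 if not an admin."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None
    claims = validate_token(auth[len("Bearer "):])
    if not isinstance(claims, dict) or "sub" not in claims:
        return 401, None
    dn = exact_match_mapper(claims["sub"])
    if dn is None:
        return 401, None
    return (200, dn) if dn in DELEGATED_ADMINS else (403, dn)
```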
One of the prerequisites to installing Delegated Admin is to configure the following OAuth clients within PingFederate:
- Delegated Admin, which obtains an OIDC token that describes the authenticated user. For more information, see Configuring Delegated Admin as a new client (create OAuth client for Delegated Admin).
- The PingDirectory server itself, which calls PingFederate to validate the OIDC token that Delegated Admin passes to it. For more information, see Configuring the PingDirectory server as the token validator (create OAuth client for PingDirectory).