Enabling certificate-based authentication - PingFederate

Page created: 12 Sep 2019 |

Page updated: 19 Mar 2020

| 2 min read

PingFederate 10.0 Product Software Deployment Method Product documentation Content Type Administrator Audience Configuration User task

To enable client-certificate authentication, PingFederate administrative users must have imported into their web browsers an X.509 key and certificate suitable for user authentication. In addition, the corresponding root CA certificate(s) must be contained in the Java runtime or the PingFederate trusted store.

Other setup steps, including designating user permissions, must be completed by using configuration files located in the <pf_install>/pingfederate/bin directory.

Note that the roles configured in the properties file apply to both the administrative console and the administrative API.

If not already done, import the necessary client key and certificate into the web browser used to access PingFederate.
Log on normally (using username and password) to the PingFederate console as a user with permissions that include the Crypto Admin role.
Ensure the client-certificate's root CA and any intermediate CA certificates are contained in the trusted store (either for the Java runtime or PingFederate, or both).

You can import a certificate to PingFederate in the Security > Trusted CAs screen.
Tip:
You may wish to click the Serial number and copy the Issuer DN to use in a couple steps later.
In the <pf_install>/pingfederate/bin/run.properties file, change the value of the pf.console.authentication property as shown below:
pf.console.authentication=cert
In the <pf_install>/pingfederate/bin/cert_auth.properties file, enter the Issuer DN for the client certificate as a value for the property: rootca.issuer.x
where x is a sequential number starting at 1.
If you copied the Issuer DN a couple steps earlier, paste this value.
See the comments in the file for instructions and additional information.
Note that the roles configured in the properties file apply to both the administrative console and the administrative API.
Repeat the previous step for any additional CAs as needed.
Enter the certificate user's Subject DN for the applicable PingFederate permission roles, as described in the properties file.

Important:
The configuration values are case-sensitive.
Repeat the previous step for all users as needed.

Note:
Other settings in the properties file are used to display the user's ID (the Subject DN) in abbreviated form in the administrative console.
Start or restart PingFederate.

Enabling certificate-based authentication - PingFederate - 10.0

PingFederate Server