Configuring OIDC SSO to PingFederate from an external IdP - PingFederate - 11.2

PingFederate Server

You can configure OpenID Connect (OIDC) single sign-on (SSO) for signing on to the PingFederate administrative console. OIDC is an authentication protocol built on top of OAuth that authenticates users and lets clients (relying parties) request and receive information about authenticated sessions and users; it is extensible, with optional features such as encryption of identity data, discovery of OpenID Providers (OAuth authorization servers), and session management. SSO is the process of authenticating an identity at one website (usually with a user ID and password) and then accessing resources secured by other domains without re-authenticating.

Make sure you have the following in place:

  • A valid signing certificate. See Manage digital signing certificates and decryption keys.
  • The openid and profile scopes. See Defining scopes.
  • A policy contract with at least the following attributes: sub, admin_role, iss, and memberOf. See Managing policy contracts.
  • An identity provider (IdP) connection in your PingFederate instance with the following attributes: SAML_SUBJECT and memberOf, fulfilled by the policy contract authentication source. An IdP is a service that manages identity information and provides authentication services to relying clients or service providers (SPs) within a federated or distributed network. See Managing IdP connections.
  • A service provider (SP) connection in your external IdP with the following attributes: SAML_SUBJECT and memberOf, fulfilled by whichever authentication source is appropriate and using whatever authentication flows you require (for example, username/password and multi-factor authentication (MFA), where the user is granted access only after presenting two or more verification factors). In SAML, an SP is the entity that receives and accepts an authentication assertion issued by an IdP, typically to allow access to a protected resource. See Accessing SP connections.

Configuring OIDC SSO for the PingFederate administrative console lets an external IdP authenticate administrative users. It is also the way to enforce MFA for console sign-on, because administrative users are taken through an authentication policy flow that can invoke an MFA adapter; the other console authentication types don't use authentication policies.
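Before switching the console over, it is worth confirming that the ID token the external IdP issues actually carries every attribute the policy contract above requires (sub, admin_role, iss, memberOf), and that the usual OIDC checks (signature, issuer, audience, expiry) pass. The following is an added example written for this page, not PingFederate code or a PingFederate API. To run offline it signs a constructed token with HS256 and a constructed shared secret; a real IdP signs with an asymmetric key published in its JWKS, so in practice the signature step would verify RS256 against that key. The issuer, client ID, and secret values are assumptions, as is the shape of the memberOf claim.

```python
"""Pre-flight check of the ID-token claims the PingFederate admin console's
policy contract needs. Added example, not PingFederate code.

Assumptions (not from the page): HS256 with a constructed shared secret
stands in for the IdP's real asymmetric signature so the example runs
offline; ISSUER and CLIENT_ID are made-up values.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Attributes the page requires in the policy contract.
REQUIRED_CLAIMS = ("sub", "admin_role", "iss", "memberOf")

# Constructed values for this example only.
ISSUER = "https://idp.example.com"
CLIENT_ID = "pf-admin-console"
SECRET = b"constructed-shared-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # Re-add the padding JWT base64url strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_id_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build an HS256 JWT. Plays the role of the external IdP in tests."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        f"{_b64url(json.dumps(header).encode())}."
        f"{_b64url(json.dumps(claims).encode())}"
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_admin_id_token(
    token: str, now: Optional[int] = None, secret: bytes = SECRET
) -> List[str]:
    """Return a list of findings; an empty list means the token is usable.

    Order matters: signature problems are fatal and stop the check, so a
    forged token never has its claims inspected. Claim problems are all
    collected so one run shows everything the IdP mapping still lacks.
    """
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        return ["malformed token: expected three dot-separated segments"]

    header = json.loads(_b64url_decode(h))
    # Pin the algorithm; never let the token choose it (alg=none attacks).
    if header.get("alg") != "HS256":
        return [f"unexpected alg {header.get('alg')!r}; refusing token"]
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return ["signature verification failed"]

    claims = json.loads(_b64url_decode(p))
    findings = []
    if claims.get("iss") != ISSUER:
        findings.append(f"iss {claims.get('iss')!r} != {ISSUER!r}")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud_list:
        findings.append("aud does not include the admin console client_id")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        findings.append("exp missing or token expired")
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            findings.append(f"required claim {name!r} missing or empty")
    return findings
```

Run it against a token captured from the external IdP's test flow (or, as here, one minted locally) before pointing the console at the IdP: an empty list means the SP connection on the IdP side and the policy contract on the PingFederate side agree on the attributes; anything listed is a mapping gap to fix first.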