Page created: 24 Jul 2019
Page updated: 28 Feb 2022
You can configure certificate authentication between your application and PingFederate.
- Check that the client certificate issuer is a trusted root certificate authority (CA) in PingFederate. If not, add the intermediate and root CA certificates. For help, see Managing trusted certificate authorities in the PingFederate documentation.
- In PingFederate, export your signing certificate.
  - On the PingFederate admin console, go to Security > Signing & Decryption Keys & Certificates.
  - For the certificate that you want to use, in the Action column, click Export.
  - On the Export Certificate screen, click Next.
  - On the Export & Summary screen, click Export.
  - Open the ***********.crt file in a text editor.
- Import your PingFederate signing certificate into your application.
  Tip: You can use OpenSSL to convert the PKCS12 certificate and key to PEM format. Use one of the following commands.
  PEM certificate only:
  openssl pkcs12 -in <certname>.p12 -passin pass:<password> -nokeys -out <certname>.cert.pem
  PEM key only:
  openssl pkcs12 -in <certname>.p12 -passin pass:<password> -nocerts -out <certname>.key.pem
  PEM certificate and key:
  openssl pkcs12 -in <certname>.p12 -passin pass:<password> -out <certname>.certandkey.pem
- If you have already configured a Reference ID Adapter instance, update it by setting the Allowed Subject DN field, the Allowed Issuer DN field, or both to match the client certificate.
- Configure a second port for PingFederate to receive back-channel calls.
  - Stop PingFederate.
  - Open the <pf_install>/pingfederate/bin/run.properties file for editing.
  - Change the value of the pf.secondary.https.port property to a valid port number, such as 9032. For information about this property, see Configuring PingFederate properties in the PingFederate documentation.
  - Save the file.
  - Start PingFederate.
- Configure your application to send requests to the Reference ID Adapter endpoints using the back-channel port.
  POST https://pf.example.com:9032/ext/ref/dropoff HTTP/1.1
  Content-Length: 20
  Content-Type: application/json
  ping.instanceId: sample_adapter

  {"subject":"jsmith"}
- Configure your application to send the client certificate with the request.
  Tip: For help exporting your PingFederate certificate, see Manage SSL server certificates in the PingFederate documentation.
  The following code uses PHP to send the client certificate:
  // Drop-off URL and adapter instance ID, as shown in the request above
  $dropoff_loc = 'https://pf.example.com:9032/ext/ref/dropoff';
  $adapter_instance_id = 'sample_adapter';
  // Client certificate and key in PEM format (see the OpenSSL tip above)
  $client_cert = dirname(__FILE__).'/sample_cert.cert.pem';
  $client_key = dirname(__FILE__).'/sample_cert.key.pem';
  $client_key_password = 'sample_key_password';
  $http_headers = [];
  $http_headers[] = 'ping.instanceId: '.$adapter_instance_id;
  // PHP can use curl to make the HTTP calls to the adapter endpoints
  $crl = curl_init();
  // Dropoff URL
  curl_setopt($crl, CURLOPT_URL, $dropoff_loc);
  // Present the client certificate and its private key during the TLS handshake
  curl_setopt($crl, CURLOPT_SSLCERT, $client_cert);
  curl_setopt($crl, CURLOPT_SSLKEYTYPE, 'PEM');
  curl_setopt($crl, CURLOPT_SSLKEY, $client_key);
  curl_setopt($crl, CURLOPT_SSLKEYPASSWD, $client_key_password);
  …
  $result = curl_exec($crl);
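The same back-channel drop-off call, as an added Python example that is not part of PingFederate's documentation: it builds the request shown above (Content-Length computed from the body, ping.instanceId header) and presents the PEM client certificate and key from the OpenSSL conversion over a TLS context that also verifies the PingFederate listener. The host, port and instance ID are the values from the walkthrough; the PEM file paths and the CA file used to verify the server are assumptions.

```python
import http.client
import json
import ssl

# Values taken from the request shown above; the file paths used later are assumptions.
PF_HOST = "pf.example.com"
PF_BACKCHANNEL_PORT = 9032          # value set for pf.secondary.https.port
ADAPTER_INSTANCE_ID = "sample_adapter"


def build_dropoff_request(instance_id, subject):
    """Return (path, headers, body) for a drop-off call; Content-Length is computed from the body."""
    body = json.dumps({"subject": subject}, separators=(",", ":")).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Content-Length": str(len(body)),
        "ping.instanceId": instance_id,   # selects the Reference ID Adapter instance
    }
    return "/ext/ref/dropoff", headers, body


def mutual_tls_context(server_ca_pem, client_cert_pem, client_key_pem, key_password):
    """TLS context for the back channel: verify the PingFederate listener against a trusted
    CA file (assumed path) and present the application's client certificate, i.e. the
    PEM certificate and key produced by the OpenSSL conversion in the tip above."""
    ctx = ssl.create_default_context(cafile=server_ca_pem)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True          # keep server verification on for the back channel
    ctx.load_cert_chain(certfile=client_cert_pem, keyfile=client_key_pem, password=key_password)
    return ctx


def drop_off(subject, ctx, host=PF_HOST, port=PF_BACKCHANNEL_PORT, instance_id=ADAPTER_INSTANCE_ID):
    """POST the subject to the drop-off endpoint over mutual TLS and return the JSON reply."""
    path, headers, body = build_dropoff_request(instance_id, subject)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("POST", path, body=body, headers=headers)
        resp = conn.getresponse()
        data = resp.read()
        if resp.status != 200:
            raise RuntimeError(f"drop-off rejected: HTTP {resp.status} {data[:200]!r}")
        return json.loads(data)
    finally:
        conn.close()


if __name__ == "__main__":
    # Assumed file names: CA for the PingFederate listener, then the converted client cert and key
    tls = mutual_tls_context("pf_server_ca.pem", "sample_cert.cert.pem",
                             "sample_cert.key.pem", "sample_key_password")
    print(drop_off("jsmith", tls))
```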