Configure an OAuth client in PingFederate for PingIntelligence Dashboard single sign-on (SSO).
Create and configure an OAuth client in PingFederate with the following
Option Description
Client ID
Create an OAuth client in PingFederate with Client ID as PingIntelligence. You can use any other value for Client ID in place of PingIntelligence.
The current release of PingIntelligence Dashboard supports NONE and CLIENT SECRET authentication methods.
Client TLS Certificate authentication and Private Key JWT based authentication are not supported by the Dashboard.
When CLIENT SECRET is selected as the client authentication method, you can generate a random client secret or use a custom secret, which is used by PingIntelligence Dashboard for client authentication.
Require Signed Request
Do not enable.
Important: PingIntelligence Dashboard does not support signed requests.
Set the redirection URI in the PingFederate OAuth client configuration. The path in the URI is as follows:
Do not change the path in the URI; substitute only the hostname. For example,
The following Claims must be configured in PingFederate and are mandatory for successful authentication of a logged-in user in PingIntelligence Dashboard.
- A Claim for Subject Identifier, which should provide the unique identifier for the logged in user.
- A Claim for providing First Name.
- A Claim for providing Last Name.
- A Claim for providing the Role information.
PingIntelligence Dashboard fetches the claims for an authenticated User from the PingFederate UserInfo endpoint.
In PingIntelligence 4.4, the supported values for the Role Claim are ADMIN and REGULAR. They are case-sensitive. If a blank or any other value is configured, SSO will fail. Roles assigned to Users within an enterprise should be mapped to ADMIN or REGULAR.
PingIntelligence 4.4.1 and later versions support both single and multiple values for the Role Claim. If you are configuring the Role Claim with a single value, the allowed values are ADMIN and REGULAR, and they are case-sensitive. If multiple values are sent, then one of the values must end with either of the following, and the values are not case-sensitive:
The Scopes required to be configured in PingFederate for the PingIntelligence Dashboard application are:
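The following pre-flight check is an added example, not part of the PingIntelligence product or documentation. It applies the mandatory-claim and 4.4 single-value Role rules described above to a UserInfo response that has already been fetched and parsed. The claim names (`sub`, `given_name`, `family_name`, `role`) are assumptions; pass the names your PingFederate policy actually issues.

```python
# Added example: validate a parsed PingFederate UserInfo response against the
# Dashboard's mandatory claims and the 4.4 Role rule (single value, exactly
# ADMIN or REGULAR, case-sensitive). Claim names below are assumptions.
ALLOWED_ROLES = {"ADMIN", "REGULAR"}


def check_userinfo(userinfo, subject_claim="sub", first_name_claim="given_name",
                   last_name_claim="family_name", role_claim="role"):
    """Return a list of problems that would cause Dashboard SSO to fail."""
    problems = []
    for label, name in (("Subject Identifier", subject_claim),
                        ("First Name", first_name_claim),
                        ("Last Name", last_name_claim)):
        value = userinfo.get(name)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{label} claim '{name}' is missing or blank")

    role = userinfo.get(role_claim)
    if role is None or role == "" or role == []:
        problems.append(f"Role claim '{role_claim}' is missing or blank")
    elif isinstance(role, list):
        problems.append(f"Role claim '{role_claim}' is multi-valued; "
                        "4.4 accepts only a single ADMIN or REGULAR value")
    elif not isinstance(role, str):
        problems.append(f"Role claim '{role_claim}' is not a string")
    elif role not in ALLOWED_ROLES:
        hint = ""
        if role.strip().upper() in ALLOWED_ROLES:
            hint = " (differs only in case or whitespace)"
        problems.append(f"Role value {role!r} is not ADMIN or REGULAR{hint}")
    return problems


# Constructed sample responses, not captured from a real deployment.
SAMPLES = {
    "good": {"sub": "u-1001", "given_name": "Ana", "family_name": "Ruiz",
             "role": "ADMIN"},
    "lowercase role": {"sub": "u-1002", "given_name": "Ben",
                       "family_name": "Ito", "role": "admin"},
    "directory group list": {"sub": "u-1003", "given_name": "Cy",
                             "family_name": "Lee", "role": ["ops", "dev"]},
    "no last name": {"sub": "u-1004", "given_name": "Di", "role": "REGULAR"},
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, "->", check_userinfo(sample) or "OK")
```
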
- Mandatory Scopes-
- Additional Scopes
The Claims configured for PingIntelligence Dashboard can be mapped to the Mandatory Scope profile or to one or more Additional Scopes.
Allowed Grant Types
Enable Authorization Code. PingIntelligence Dashboard supports only Authorization Code as the grant type.
Restrict Response Types
If enabled, select
Proof Key For Code Exchange (PKCE)
Do not enable.
Important: PingIntelligence Dashboard does not support PKCE.
ID Token Signing Algorithm
The supported ID Token Signing Algorithms are:
- RSA using SHA-256
ID Token Key Management Encryption Algorithm
Select No Encryption because encryption is not supported by PingIntelligence Dashboard.