SSO is disabled in PingCentral by default. To configure PingCentral for SSO, enable it, set the OIDC properties PingCentral uses to retrieve the provider's OIDC configuration, define an OAuth client for PingCentral at the OpenID provider, and configure PingCentral role mapping. All of these settings live in the application.properties file.
Enabling SSO
To enable SSO, open the application.properties file, which resides in the conf folder in the PingCentral installation directory.
Uncomment the following property and set the value to true:
pingcentral.sso.oidc.enabled=true
Configuring OIDC
To configure OIDC, locate the following property, uncomment it, and define the Issuer URI:
pingcentral.sso.oidc.issuer-uri=https://sso.mycompany.com:9031
In this example, PingCentral will attempt to access OIDC configuration information at:
https://sso.mycompany.com:9031/.well-known/openid-configuration
PingCentral reads this document only at startup and will fail to start if it cannot retrieve it, so ensure the OpenID provider is running and reachable from the PingCentral host before starting PingCentral. If changes are later made on the OpenID provider that affect the OIDC configuration used for SSO (for example, new endpoints or signing keys), restart PingCentral so that it picks them up.
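Because a missing or inconsistent discovery document stops PingCentral from starting, it is worth checking the provider before restarting. The following is an added example, not PingCentral's own code: it fetches the discovery document from the same URL PingCentral uses and validates it the way a practitioner would expect. The discovery document shown is constructed sample data shaped like a PingFederate response, the required-endpoint list and the assumption that a confidential client uses the authorization code flow are mine, and the exact-match rule for the issuer value comes from the OIDC Discovery specification.

```python
"""Pre-flight check for the OIDC discovery document PingCentral fetches at startup.

Added example (not PingCentral code). Validates <issuer-uri>/.well-known/openid-configuration
before PingCentral is started, so that a provider problem is found here rather than as a
failed PingCentral start.
"""
import json
import sys
from urllib.request import urlopen

# Endpoints a login cannot complete without (assumption based on a standard OIDC client).
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer_uri: str) -> str:
    """Build the discovery URL exactly as the page describes it."""
    return issuer_uri.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(issuer_uri: str, doc: dict):
    """Return (problems, warnings). Empty problems means the document is usable."""
    problems, warnings = [], []
    for key in REQUIRED_KEYS:
        if not doc.get(key):
            problems.append("missing " + key)
    # OIDC Discovery requires the 'issuer' value to be identical to the issuer URL used to
    # fetch the document. Even a trailing slash is a mismatch, and a different host means
    # tokens would be accepted from an issuer other than the one configured.
    if doc.get("issuer") and doc["issuer"] != issuer_uri:
        problems.append("issuer mismatch: configured %r, document says %r" % (issuer_uri, doc["issuer"]))
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint"):
        value = doc.get(key)
        if value and not value.startswith("https://"):
            problems.append(key + " is not https")
    # A client with a client secret is a confidential client; assume the authorization code flow.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise response_type=code")
    # Not fatal: the role claim can also be delivered in the ID token.
    if not doc.get("userinfo_endpoint"):
        warnings.append("no userinfo_endpoint: the role claim must come from the ID token")
    return problems, warnings


def check_provider(issuer_uri: str, timeout: float = 5.0):
    """Fetch the live document and validate it; run this before starting PingCentral."""
    with urlopen(discovery_url(issuer_uri), timeout=timeout) as resp:
        return validate_discovery(issuer_uri, json.load(resp))


# Constructed sample document (not captured from a real provider), using the issuer from the page.
SAMPLE_ISSUER = "https://sso.mycompany.com:9031"
SAMPLE_DOC = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/as/authorization.oauth2",
    "token_endpoint": SAMPLE_ISSUER + "/as/token.oauth2",
    "userinfo_endpoint": SAMPLE_ISSUER + "/idp/userinfo.openid",
    "jwks_uri": SAMPLE_ISSUER + "/pf/JWKS",
    "response_types_supported": ["code", "token", "id_token"],
    "scopes_supported": ["openid", "profile", "email"],
}

if __name__ == "__main__":
    # Usage: python check_oidc.py https://sso.mycompany.com:9031
    issuer = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_ISSUER
    found_problems, found_warnings = (
        check_provider(issuer) if len(sys.argv) > 1 else validate_discovery(issuer, SAMPLE_DOC)
    )
    for line in found_problems:
        print("PROBLEM:", line)
    for line in found_warnings:
        print("WARNING:", line)
    sys.exit(1 if found_problems else 0)
```

Pass the value of pingcentral.sso.oidc.issuer-uri as the argument, unchanged: if the script reports an issuer mismatch, fix the property (or the provider's issuer setting) rather than working around it, since the value PingCentral uses for token validation must be the one the provider actually issues.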
Defining the OAuth client
An OAuth client must be defined for PingCentral at the OpenID provider. Locate the following property, uncomment it, and provide the client ID and client secret for the OAuth client:
pingcentral.sso.oidc.client-id=<CLIENT_ID>
pingcentral.sso.oidc.client-secret=<CLIENT_SECRET>
Do not store the cleartext secret in the file. Run the obfuscation script in bin/obfuscate and place its ciphertext output in the pingcentral.sso.oidc.client-secret property instead. Obfuscation is reversible by anyone who can run the same script, so also restrict read access to application.properties to the account PingCentral runs as.
Configuring PingCentral role mapping
In PingCentral version 1.0, two user roles are defined: the IAM Administrator, and the Application Owner. An initial IAM Administrator is created by default. That user can add other users to PingCentral and assign them to the appropriate role.
When SSO is enabled, the OpenID Provider must indicate the user's PingCentral role through a claim delivered in the ID token or from the UserInfo endpoint. If that claim is absent, or its value matches neither of the configured role values, the user is denied access to PingCentral and is not auto-provisioned.
With PingFederate, an attribute can be mapped into the appropriate claim. The claim name and values are configurable, as shown in this example:
# The name of the claim which identifies the PingCentral role associated with the user.
#pingcentral.sso.oidc.role-claim-name=PingCentral-Role
# The expected value of the role claim which indicates the user is a PingCentral administrator.
#pingcentral.sso.oidc.role-claim-value-admin=IAM-Admin
# The expected value of the role claim which indicates the user is a PingCentral application owner (non-administrator).
#pingcentral.sso.oidc.role-claim-value-app-owner=Application-Owner
If the OpenID Provider can issue the claim with these default names and values, no further configuration is required. Otherwise, uncomment the properties and set the claim name and/or values to match what the OpenID Provider issues, as in this example:
pingcentral.sso.oidc.role-claim-name=UserRole
pingcentral.sso.oidc.role-claim-value-admin=Admin
pingcentral.sso.oidc.role-claim-value-app-owner=Developer
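To make the deny-by-default behaviour concrete, here is an added example that is not PingCentral code. It models the role-claim evaluation described above: the claim name and values are read from application.properties (commented-out lines are inactive, which is why the defaults apply until you uncomment and change them), the claim is looked up in the ID token and then in the UserInfo claims, and anything other than an exact match to one of the two configured values is denied. The properties parser is simplified to the key=value form used on this page, the role names IAM_ADMIN and APPLICATION_OWNER are my own labels, the exact, case-sensitive string comparison is an assumption, and the token claims are constructed sample data.

```python
"""Role-claim evaluation modelled on the PingCentral SSO role mapping (added example, not PingCentral code)."""
from dataclasses import dataclass
from typing import Optional

IAM_ADMIN = "IAM_ADMIN"                  # label chosen for this example
APPLICATION_OWNER = "APPLICATION_OWNER"  # label chosen for this example


def load_properties(text: str) -> dict:
    """Parse key=value lines; '#' and '!' lines are comments and therefore inactive.

    Simplified: Java properties also accept ':' as a separator and line continuations,
    which this example does not handle (assumption: the page's settings use key=value).
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("!"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


@dataclass(frozen=True)
class RoleMapping:
    # Defaults as shown (commented out) on the page.
    claim_name: str = "PingCentral-Role"
    admin_value: str = "IAM-Admin"
    app_owner_value: str = "Application-Owner"

    @classmethod
    def from_properties(cls, props: dict) -> "RoleMapping":
        """Apply any uncommented overrides from application.properties."""
        return cls(
            claim_name=props.get("pingcentral.sso.oidc.role-claim-name", cls.claim_name),
            admin_value=props.get("pingcentral.sso.oidc.role-claim-value-admin", cls.admin_value),
            app_owner_value=props.get("pingcentral.sso.oidc.role-claim-value-app-owner", cls.app_owner_value),
        )


def resolve_role(mapping: RoleMapping, id_token_claims: dict, userinfo_claims: Optional[dict] = None) -> Optional[str]:
    """Return IAM_ADMIN, APPLICATION_OWNER, or None meaning deny access and do not provision."""
    value = id_token_claims.get(mapping.claim_name)
    if value is None and userinfo_claims:
        value = userinfo_claims.get(mapping.claim_name)
    # Exact, case-sensitive match only (assumption). A missing claim, a multi-valued claim,
    # or any value outside the two configured ones is unrecognised, so the user is denied.
    if value == mapping.admin_value:
        return IAM_ADMIN
    if value == mapping.app_owner_value:
        return APPLICATION_OWNER
    return None


# The defaults exactly as they appear on the page: commented out, so they stay at their default values.
DEFAULT_PROPERTIES = """\
#pingcentral.sso.oidc.role-claim-name=PingCentral-Role
#pingcentral.sso.oidc.role-claim-value-admin=IAM-Admin
#pingcentral.sso.oidc.role-claim-value-app-owner=Application-Owner
"""

# The customised mapping from the page, uncommented and therefore active.
CUSTOM_PROPERTIES = """\
pingcentral.sso.oidc.role-claim-name=UserRole
pingcentral.sso.oidc.role-claim-value-admin=Admin
pingcentral.sso.oidc.role-claim-value-app-owner=Developer
"""

if __name__ == "__main__":
    default_mapping = RoleMapping.from_properties(load_properties(DEFAULT_PROPERTIES))
    custom_mapping = RoleMapping.from_properties(load_properties(CUSTOM_PROPERTIES))
    # Constructed sample claims, not captured tokens.
    print(resolve_role(default_mapping, {"sub": "alice", "PingCentral-Role": "IAM-Admin"}))
    print(resolve_role(default_mapping, {"sub": "bob"}, {"PingCentral-Role": "Application-Owner"}))
    print(resolve_role(default_mapping, {"sub": "eve", "PingCentral-Role": "SuperUser"}))
    print(resolve_role(custom_mapping, {"sub": "dana", "UserRole": "Developer"}))
```

The last case to note is a provider that still issues PingCentral-Role after the mapping has been changed to UserRole: the claim PingCentral is looking for is absent, so every user is denied, which is the expected outcome when the two sides are out of sync rather than a bug in either.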