Configuring PingAuthorize Policy Editor to use PingFederate - PingAuthorize - 9.1


Configure the PingAuthorize Policy Editor to use PingFederate for authorization.

Configure PingFederate to handle OpenID Connect requests as described in Configuring PingFederate for PingAuthorize.

Reconfigure a manually installed PingAuthorize Policy Editor to use PingFederate for authorization.

  1. Add the certificate to the Java Trust Store.

    If the certificate chain that PingFederate presents uses an intermediate certificate authority that the default Java trust store does not trust, you must add the intermediate certificate to that store. Use the following command (root permissions are usually required). $JAVA_HOME must be defined as the installation location of the JVM on which the Policy Editor will run.

    keytool -import \
    -file /path/to/IntermediateCA.cer \
    -keystore $JAVA_HOME/jre/lib/security/cacerts \
    -storepass changeit
  2. Reconfigure PingAuthorize to point unauthenticated users to PingFederate.
    1. Stop the application.
      $ bin/stop-server 
      The server was successfully stopped.
    2. Re-run bin/setup to reconfigure the application.
    3. Select OpenID Connect to configure the Policy Editor.
      [/opt/PingAuthorize-PAP]$ bin/setup 
       
      There is an existing configuration file at /config/configuration.yml. Overwrite? (yes /
      no) [no]: yes
      Detected valid license file in server root PingAuthorize.lic
       
      PingAuthorize Policy Editor
      ============================================
       
      How would you like to configure the Policy Editor?
       
          1)  Quickstart (DEMO PURPOSES ONLY): This option configures the server with a form based authentication and
              generates a self-signed server certificate
          2)  OpenID Connect: This option configures the server to use an OpenID Connect provider such as PingFederate
          3)  Cancel the setup
       
      Enter option [1]: 2
       
      On which port should the Policy Editor listen for HTTPS communications? [9443]: 
       
      Enter the fully qualified host name or IP address that users' browsers will use to connect to this GUI [pap.example.com]: pap.example.com
    4. Ensure that the PingFederate discovery endpoint uses the public DNS name of the PingFederate server. In this example, the Policy Editor uses a self-signed SSL certificate.
      Enter the port of the OpenID Connect provider [9031]: 
       
      Enter the fully qualified host name or IP address of the OpenID Connect provider [pap.example.com]: pf.example.com
       
      Certificate server options:
       
          1)  Generate self-signed certificate (recommended for testing purposes only)
          2)  Use an existing certificate located on a Java Keystore (JKS)
          3)  Use an existing certificate located on a PKCS12 keystore
       
      Enter option [1]: 
       
      There already exists a keystore at /config/keystore.p12. Do you want to delete it? (yes / no) [no]: yes
    5. Follow the remaining prompts.
         Setup Summary
      =======================================
      Host Name:        pap.example.com
      Server Port:      9443
      Secure Access:    Self-signed certificate
      Admin Port:       9444
      Periodic Backups: Enabled
      Backup Schedule:  0 0 0 * * ?
       
      Command-line arguments that would set up this server non-interactively:
          setup oidc --pkcs12KeyStorePath config/keystore.p12 --licenseKeyFile PingAuthorize.lic \
               --oidcHostname pf.example.com --oidcPort 9031 --certNickname server-cert --backupSchedule '0 0 0 * * ?' \
               --hostname pap.example.com --port 9443 --generateSelfSignedCertificate --adminPort 9444
       
      What would you like to do?
       
          1)  Set up the server with the parameters above
          2)  Provide the setup parameters again
          3)  Cancel the setup
       
      Enter option [1]: 
       
      Setup completed successfully
       
      Please configure the following values
      =============================================================================================
      PingAuthorize Server - Policy External Server  
        Base URL:                                         https://pap.example.com:9443
        Shared Secret:                                    2222142a754f4838ad1e3dccb6e93940
        Trust Manager Provider:                           Blind Trust
                                                          
      PingFederate - OAuth Client Config                  
        Client ID:                                        pingauthorizepolicyeditor
        CORS Allowed Origin:                              https://pap.example.com:9443
        Redirect URL:                                     https://pap.example.com:9443/idp-callback
       
      Please start the server by running bin/start-server
    6. Restart the application by running bin/start-server.
  3. Verify that you can log into the Policy Editor using OpenID Connect provided by PingFederate.
    1. Go to the Policy Editor, for example, https://pap.example.com:9443. Your browser should be redirected into the OAuth flow.
    2. Click the Click to Sign In button.
    3. Sign on with your user name and password.

      The sample configuration in this document creates an identity with the user name user.20 and password password.

    4. Once you are authenticated, PingFederate prompts you to approve the scopes associated with the OAuth client. Select all of them to continue.

      A screen capture of the Request for Approval window with all scope check boxes selected.
    You are now authenticated and authorized to view the Policy Editor.
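The following script is an added example, not part of the PingAuthorize documentation, that wraps step 1 (trusting the intermediate CA) and the step 3 verification in repeatable checks. It locates the JVM trust store for both the JDK 8 layout the page shows ($JAVA_HOME/jre/lib/security/cacerts) and the JDK 9+ layout ($JAVA_HOME/lib/security/cacerts), imports the intermediate certificate only if its alias is not already present, and confirms that the OpenID Connect discovery document is reachable at the host name and port given to setup. The file name paz-oidc-check.sh, the alias pf-intermediate-ca and the environment variable names (CA_FILE, CA_ALIAS, STOREPASS, OIDC_HOST, OIDC_PORT, CA_BUNDLE) are assumptions; the defaults pf.example.com, 9031 and changeit come from the page.

```shell
#!/bin/sh
# Added example (not from the PingAuthorize documentation). Helper checks for the
# trust-store and OpenID Connect steps of the procedure above. Alias, variable
# names and file name are assumptions; sample hosts/ports are the page's values.

# Locate the JVM trust store. The page's path ($JAVA_HOME/jre/lib/security/cacerts)
# is the JDK 8 layout; JDK 9 and later dropped the jre/ directory.
find_cacerts() {
    jh="$1"
    for candidate in "$jh/jre/lib/security/cacerts" "$jh/lib/security/cacerts"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    echo "no cacerts found under $jh" >&2
    return 1
}

# Return 0 if the trust store already holds an entry under this alias.
has_alias() {
    ks="$1"; pass="$2"; alias="$3"
    keytool -list -keystore "$ks" -storepass "$pass" -alias "$alias" >/dev/null 2>&1
}

# Idempotent import: skip when the alias exists, otherwise import under an explicit
# alias (keytool defaults to "mykey", so a second unnamed import would fail).
import_intermediate() {
    ks="$1"; pass="$2"; alias="$3"; cert="$4"
    if has_alias "$ks" "$pass" "$alias"; then
        echo "alias $alias already present in $ks"
        return 0
    fi
    keytool -importcert -trustcacerts -noprompt \
        -alias "$alias" -file "$cert" \
        -keystore "$ks" -storepass "$pass"
}

# Verification: the OpenID Connect discovery document must be reachable at the
# public DNS name given to setup (--oidcHostname/--oidcPort) over a chain that
# validates. Optional third argument: a PEM CA bundle for curl to trust.
check_discovery() {
    host="$1"; port="$2"; cafile="${3:-}"
    url="https://$host:$port/.well-known/openid-configuration"
    if [ -n "$cafile" ]; then
        curl -fsS --cacert "$cafile" "$url" | grep -q '"issuer"'
    else
        curl -fsS "$url" | grep -q '"issuer"'
    fi
}

# Driver: runs only when invoked as `sh paz-oidc-check.sh --check`, so that
# sourcing the file merely defines the functions.
if [ "${1:-}" = "--check" ]; then
    ks=$(find_cacerts "${JAVA_HOME:?set JAVA_HOME to the Policy Editor JVM}") || exit 1
    import_intermediate "$ks" "${STOREPASS:-changeit}" \
        "${CA_ALIAS:-pf-intermediate-ca}" "${CA_FILE:?set CA_FILE to the intermediate CA .cer}"
    if check_discovery "${OIDC_HOST:-pf.example.com}" "${OIDC_PORT:-9031}" "${CA_BUNDLE:-}"; then
        echo "discovery endpoint OK"
    else
        echo "discovery endpoint check failed; verify the PingFederate host name and certificate chain" >&2
        exit 1
    fi
fi
```

Run it as root (or a user that can write the trust store) with `JAVA_HOME=/path/to/jvm CA_FILE=/path/to/IntermediateCA.cer sh paz-oidc-check.sh --check` before re-running bin/setup. A discovery failure at this point means the browser redirect in step 3 would also fail, so it is cheaper to catch here than after setup has overwritten config/configuration.yml.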