Use Cases

Connecting PingFederate to PingAccess using the OIDC protocol

Configure authentication between PingFederate and PingAccess using the OpenID Connect (OIDC) protocol.

Components

  • PingFederate 10.3

  • PingAccess 6.3

Before you begin

  • Verify that the components are installed and running.

  • Have an application that you want to protect by using PingAccess.

Connecting OAuth 2.0 and OpenID Connect with PingAccess

Steps

  1. Sign on to your PingFederate administrative console.

  2. Enable OAuth 2.0 and OpenID Connect as described in Enabling the OAuth AS role.

    Go to Server Configuration → Server Settings → Roles & Protocols and select Enable OAuth 2.0 Authorization Server (AS) Role and OpenID Connect.

  3. Set up your IdP adapters for PingAccess.

    Detailed steps differ by deployment. For more information, see Managing IdP adapters.

  4. Configure scope values and scope descriptions for OAuth Authorization Server settings as described in Defining Scopes using the following values.

    Scope Value   Scope Description
    address       address
    email         email
    openid        openid
    phone         phone
    profile       profile

    In the Default Scopes field, enter a default scope description for your environment.

  5. Configure access token management for OAuth Authorization Server settings as described in Configuring authorization server settings using the following values.

    Parameter                        Value
    Instance Name                    GeneralAccessToken
    Instance ID                      GeneralAccessToken
    Type                             Internally Managed Reference Tokens
    Instance Configuration           Accept the defaults.
    Session Validation
    Access Token Attribute Contract  UserName
    Resource URIs                    Accept the defaults.
    Access Control                   Accept the defaults.

  6. Configure your OpenID Connect policy as described in Configuring OpenID Connect policies using the following values.

    Parameter                                Value
    Policy ID                                OIDC
    Name                                     OIDC
    Access Token Manager                     GeneralAccessToken
    Attribute Contract                       Accept the defaults.
    Attribute Sources & Lookup               Accept the defaults.
    Contract Fulfillment Attribute Contract  sub
    Contract Fulfillment Source              Access Token
    Issuance Criteria                        Accept the defaults.

  7. Configure a PingAccess Resource Server OAuth client as described in Configuring OAuth Clients using the following values.

    Parameter             Value
    Client ID             pa_rs
    Name                  PingAccess Resource Server
    Client Secret         Generate a unique client secret.
    Allowed Grant Types   Access Token Validation (Client is a Resource Server)
    All other parameters  Accept the defaults.

    Although you can manually enter a client secret, allowing PingFederate to generate the secret provides better security.

  8. Configure a PingAccess Web Management OAuth client as described in Configuring OAuth Clients using the following values.

    Parameter                      Value
    Client ID                      pa_wam
    Name                           PingAccess Web Management
    Client Authentication          The client secret that you generated for the PingAccess Resource Server should fill in automatically.
    Redirection URI                https://<PA_HOST>:<PA_USER_PORT>/pa/oidc/cb
    Bypass Authorization Approval  Bypass
    Allowed Grant Types            Authorization Code
    All other parameters           Accept the defaults.

  9. Verify all client settings and click Save on the Client Management tab.

  10. Configure your IdP adapters to work with OAuth as described in Managing IdP adapter grant mapping using the following values.

    Parameter                        Value
    Source Adapter Instance          Select the HTML Form adapter or adapters that you want to use for PingAccess.
    Attribute Sources & User Lookup  For each adapter, accept the defaults.
    Contract Fulfillment             For each adapter, select the adapter as your source and set your unique identifiers for USER_KEY and USER_NAME.
    Issuance Criteria                Accept the defaults.

  11. Map your access tokens for OAuth as described in Managing access token mappings using the following values.

    Parameter                        Value
    Attribute Sources & User Lookup  Accept the defaults.
    Contract Fulfillment             For the username, select Persistent Grant as your source and set the value as USER_KEY.
    Issuance Criteria                Accept the defaults.

  12. Verify your settings on the Summary tab, then click Save.

  13. Export the SSL certificate to use for connecting securely with PingAccess as described in Manage SSL server certificates.

Configuring PingAccess to protect a web application

Steps

  1. Add your PingFederate server certificate under Trusted Certificate Groups as described in Importing certificates and create a trusted certificate group.

  2. Configure PingFederate runtime settings as described in Configuring the token provider using the following values.

    Parameter                  Value
    Host                       Enter your PingFederate host name.
    Port                       Enter your PingFederate port number.
    Secure                     Yes
    Trusted Certificate Group  Select the group to which you added your PingFederate certificate.
    All other parameters       Accept the defaults.

  3. Configure PingFederate administration settings as described in Configuring the token provider using the following values.

    Parameter                  Value
    Host                       Enter your PingFederate host name.
    Port                       Enter your PingFederate port number.
    Admin Username             Enter the login name for your PingFederate administrator.
    Admin Password             Enter the password for your PingFederate administrator.
    Secure                     Yes
    Trusted Certificate Group  Select the group to which you added your PingFederate certificate.
    All other parameters       Accept the defaults.

  4. Configure PingFederate OAuth server settings as described in Configuring the token provider using the following values.

    Parameter               Value
    Client ID               pa_rs
    Client Secret           Enter your client secret.
    Subject Attribute Name  UserName
    All other parameters    Accept the defaults.

  5. Go to Main → Sites → Sites to add a site for PingFederate to protect.

    Detailed steps differ by deployment. For more information, see Adding sites.

  6. Add an identity mapping for your site as described in Creating JWT identity mappings using the following values.

    Parameter             Value
    Name                  Enter a name for the identity mapping.
    Type                  Select Header Identity Mapping, and create a sub attribute with a header name of X-USER.
    All other parameters  Accept the defaults.

  7. Add a web session for your site as described in Creating web sessions using the following values.

    Parameter                  Value
    Name                       Enter a name for your web session.
    Cookie Type                Encrypted JWT
    Audience                   global
    OpenID Connect Login Type  Code
    Client ID                  pa_wam
    Client Secret              Enter your organization’s client secret.
    All other parameters       Accept the defaults.

  8. Add an application to protect within the site as described in Adding applications.

  9. Enable your application.

Performing final steps

Steps

  1. Test your application in a web browser.

    Access your application behind PingAccess (for example, https://localhost:3000/<APP_NAME>).

    Result:

    You’re redirected to PingFederate to authenticate and can access the application.

  2. Add header printing to your application to verify that your application has access to the data that PingAccess is sending.

    Detailed steps differ by application and programming language. The following code samples illustrate header printing for the specified programming languages.

    Sample header code is listed for the following languages: Java, C#, PHP, and Drupal.

  3. Remove any local login to your application because your application is now behind PingAccess.

    Detailed steps differ by application and programming language.

  4. Configure your application to use headers for login.

    Detailed steps differ by application and programming language.
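As an added example (not from this page or from Ping Identity), a minimal Python WSGI application that carries out final steps 2 through 4 in code: it prints the headers PingAccess forwards, has no local login, and takes the signed-on user only from the X-USER header configured in the Header Identity Mapping step. It assumes the application is reachable only through PingAccess (as the deployment on this page implies), that PingAccess proxies to a constructed local port 3000, and uses an assumed diagnostic path /whoami.

```python
# Added example, not the page's or Ping Identity's code: a WSGI app deployed
# behind PingAccess with a Header Identity Mapping that sets X-USER.
#   - /whoami prints the headers PingAccess forwards (step 2, header printing)
#   - there is no local login form or password check (step 3)
#   - the signed-on user is taken from X-USER only (step 4)
# Assumption: the app is reachable only through PingAccess, so X-USER is set
# by the PingAccess identity mapping and never by a client talking to the app
# directly; a request without the header therefore has no identity at all.
from wsgiref.simple_server import make_server

IDENTITY_HEADER = "X-USER"   # header name chosen in the identity mapping step


def header_to_environ_key(name: str) -> str:
    """WSGI exposes request header 'X-USER' as environ['HTTP_X_USER']."""
    return "HTTP_" + name.upper().replace("-", "_")


def current_user(environ: dict):
    """Return the user PingAccess identified, or None if the header is absent."""
    value = environ.get(header_to_environ_key(IDENTITY_HEADER), "").strip()
    return value or None


def forwarded_headers(environ: dict) -> dict:
    """Collect the request headers so the app can show what PingAccess sends."""
    return {k[5:].replace("_", "-").title(): v
            for k, v in environ.items() if k.startswith("HTTP_")}


def app(environ: dict, start_response):
    """Header-based login: no local login, identity comes from X-USER."""
    user = current_user(environ)
    if user is None:
        # Without the PingAccess-supplied header there is no session to honour.
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"no identity header; request did not come through PingAccess\n"]
    if environ.get("PATH_INFO") == "/whoami":
        # Step 2: print every forwarded header so the mapping can be verified.
        lines = [f"{k}: {v}" for k, v in sorted(forwarded_headers(environ).items())]
        body = f"User {user}\n" + "\n".join(lines) + "\n"
    else:
        body = f"Hello {user}\n"
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [body.encode("utf-8")]


if __name__ == "__main__":
    # Listen on localhost only; PingAccess proxies to this port (constructed value).
    make_server("127.0.0.1", 3000, app).serve_forever()
```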