---
title: Connecting PingFederate to PingAccess using the OIDC protocol
description: Configure authentication between PingFederate and PingAccess using the OpenID Connect (OIDC) protocol.
component: solution-guides
page_id: solution-guides:data_and_application_security_use_cases:htg_connect_pf_pa_oidc
canonical_url: https://docs.pingidentity.com/solution-guides/data_and_application_security_use_cases/htg_connect_pf_pa_oidc.html
revdate: July 18, 2022
section_ids:
  components: Components
  before-you-begin: Before you begin
  connecting-oauth-2-0-and-openid-connect-with-pingaccess: Connecting OAuth 2.0 and OpenID Connect with PingAccess
  steps: Steps
  configuring-pingaccess-to-protect-a-web-application: Configuring PingAccess to protect a web application
  steps-2: Steps
  performing-final-steps: Performing final steps
  steps-3: Steps
  result: Result:
---

# Connecting PingFederate to PingAccess using the OIDC protocol

Configure authentication between PingFederate and PingAccess using the OpenID Connect (OIDC) protocol.

## Components

* PingFederate 10.3

* PingAccess 6.3

## Before you begin

* Verify that the components are installed and running.

* Have an application that you want to protect by using PingAccess.

## Connecting OAuth 2.0 and OpenID Connect with PingAccess

### Steps

1. Sign on to your PingFederate administrative console.

2. Enable OAuth 2.0 and OpenID Connect as described in [Configuring authorization server settings](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-103.pdf#page=488).

   Go to **Server Configuration → Server Settings → Roles & Protocols** and select **Enable OAuth 2.0 Authorization Server (AS) Role** and **OpenID Connect**.

3. Set up your IdP adapters for PingAccess.

   Detailed steps differ by deployment. For more information, see [Managing IdP adapters](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-103.pdf#page=396).

4. Configure scope values and scope descriptions for OAuth Authorization Server settings as described in [Defining Scopes](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-103.pdf#page=506) using the following values.

   | Scope Value | Scope Description |
   | ----------- | ----------------- |
   | **address** | address           |
   | **email**   | email             |
   | **openid**  | openid            |
   | **phone**   | phone             |
   | **profile** | profile           |

   In the **Default Scopes** field, enter a default scope description for your environment.

5. Configure access token management for OAuth Authorization Server settings as described in [Configuring authorization server settings](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-103.pdf#page=488) using the following values.

   | Parameter                           | Value                                   |
   | ----------------------------------- | --------------------------------------- |
   | **Instance Name**                   | GeneralAccessToken                      |
   | **Instance ID**                     | **GeneralAccessToken**                  |
   | **Type**                            | **Internally Managed Reference Tokens** |
   | **Instance Configuration**          | Accept the defaults.                    |
   | **Session Validation**              |                                         |
   | **Access Token Attribute Contract** | **UserName**                            |
   | **Resource URIs**                   | Accept the defaults.                    |
   | **Access Control**                  | Accept the defaults.                    |

6. Configure your OpenID Connect policy as described in [Configuring OpenID Connect policies](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-103.pdf#page=587) using the following values.

   | Parameter                                   | Value                  |
   | ------------------------------------------- | ---------------------- |
   | **Policy ID**                               | **OIDC**               |
   | **Name**                                    | **OIDC**               |
   | **Access Token Manager**                    | **GeneralAccessToken** |
   | **Attribute Contract**                      | Accept the defaults.   |
   | **Attribute Sources & Lookup**              | Accept the defaults.   |
   | **Contract Fulfillment Attribute Contract** | **sub**                |
   | **Contract Fulfillment Source**             | **Access Token**       |
   | **Issuance Criteria**                       | Accept the defaults.   |

7. Configure a PingAccess Resource Server OAuth client as described in [Configuring OAuth Clients](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-103.pdf#page=529) using the following values.

   | Parameter               | Value                                                                                                                                                             |
   | ----------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | **Client ID**           | **pa\_rs**                                                                                                                                                        |
   | **Name**                | **PingAccess Resource Server**                                                                                                                                    |
   | **Client Secret**       | Generate a unique client secret. Although you can manually enter a client secret, allowing PingFederate to generate the secret provides better security.          |
   | **Allowed Grant Types** | **Access Token Validation (Client is a Resource Server)**                                                                                                         |
   | All other parameters    | Accept the defaults.                                                                                                                                              |

8. Configure a PingAccess Web Management OAuth client as described in [Configuring OAuth Clients](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-103.pdf#page=529) using the following values.

   | Parameter                         | Value                                                                                                 |
   | --------------------------------- | ----------------------------------------------------------------------------------------------------- |
   | **Client ID**                     | **pa\_wam**                                                                                           |
   | **Name**                          | **PingAccess Web Management**                                                                         |
   | **Client Authentication**         | The client secret that you generated for the PingAccess Resource Server should fill in automatically. |
   | **Redirection URI**               | `https://<PA_HOST>:<PA_USER_PORT>/pa/oidc/cb`                                                         |
   | **Bypass Authorization Approval** | **Bypass**                                                                                            |
   | **Allowed Grant Types**           | **Authorization Code**                                                                                |
   | All other parameters              | Accept the defaults.                                                                                  |

9. Verify all client settings and click **Save** on the **Client Management** tab.

10. Configure your IdP adapters to work with OAuth as described in [Managing IdP adapter grant mapping](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-103.pdf#page=543) using the following values.

    | Parameter                           | Value                                                                                                                     |
    | ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------- |
    | **Source Adapter Instance**         | Select the HTML Form adapter or adapters that you want to use for PingAccess.                                             |
    | **Attribute Sources & User Lookup** | For each adapter, accept the defaults.                                                                                    |
    | **Contract Fulfillment**            | For each adapter, select the adapter as your source and set your unique identifiers for **USER\_KEY** and **USER\_NAME**. |
    | **Issuance Criteria**               | Accept the defaults.                                                                                                      |

11. Map your access tokens for OAuth as described in [Managing access token mappings](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-103.pdf#page=564) using the following values.

    | Parameter                           | Value                                                                                            |
    | ----------------------------------- | ------------------------------------------------------------------------------------------------ |
    | **Attribute Sources & User Lookup** | Accept the defaults.                                                                             |
    | **Contract Fulfillment**            | For the username, select **Persistent Grant** as your source and set the value as **USER\_KEY**. |
    | **Issuance Criteria**               | Accept the defaults.                                                                             |

12. Verify your settings on the **Summary** tab, then click **Save**.

13. Export the SSL certificate to use for connecting securely with PingAccess as described in [Manage SSL server certificates](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-103.pdf#page=617).

## Configuring PingAccess to protect a web application

### Steps

1. Add your PingFederate server certificate under **Trusted Certificate Groups** as described in [Importing certificates and creating a trusted certificate group](https://cdn-docs.pingidentity.com/archive/pdf/pingaccess/pingaccess-63.pdf#page=519).

2. Configure PingFederate runtime settings as described in [Configuring the token provider](https://cdn-docs.pingidentity.com/archive/pdf/pingaccess/pingaccess-63.pdf#page=520) using the following values.

   | Parameter                     | Value                                                              |
   | ----------------------------- | ------------------------------------------------------------------ |
   | **Host**                      | Enter your PingFederate host name.                                 |
   | **Port**                      | Enter your PingFederate port number.                               |
   | **Secure**                    | **Yes**                                                            |
   | **Trusted Certificate Group** | Select the group to which you added your PingFederate certificate. |
   | All other parameters          | Accept the defaults.                                               |

3. Configure PingFederate administration settings as described in [Configuring the token provider](https://cdn-docs.pingidentity.com/archive/pdf/pingaccess/pingaccess-63.pdf#page=520) using the following values.

   | Parameter                     | Value                                                              |
   | ----------------------------- | ------------------------------------------------------------------ |
   | **Host**                      | Enter your PingFederate host name.                                 |
   | **Port**                      | Enter your PingFederate port number.                               |
   | **Admin Username**            | Enter the login name for your PingFederate administrator.          |
   | **Admin Password**            | Enter the password for your PingFederate administrator.            |
   | **Secure**                    | **Yes**                                                            |
   | **Trusted Certificate Group** | Select the group to which you added your PingFederate certificate. |
   | All other parameters          | Accept the defaults.                                               |

4. Configure PingFederate OAuth server settings as described in [Configuring the token provider](https://cdn-docs.pingidentity.com/archive/pdf/pingaccess/pingaccess-63.pdf#page=520) using the following values.

   | Parameter                  | Value                     |
   | -------------------------- | ------------------------- |
   | **Client ID**              | **pa\_rs**                |
   | **Client Secret**          | Enter your client secret. |
   | **Subject Attribute Name** | **UserName**              |
   | All other parameters       | Accept the defaults.      |

5. Go to **Main → Sites → Sites** to add a site for PingFederate to protect.

   Detailed steps differ by deployment. For more information, see [Adding sites](https://cdn-docs.pingidentity.com/archive/pdf/pingaccess/pingaccess-63.pdf#page=256).

6. Add an identity mapping for your site as described in [Creating JWT identity mappings](https://cdn-docs.pingidentity.com/archive/pdf/pingaccess/pingaccess-63.pdf#page=304) using the following values.

   | Parameter            | Value                                                                                            |
   | -------------------- | ------------------------------------------------------------------------------------------------ |
   | **Name**             | Enter a name for the identity mapping.                                                           |
   | **Type**             | Select **Header Identity Mapping**, and create a sub attribute with a header name of **X-USER**. |
   | All other parameters | Accept the defaults.                                                                             |

7. Add a web session for your site as described in [Creating web sessions](https://cdn-docs.pingidentity.com/archive/pdf/pingaccess/pingaccess-63.pdf#page=308) using the following values.

   | Parameter                     | Value                                    |
   | ----------------------------- | ---------------------------------------- |
   | **Name**                      | Enter a name for your web session.       |
   | **Cookie Type**               | **Encrypted JWT**                        |
   | **Audience**                  | **global**                               |
   | **OpenID Connect Login Type** | **Code**                                 |
   | **Client ID**                 | **pa\_wam**                              |
   | **Client Secret**             | Enter your organization's client secret. |
   | All other parameters          | Accept the defaults.                     |

8. Add an application to protect within the site as described in [Adding application resources](https://cdn-docs.pingidentity.com/archive/pdf/pingaccess/pingaccess-63.pdf#page=245).

9. Enable your application.

## Performing final steps

### Steps

1. Test your application in a web browser.

   Access your application behind PingAccess (for example, `https://localhost:3000/<APP_NAME>`).

   #### Result:

   You're redirected to PingFederate to authenticate and can access the application.

2. Add header printing to your application to verify that your application has access to the data that PingAccess is sending.

   Detailed steps differ by application and programming language. The following resources provide more information for specific programming languages.

   | Language | Sample Header Code                                                                                |
   | -------- | ------------------------------------------------------------------------------------------------- |
   | Java     | `https://docs.oracle.com/en/java/javase/21/docs/api/java.net.http/java/net/http/HttpHeaders.html` |
   | C#       | `https://learn.microsoft.com/dotnet/api/system.net.httpwebresponse.getresponseheader`             |
   | PHP      | `http://php.net/manual/en/function.headers-list.php`                                              |
   | Drupal   | `https://api.drupal.org/api/drupal/includes%21bootstrap.inc/function/drupal_get_http_header/7.x`  |

3. Remove any local login to your application because your application is now behind PingAccess.

   Detailed steps differ by application and programming language.

4. Configure your application to use headers for login.

   Detailed steps differ by application and programming language.
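The following is an added example, not code from the Ping Identity guide: a minimal Python WSGI application that prints the headers PingAccess forwards (step 2) and uses the **X-USER** header from the Header Identity Mapping for login (step 4). It assumes, which the guide does not state, that PingAccess is the only caller allowed to reach the application and that its address is listed in `TRUSTED_PROXIES`; the app listens on a port other than 3000, which the guide uses for PingAccess itself.

```python
"""Added example (not from the Ping Identity guide): an app behind PingAccess
that echoes forwarded headers and logs the user in from the X-USER header.

Assumption (not in the guide): only PingAccess can reach this app, and its
address is in TRUSTED_PROXIES. A client that reached the app directly could
set X-USER itself, so the header is trusted only from those addresses."""
from wsgiref.simple_server import make_server

# Constructed value: the address PingAccess forwards requests from.
TRUSTED_PROXIES = {"127.0.0.1"}
IDENTITY_HEADER = "X-USER"  # header name configured in the identity mapping


def request_headers(environ):
    """Collect the HTTP request headers from a WSGI environ as {name: value}."""
    headers = {}
    for key, value in environ.items():
        if key.startswith("HTTP_"):
            headers[key[5:].replace("_", "-")] = value
    return headers


def resolve_user(environ):
    """Return the identity from X-USER, or None if the request did not come
    through a trusted PingAccess address or the header is missing/empty."""
    if environ.get("REMOTE_ADDR") not in TRUSTED_PROXIES:
        return None
    wsgi_key = "HTTP_" + IDENTITY_HEADER.replace("-", "_")
    user = environ.get(wsgi_key, "").strip()
    return user or None


def app(environ, start_response):
    """Reject requests without a trusted identity; otherwise show the login
    identity and every forwarded header, for verifying the PingAccess setup."""
    user = resolve_user(environ)
    if user is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"no trusted identity header\n"]
    lines = ["logged in as: %s" % user, "", "forwarded headers:"]
    lines += ["%s: %s" % item for item in sorted(request_headers(environ).items())]
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return ["\n".join(lines).encode("utf-8")]


if __name__ == "__main__":
    # Bind to loopback so that PingAccess on the same host is the only caller.
    make_server("127.0.0.1", 8080, app).serve_forever()
```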
