Connecting OAuth 2.0 and OpenID Connect with PingAccess
Steps
- Sign on to your PingFederate administrative console.
- Enable OAuth 2.0 and OpenID Connect as described in Enabling the OAuth AS role.
  Go to Server Configuration → Server Settings → Roles & Protocols and select Enable OAuth 2.0 Authorization Server (AS) Role and OpenID Connect.
- Set up your IdP adapters for PingAccess.
  Detailed steps differ by deployment. For more information, see Managing IdP adapters.
- Configure scope values and scope descriptions for OAuth Authorization Server settings as described in Defining Scopes, using the following values.

  Scope Value   Scope Description
  address       address
  email         email
  openid        openid
  phone         phone
  profile       profile

  In the Default Scopes field, enter a default scope description for your environment.
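The five scope values in the table above are the standard OpenID Connect scopes. The following added example (not PingFederate or PingAccess code) shows what they mean to the authorization server: a request is checked against the configured scope set, and only the claims the granted scopes permit are released. The scope-to-claims mapping is taken from OpenID Connect Core 1.0 section 5.4; the sample user record and the rejection rules are constructed for illustration.

```python
# Added example, not part of the PingFederate documentation or product code.
# Scope-to-claims mapping follows OpenID Connect Core 1.0, section 5.4.
from typing import Dict, List, Set

# Scope values exactly as configured in the Defining Scopes step above.
CONFIGURED_SCOPES: Set[str] = {"address", "email", "openid", "phone", "profile"}

# Standard claims each scope releases (OIDC Core 1.0, section 5.4).
# "openid" releases no UserInfo claims by itself; it marks the request as OIDC.
SCOPE_CLAIMS: Dict[str, Set[str]] = {
    "openid": set(),
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}


def parse_scope(scope_param: str) -> List[str]:
    """Split an OAuth scope parameter (space-delimited, RFC 6749 section 3.3)."""
    return [s for s in scope_param.split(" ") if s]


def check_requested_scopes(scope_param: str) -> List[str]:
    """Reject any scope value that is not configured; require openid for OIDC.
    Constructed policy: an unknown scope fails the whole request rather than
    being silently dropped, so misconfigured clients are visible in logs."""
    requested = parse_scope(scope_param)
    unknown = [s for s in requested if s not in CONFIGURED_SCOPES]
    if unknown:
        raise ValueError(f"unknown scope(s) requested: {unknown}")
    if "openid" not in requested:
        raise ValueError("openid scope is required for an OpenID Connect request")
    return requested


def release_claims(granted: List[str], user: Dict[str, object]) -> Dict[str, object]:
    """Return only the user attributes the granted scopes permit releasing.
    'sub' is always returned (OIDC Core 1.0 section 5.3.2); any attribute not
    covered by a granted scope, such as internal identifiers, is withheld."""
    allowed: Set[str] = {"sub"}
    for s in granted:
        allowed |= SCOPE_CLAIMS.get(s, set())
    return {k: v for k, v in user.items() if k in allowed}


# Constructed sample user record (not real data).
SAMPLE_USER: Dict[str, object] = {
    "sub": "jdoe",
    "name": "Jane Doe",
    "email": "jdoe@example.com",
    "email_verified": True,
    "phone_number": "+1-555-0100",
    "address": {"country": "US"},
    "employee_id": "E-1234",  # not a standard claim: never released by these scopes
}

if __name__ == "__main__":
    granted = check_requested_scopes("openid email profile")
    print(release_claims(granted, SAMPLE_USER))
```

Running the block with the scope string `openid email profile` releases the name and e-mail claims but withholds the phone number, the address and the non-standard `employee_id`, which is the behaviour an OIDC provider should show once the scopes above are the only ones defined.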
- Configure access token management for OAuth Authorization Server settings as described in Configuring authorization server settings, using the following values.

  Parameter                        Value
  Instance Name                    GeneralAccessToken
  Instance ID                      GeneralAccessToken
  Type                             Internally Managed Reference Tokens
  Instance Configuration           Accept the defaults.
  Session Validation
  Access Token Attribute Contract  UserName
  Resource URIs                    Accept the defaults.
  Access Control                   Accept the defaults.
- Configure your OpenID Connect policy as described in Configuring OpenID Connect policies, using the following values.

  Parameter                               Value
  Policy ID                               OIDC
  Name                                    OIDC
  Access Token Manager                    GeneralAccessToken
  Attribute Contract                      Accept the defaults.
  Attribute Sources & Lookup              Accept the defaults.
  Contract Fulfillment Attribute Contract sub
  Contract Fulfillment Source             Access Token
  Issuance Criteria                       Accept the defaults.
- Configure a PingAccess Resource Server OAuth client as described in Configuring OAuth Clients, using the following values.

  Parameter             Value
  Client ID             pa_rs
  Name                  PingAccess Resource Server
  Client Secret         Generate a unique client secret.
                        Although you can manually enter a client secret, allowing PingFederate to generate the secret provides better security.
  Allowed Grant Types   Access Token Validation (Client is a Resource Server)
  All other parameters  Accept the defaults.
- Configure a PingAccess Web Management OAuth client as described in Configuring OAuth Clients, using the following values.

  Parameter                      Value
  Client ID                      pa_wam
  Name                           PingAccess Web Management
  Client Authentication          The client secret that you generated for the PingAccess Resource Server should fill in automatically.
  Redirection URI                https://<PA_HOST>:<PA_USER_PORT>/pa/oidc/cb
  Bypass Authorization Approval  Bypass
  Allowed Grant Types            Authorization Code
  All other parameters           Accept the defaults.
- Verify all client settings and click Save on the Client Management tab.
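The two clients configured in the preceding steps play different roles, and the following added example (not PingAccess or PingFederate code) shows the two checks a resource server and a web client built on them perform. pa_rs holds a client secret and uses it to validate opaque reference tokens by calling the authorization server's token introspection endpoint (RFC 7662); pa_wam receives authorization codes at its registered redirection URI, which must be matched exactly. The PingFederate introspection path `/as/introspect.oauth2` is the product's standard path; the host names, the runtime port 9031, the PingAccess port 3000 standing in for `<PA_USER_PORT>`, the client secret, the token and the introspection responses are all constructed placeholders, and treating the `UserName` introspection field as the attribute from the access token attribute contract is an assumption.

```python
# Added example, not PingAccess or PingFederate code. Shows (1) the introspection
# request a resource server such as pa_rs sends to validate a reference token,
# (2) how the introspection response is checked before a request is accepted, and
# (3) exact-match validation of the pa_wam redirection URI.
import base64
import json
import time
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlencode

# Placeholders (assumptions): replace with your own deployment's values.
PF_INTROSPECTION_ENDPOINT = "https://PF_HOST:9031/as/introspect.oauth2"
PA_RS_CLIENT_ID = "pa_rs"
PA_RS_CLIENT_SECRET = "example-secret-generated-by-pingfederate"
PA_WAM_REDIRECT_URI = "https://PA_HOST:3000/pa/oidc/cb"  # <PA_USER_PORT> assumed 3000


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """client_secret_basic: 'Basic base64(id:secret)' (RFC 6749 section 2.3.1)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_introspection_request(token: str) -> Tuple[str, Dict[str, str], str]:
    """Build the POST a resource server sends to validate an opaque reference token.
    Returns (url, headers, body) so it can be sent with any HTTPS client; the
    token never has to be parsed locally because it is only a reference."""
    headers = {
        "Authorization": basic_auth_header(PA_RS_CLIENT_ID, PA_RS_CLIENT_SECRET),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    return PF_INTROSPECTION_ENDPOINT, headers, body


def validate_introspection(response_body: str, required_scopes: List[str],
                           now: Optional[float] = None) -> Dict[str, object]:
    """Decide whether to accept a token from an RFC 7662 introspection response.
    Rejects inactive, expired and insufficiently scoped tokens; returns the
    identity (assumption: 'UserName' carries the access token attribute contract
    value configured above) and the granted scopes."""
    now = time.time() if now is None else now
    data = json.loads(response_body)
    # 'active' must be the JSON boolean true, not a truthy string such as "false".
    if data.get("active") is not True:
        raise PermissionError("token is not active")
    exp = data.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        raise PermissionError("token has expired")
    granted = str(data.get("scope", "")).split()
    missing = [s for s in required_scopes if s not in granted]
    if missing:
        raise PermissionError(f"token lacks required scope(s): {missing}")
    return {"username": data.get("UserName"), "scopes": granted,
            "client_id": data.get("client_id")}


def redirect_uri_matches(requested: str) -> bool:
    """Exact string comparison against the registered redirection URI. No prefix
    matching, no normalisation: a different scheme, port, path or query string
    must fail so that codes cannot be sent to an attacker-chosen location."""
    return requested == PA_WAM_REDIRECT_URI


# Constructed introspection responses (not captured from a real server).
SAMPLE_ACTIVE = json.dumps({"active": True, "scope": "openid profile",
                            "client_id": "pa_wam", "UserName": "jdoe",
                            "token_type": "Bearer", "exp": 1900000000})
SAMPLE_INACTIVE = json.dumps({"active": False})

if __name__ == "__main__":
    url, headers, body = build_introspection_request("opaque-reference-token")
    print(url, headers["Authorization"][:12] + "...", body)
    print(validate_introspection(SAMPLE_ACTIVE, ["openid"], now=1700000000))
    print(redirect_uri_matches("https://PA_HOST:3000/pa/oidc/cb/../other"))
```

Two design choices matter here: the `active` field is compared to the boolean `True` rather than tested for truthiness, because a server or proxy that stringifies JSON would otherwise turn `"false"` into an accepted token, and the redirection URI is compared as a whole string, which is why the value registered for pa_wam above must be the exact callback PingAccess uses.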
- Configure your IdP adapters to work with OAuth as described in Managing IdP adapter grant mapping, using the following values.

  Parameter                        Value
  Source Adapter Instance          Select the HTML Form adapter or adapters that you want to use for PingAccess.
  Attribute Sources & User Lookup  For each adapter, accept the defaults.
  Contract Fulfillment             For each adapter, select the adapter as your source and set your unique identifiers for USER_KEY and USER_NAME.
  Issuance Criteria                Accept the defaults.
- Map your access tokens for OAuth as described in Managing access token mappings, using the following values.

  Parameter                        Value
  Attribute Sources & User Lookup  Accept the defaults.
  Contract Fulfillment             For the username, select Persistent Grant as your source and set the value as USER_KEY.
  Issuance Criteria                Accept the defaults.
- Verify your settings on the Summary tab, then click Save.
- Export the SSL certificate to use for connecting securely with PingAccess as described in Manage SSL server certificates.