Use Cases

Protecting PingFederate behind a gateway deployment of PingAccess

Learn how to deploy PingAccess as a reverse proxy (gateway) in front of PingFederate, so that all runtime traffic to PingFederate passes through PingAccess.

Components

  • PingFederate 9.2

  • PingAccess 5.2

Before you begin

Make sure the components are installed and running.

This configuration does not support X.509 client certificate or IWA (Integrated Windows Authentication) connections, because these rely on the client negotiating directly with the PingFederate runtime listener.

Exporting the PingFederate certificate that protects the runtime listener

Steps

  1. Log in to your PingFederate administration console.

  2. Go to Security → SSL Server Certificates.

  3. Go to Select Action → Export.

  4. Select Certificate Only and click Next.

  5. Click Export.

  6. Save the certificate file to a location you can easily reference.

Importing the certificate in PingAccess

Steps

  1. Log in to your PingAccess administration console.

  2. Go to Security → Certificates.

  3. To import a new certificate, click the plus icon.

  4. Under Name, specify PF.

  5. Click Choose File and select the certificate you exported from PingFederate in the previous procedure. Click Add.

  6. Drag the imported certificate from the Certificates pane to the Trusted Certificate Groups pane.

Creating a PingAccess site to protect PingFederate

Steps

  1. Go to Sites → Add Site.

  2. Create a PingAccess site using the following table as a guide.

    Parameter                  Example Value
    Name                       PF
    Targets                    <load balancer VIP>:443
    Secure                     Yes
    Trusted Certificate Group  PF
    All other parameters       Accept the defaults

  3. Click Save.

Creating a PingAccess virtual host

Steps

  1. Go to Access → Virtual Hosts.

  2. Click Add Virtual Host.

  3. Enter the host name that you will use to access the PingFederate runtime engines, using the following table as a guide.

    Parameter                     Example Value
    Host                          https://<pingfederate_host>
    Port                          443
    Agent Resource Cache TTL (S)  900
    All other parameters          Accept the defaults

  4. Click Save.

Creating a PingAccess application leveraging the site and the virtual host

Steps

  1. Go to Applications → Add Application.

  2. Enter the applicable parameters using the following table as a guide.

    Parameter             Example Value
    Name                  PF
    Context Root          /
    Virtual Host(s)       https://<pingfederate_host>:443
    Application Type      Web
    Web Session           None
    Web Identity Mapping  None
    Destination           Site
    Site                  PF
    Require HTTPS         Yes
    Enabled               Yes
    All other parameters  Accept the defaults

  3. Click Save.

Creating a key pair associated with the new PingFederate host name

Steps

  1. Go to Security → Key Pairs.

  2. Click Add Key Pair and enter the applicable parameters using the following table as a guide.

    Parameter                            Example Value
    Alias                                PF Master
    Common Name                          https://<pingfederate_host>
    Subject Alternative Name - DNS Name  https://<pingfederate_host>
    All other parameters                 Accept the defaults

    To avoid a "Not Secure" warning in your browser, a signed certificate is required. Use PingFederate to generate a certificate signing request (CSR) and import the CSR response, as described in Manage SSL server certificates. The certificate can be self-signed or signed by a certificate authority.

  3. Click Save.

Tying the newly imported key pair to the associated virtual host

Steps

  1. Go to Networking → Listeners.

  2. In the Engine Key Pairs pane, change PF Master to the base URL of the PingAccess virtual host and then click Save. Accept the defaults for all other parameters.

Setting PingAccess’s token provider to match the PingAccess application

Steps

  1. Go to System → Token Provider.

  2. Create the token provider using the following table as a guide.

    The host and port must match the host and port settings in Creating a PingAccess virtual host.

    Parameter             Example Value
    Host                  https://<pingfederate_host>
    Port                  443
    Audit Level           Yes
    All other parameters  Accept the defaults

  3. Click Save.

Updating PingFederate’s base URL

Steps

  1. Log in to your PingFederate administration console.

  2. Go to System → Protocol Settings → Federation Info and change Base URL to the base URL and port of the PingAccess virtual host. Click Save.

    If the base URL is invalid, PingFederate will not be accessible. Make sure the base URL is valid before proceeding.

Verifying that access to PingFederate routes through PingAccess

Steps

  1. In a browser window, go to https://<virtual host>:<port>/pf/heartbeat.ping. This should produce a valid response from PingFederate.

  2. In a browser window, go to https://<virtual host>:<port>/pa/heartbeat.ping. This should produce a valid response from PingAccess.
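The two browser checks above can be scripted so the verification is repeatable, and so the TLS side of the earlier key pair step (the "PF Master" key pair whose Subject Alternative Name must cover the virtual host name) is checked at the same time. The following script is an added example; it is not part of the Ping Identity documentation and uses no Ping API. It assumes VIRTUAL_HOST and PORT are the values entered in "Creating a PingAccess virtual host", and that CA_FILE points to a PEM file holding the PF Master certificate (or its issuing CA) so the handshake is verified rather than blindly trusted; the `.example.com` host name is a placeholder.

```python
"""Probe that a PingFederate host name is now answered through PingAccess.

Added example, not part of the Ping Identity documentation. Assumptions:
VIRTUAL_HOST/PORT are the PingAccess virtual host values, CA_FILE is a PEM
file trusting the "PF Master" key pair (None = system trust store).
"""
import ssl
import urllib.error
import urllib.request
from typing import Iterable, Optional

VIRTUAL_HOST = "pingfederate.example.com"   # placeholder for <pingfederate_host>
PORT = 443
CA_FILE: Optional[str] = None               # e.g. "pf-master.pem" (assumed file name)


def heartbeat_urls(virtual_host: str, port: int) -> dict:
    """Build the two heartbeat URLs from the verification step.

    A scheme pasted along with the host name (as the configuration tables
    show it) is stripped, so the same value can be reused here.
    """
    host = virtual_host.strip().lower()
    for scheme in ("https://", "http://"):
        if host.startswith(scheme):
            host = host[len(scheme):]
    host = host.rstrip("/")
    base = f"https://{host}:{port}"
    return {"pingfederate": f"{base}/pf/heartbeat.ping",
            "pingaccess": f"{base}/pa/heartbeat.ping"}


def hostname_matches_san(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """Check that a certificate's DNS SANs cover the host name users will type.

    This is the condition behind the "Not Secure" warning mentioned in the
    key pair step: exact match, or a single left-most wildcard label
    (simplified RFC 6125 rules).
    """
    host = hostname.lower().rstrip(".")
    for san in san_dns_names:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]                                   # ".example.com"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:                   # exactly one label
                return True
    return False


def probe(url: str, cafile: Optional[str], timeout: float = 5.0) -> dict:
    """Fetch one heartbeat URL with certificate and host name checking on.

    Returns a result record instead of raising, so both endpoints are always
    reported even when the first one fails.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, headers={"User-Agent": "pa-gateway-check/1"})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return {"url": url, "ok": resp.status == 200, "status": resp.status,
                    "detail": resp.read(200).decode("utf-8", "replace").strip()}
    except urllib.error.HTTPError as e:
        return {"url": url, "ok": False, "status": e.code, "detail": str(e.reason)}
    except urllib.error.URLError as e:
        detail = str(e.reason)
        if isinstance(e.reason, ssl.SSLCertVerificationError):
            # Typical cause: the listener still serves a key pair whose SAN
            # does not contain the virtual host name.
            detail = "TLS verification failed; check the engine key pair: " + detail
        return {"url": url, "ok": False, "status": None, "detail": detail}
    except OSError as e:
        return {"url": url, "ok": False, "status": None, "detail": str(e)}


def main() -> int:
    results = [probe(u, CA_FILE) for u in heartbeat_urls(VIRTUAL_HOST, PORT).values()]
    for r in results:
        print("PASS" if r["ok"] else "FAIL", r["url"], r["status"], r["detail"])
    return 0 if all(r["ok"] for r in results) else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it after the base URL change; a failure on the PingAccess heartbeat alone points at the virtual host or listener key pair, while a failure on the PingFederate heartbeat alone points at the site target, the trusted certificate group, or the PingFederate base URL.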