Protecting PingFederate behind a gateway deployment of PingAccess
Learn how to proxy PingAccess to protect PingFederate in a gateway deployment.
Before you begin
Make sure the components are installed and running.
This configuration does not support X.509 and IWA (Integrated Windows Authentication) connections.
Exporting the PingFederate certificate that protects the runtime listener
Steps
- Log in to your PingFederate administration console.
- Go to Security → SSL Server Certificates.
- Go to Select Action → Export.
- Select Certificate Only and click Next.
- Click Export.
- Save the certificate file to a location you can easily reference.
Importing the certificate in PingAccess
Steps
- Log in to your PingAccess administration console.
- Go to Security → Certificates.
- To import a new certificate, click the plus icon.
- Under Name, specify PF.
- Click Choose File and select the certificate you exported from PingFederate in Step 1. Click Add.
- Drag the imported certificate from the Certificates pane to the Trusted Certificate Groups pane.
Creating a PingAccess site to protect PingFederate
Steps
- Go to Sites → Add Site.
- Create a PingAccess site using the following table as a guide.

  Parameter                  Example Value
  Name                       PF
  Targets                    <load balancer VIP>:443
  Secure                     Yes
  Trusted Certificate Group  PF
  All other parameters       Accept the defaults

- Click Save.
Creating a PingAccess virtual host
Steps
- Go to Access → Virtual Hosts.
- Click Add Virtual Host.
- Enter the host name that you will use to access the PingFederate runtime engines, using the following table as a guide.

  Parameter                      Example Value
  Host                           https://<pingfederate_host>
  Port                           443
  Agent Resource Cache TTL (S)   900
  All other parameters           Accept the defaults

- Click Save.
Creating a PingAccess application leveraging the site and the virtual host
Steps
- Go to Applications → Add Application.
- Enter the applicable parameters using the following table as a guide.

  Parameter              Example Value
  Name                   PF
  Context Root           /
  Virtual Host(s)        https://<pingfederate_host>:443
  Application Type       Web
  Web Session            None
  Web Identity Mapping   None
  Destination            Site
  Site                   PF
  Require HTTPS          Yes
  Enabled                Yes
  All other parameters   Accept the defaults

- Click Save.
Creating a key pair associated with the new PingFederate host name
Steps
- Go to Security → Key Pairs.
- Click Add Key Pair and enter the applicable parameters using the following table as a guide.

  Parameter                            Example Value
  Alias                                PF Master
  Common Name                          https://<pingfederate_host>
  Subject Alternative Name - DNS Name  https://<pingfederate_host>
  All other parameters                 Accept the defaults

  To avoid a "Not Secure" warning in your browser, a signed certificate is required. Use PingFederate to generate a certificate signing request (CSR) and import the CSR response, as described in Manage SSL server certificates. The certificate can be self-signed or signed by a certificate authority.
- Click Save.
Tying the newly imported key pair to the associated virtual host
Steps
- Go to Networking → Listeners.
- In the Engine Key Pairs pane, change PF Master to the base URL of the PingAccess virtual host, and then click Save. Accept the defaults for all other parameters.
Setting PingAccess’s token provider to match the PingAccess application
Steps
- Go to System → Token Provider.
- Create the token provider using the following table as a guide.
  The host and port must match the host and port settings in Creating a PingAccess virtual host.

  Parameter              Example Value
  Host                   https://<pingfederate_host>
  Port                   443
  Audit Level            Yes
  All other parameters   Accept the defaults

- Click Save.
Updating PingFederate’s base URL
Steps
- Log in to your PingFederate administration console.
- Go to System → Protocol Settings → Federation Info and change Base URL to the base URL and port of the PingAccess virtual host. Click Save.
  If the base URL is invalid, PingFederate will not be accessible. Make sure the base URL is valid before proceeding.
Verifying that access to PingFederate routes through PingAccess
Steps
- In a browser window, go to https://<virtual host and port>/pf/heartbeat.ping. This should produce a valid response from PingFederate.
- In a browser window, go to https://<virtual host and port>/pa/heartbeat.ping. This should produce a valid response from PingAccess.
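The browser checks above can be scripted so the same verification runs after every change to the listener, site or token provider. The script below is an added example and is not part of the Ping Identity documentation or product: it checks that the certificate PingAccess serves for the virtual host carries that host name in its Subject Alternative Name (that is, the PF Master key pair is bound to the listener), optionally that the certificate exported from PingFederate validates the site target the PingAccess site points at, and that both heartbeat endpoints answer HTTP 200 through the virtual host. The environment variable names PA_VHOST, PA_PORT, PA_IP, PA_CACERT, PF_TARGET and PF_CERT are assumptions of this example, as is the availability of curl and OpenSSL 1.1.1 or later on the path.

```shell
#!/bin/sh
# Added example (not from the Ping Identity page or product). Verifies the
# gateway deployment from the outside: served certificate, site trust and the
# two heartbeat endpoints reached through the PingAccess virtual host.
# Assumed environment (hypothetical variable names):
#   PA_VHOST   virtual host name, e.g. sso.example.com     (required to run)
#   PA_PORT    virtual host port, default 443
#   PA_IP      optional address to pin PA_VHOST to before DNS is updated
#   PA_CACERT  optional CA bundle that signed the PF Master key pair
#   PF_TARGET  optional PingFederate site target, host:port (the load balancer VIP)
#   PF_CERT    optional path of the certificate exported from PingFederate

# Build the heartbeat URL for a virtual host, port and heartbeat path.
heartbeat_url() {
    # $1 = virtual host, $2 = port, $3 = /pf/heartbeat.ping or /pa/heartbeat.ping
    printf 'https://%s:%s%s\n' "$1" "$2" "$3"
}

# A heartbeat is healthy only on HTTP 200. PingFederate and PingAccess both
# answer their heartbeat endpoints with a short body ("OK" by default), which is
# reported but not used as the pass/fail criterion. Returns 0 healthy, 1 not.
evaluate_heartbeat() {
    # $1 = HTTP status code, $2 = response body
    if [ "$1" = "200" ]; then
        printf 'healthy (HTTP 200, body: %s)\n' "$2"
        return 0
    fi
    printf 'unhealthy (HTTP %s, body: %s)\n' "$1" "$2"
    return 1
}

# True when the subjectAltName text printed by openssl lists exactly DNS:<host>.
# Entries are split on commas and matched as whole lines, so a SAN such as
# DNS:sso.example.com.evil does not satisfy a check for sso.example.com.
san_contains_host() {
    # $1 = subjectAltName text, $2 = host name
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# Fetch the certificate PingAccess serves for the virtual host (SNI = PA_VHOST)
# and confirm the host name is in its SAN, as the PF Master key pair requires.
check_served_cert() {
    san="$(printf '' | openssl s_client -connect "${PA_IP:-$PA_VHOST}:$PA_PORT" \
        -servername "$PA_VHOST" 2>/dev/null | openssl x509 -noout -ext subjectAltName 2>/dev/null)" || san=""
    if san_contains_host "$san" "$PA_VHOST"; then
        printf 'served certificate SAN includes %s\n' "$PA_VHOST"
        return 0
    fi
    printf 'served certificate SAN does not include %s (got: %s)\n' "$PA_VHOST" "$san"
    return 1
}

# Confirm the exported PingFederate certificate (the one placed in the trusted
# certificate group of the PF site) validates the site target's TLS endpoint.
check_site_trust() {
    verify="$(printf '' | openssl s_client -connect "$PF_TARGET" -CAfile "$PF_CERT" 2>/dev/null \
        | grep 'Verify return code')" || verify="no verify result"
    case "$verify" in
        *"0 (ok)"*) printf 'site target %s verifies against %s\n' "$PF_TARGET" "$PF_CERT"; return 0 ;;
        *) printf 'site target %s does not verify against %s: %s\n' "$PF_TARGET" "$PF_CERT" "$verify"; return 1 ;;
    esac
}

# Request one heartbeat endpoint through the virtual host. -w appends the status
# code on its own line after the body so both can be separated afterwards.
check_endpoint() {
    url="$(heartbeat_url "$PA_VHOST" "$PA_PORT" "$1")"
    out="$(curl -sS ${PA_IP:+--resolve "$PA_VHOST:$PA_PORT:$PA_IP"} \
        ${PA_CACERT:+--cacert "$PA_CACERT"} -w '\n%{http_code}' "$url")" \
        || { printf '%s: request failed (TLS or connection error)\n' "$url"; return 1; }
    code="$(printf '%s\n' "$out" | tail -n 1)"
    body="$(printf '%s\n' "$out" | sed '$d')"
    printf '%s: ' "$url"
    evaluate_heartbeat "$code" "$body"
}

# Run the network checks only when a virtual host is configured, so the file can
# also be sourced for its helper functions without touching the network.
if [ -n "${PA_VHOST:-}" ]; then
    : "${PA_PORT:=443}"
    rc=0
    check_served_cert || rc=1
    if [ -n "${PF_TARGET:-}" ] && [ -n "${PF_CERT:-}" ]; then
        check_site_trust || rc=1
    fi
    check_endpoint /pf/heartbeat.ping || rc=1
    check_endpoint /pa/heartbeat.ping || rc=1
    exit "$rc"
fi
```

Run it as, for example, PA_VHOST=sso.example.com PA_CACERT=corp-ca.pem sh verify-gateway.sh (values constructed for illustration); a non-zero exit code means one of the checks failed, and the line printed for the failing check names which one. The SAN check is deliberately an exact match rather than a substring match, because a certificate bound to the wrong key pair would otherwise still pass when its SAN happens to contain the host name as a prefix.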