PingDirectory

Configuring PingFederate for SSO

Before you begin

  • You must have a working PingFederate instance to serve as the OpenID Connect (OIDC) provider.

  • To complete these steps, you must have an HTML form adapter instance. You can find details in Configuring an HTML Form Adapter instance in the PingFederate documentation.

About this task

To create an OIDC client and configure PingFederate as an authorization server, follow these steps.

Steps

  1. Configure an access token manager.

    1. Go to Applications > OAuth > Access Token Management.

    2. Click Create New Instance.

    3. Enter or select the access token management instance properties as shown in the following table.

      Use the Extend the contract field to add the admin_role and sub attributes. Learn more about Defining the access token attribute contract in the PingFederate documentation.

      Configure other values as needed or leave the default values in place.

      Type tab
        Instance Name: jwt
        Instance ID: jwt
        Type: JSON Web Tokens

      Instance Configuration tab
        Certificates: Add your signing certificate and give it a key ID.
        Token Lifetime (minutes): 120
        Use Centralized Signing Key: False
        JWS Algorithm: RSA using SHA-256
        Active Signing Certificate Key ID: Enter the key ID you assigned to your signing certificate.
        Enable Token Revocation: False
        Include Key ID Header Parameter: True
        Include X.509 Thumbprint Header Parameter: False
        Default JWKS URL Cache Duration (minutes): 720
        Include JWE Key ID Header Parameter: True
        Include JWE X.509 Thumbprint Header Parameter: False
        Client ID Claim Name: client_id
        Scope Claim Name: scope
        Space Delimit Scope Values: True
        JWT ID Claim Length: 22
        JWKS Endpoint Path: /oauth/jwks
        JWKS Endpoint Cache Duration (minutes): 720
        Publish Key ID X.509 URL: False
        Publish Thumbprint X.509 URL: False
        Expand Scope Groups: False

      Session Validation tab
        Include Session Identifier In Access Token: True
        Check Session Validation Status: False
        Check Session Revocation Status: False
        Update Authentication Session Activity: False

      Access Token Attribute Contract tab
        Attribute: admin_role
        Attribute: sub
        Default Subject Attribute: USER_KEY

      Access Control tab
        Restrict Allowed Clients: False

    4. Click Save.

  2. Create an OIDC policy.

    1. Go to Applications > OAuth > OpenID Connect Policy Management.

    2. Click Add Policy.

    3. Enter or select the OIDC policy properties as shown in the following table.

      Configure other values as needed or leave the default values in place.

      Manage Policy tab
        Policy ID: jwtOIDCpolicy
        Policy Name: jwtOIDCpolicy
        Access Token Manager: Select the jwt access token manager you previously created.
        ID Token Lifetime (minutes): 5
        Include Session Identifier in ID Token: True
        Include User Info in ID Token: True
        Include State Hash in ID Token: False
        Return ID Token on Refresh Grant: False
        Reissue ID Token during Hybrid Flow: False

      Attribute Contract tab
        Attribute: sub
        Attribute: admin_role

      Attribute Scopes tab
        Scope openid: admin_role (the admin_role attribute is released under the openid scope)

      Contract Fulfillment tab
        admin_role: Select Access Token in the Source menu and admin_role in the Value menu.
        sub: Select Access Token in the Source menu and sub in the Value menu.

    4. Click Save.

  3. Create a policy contract grant mapping.

    1. Go to Authentication > OAuth > Policy Contract Grant Mapping.

    2. In the Policy Contract menu, select your authentication policy contract and click Add Mapping.

    3. On the Attribute Sources & User Lookup tab, click Next.

    4. On the Contract Fulfillment tab, for both USER_KEY and USER_NAME, select Authentication Policy Contract for the Source and subject for the Value.

    5. Complete any other configuration, as needed, and save the mapping.

  4. Create an access token mapping between your authentication policy contract and the access token manager you previously created.

    If needed, create an authentication policy contract. The sub attribute is required.

    1. Go to Applications > OAuth > Access Token Mappings.

    2. On the Access Token Mappings page, in the Context menu, select your authentication policy contract.

    3. In the Access Token Manager menu, select the jwt access token manager you previously created.

    4. Click Add Mapping.

    5. On the Attribute Sources & User Lookup tab, click Next.

    6. On the Contract Fulfillment tab, do the following:

      • For the admin_role attribute, select Text for the Source and enter fullAdmin for the Value. Because the Source is static text, every user who authenticates through this policy contract is issued admin_role=fullAdmin, and with it full administrative rights in the console. If not all of those users should administer PingDirectory, restrict who can reach this contract or populate admin_role from a per-user attribute instead.

      • For the sub attribute, select Authentication Policy Contract for the Source and subject for the Value.

    7. Complete any other configuration, as needed, and save the mapping.

  5. Create an OIDC client.

    1. Go to Applications > OAuth > Clients and click Add Client.

    2. Enter or select the client application properties as shown in the following table.

      Configure other values as needed or leave the default values in place.

      Client ID: PingDirectoryConsole
      Client Name: PingDirectoryConsole
      Description: Client for the PingDirectory administrative console
      Client Authentication: Select Client Secret.
      Client Secret: Select the Change Secret check box and enter a password, or click Generate Secret and note the generated secret value. The PingDirectory console presents this secret to PingFederate when it redeems the authorization code, so store it as you would any other credential.
      Redirect URLs: Enter https://<hostname>:<port>/console/oidc/cb, supplying the hostname and port values for your PingDirectory server instance. Enter the URL exactly (scheme, host, port and path); PingFederate rejects an authorization request whose redirect_uri does not match a registered value.
        To obtain the PingDirectory administrative console port value, run bin/status.
      Bypass Authorization Approval: Select Bypass. This skips the user consent page, which is appropriate here because the console is a first-party client.
      Allowed Grant Types: Select Authorization Code.
      Default Access Token Manager: Select jwt.
      OpenID Connect > ID Token Signing Algorithm: Select RSA using SHA-256.
      OpenID Connect > Policy: Select the OIDC policy you previously created.

    3. Click Save.

  6. Create an OAuth set authentication selector.

    1. Go to Authentication > Policies > Selectors.

    2. On the Selectors page, click Create New Instance.

    3. Enter or select the authentication selector properties as shown in the following table.

      Type tab
        Instance Name: PD Console Selector
        Instance ID: PDConsoleSelector
        Type: OAuth Client Set Authentication Selector

      Authentication Selector tab
        Clients: Select the OIDC client you previously created.

    4. Complete any other configuration, as needed, and save the selector.

  7. Create and save an authentication policy by following steps 1-11 of Creating an authentication policy.

    In step 9, for the Yes option on the selector, select your HTML form adapter instance from the IdP Adapters menu.
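    The following script is an added example and is not part of the PingDirectory or PingFederate documentation. After you complete the steps above, it lets you confirm that a token PingFederate issues to the PingDirectoryConsole client has the shape the configuration calls for: RS256 with a kid header and no x5t header (Instance Configuration tab), client_id and space-delimited scope claims, a 22-character jti, the sub and admin_role contract attributes, a 120-minute access token lifetime and a 5-minute ID token lifetime, and the admin_role value fullAdmin from the access token mapping. It does not verify signatures; select_jwk() only shows how the kid header picks the key out of the document served at /oauth/jwks, after which a JOSE library should do the RSA check. The key ID pd-console-signing, the subject jdoe, the timestamps, the placeholder signature and the JWKS contents are all constructed for the example, and the aud check on the ID token follows the OIDC specification rather than a setting on this page.

```python
# Added example: shape-check JWTs against the PingFederate settings chosen above.
# Signatures are not verified; select_jwk() only locates the key a kid points at.
import base64
import json

EXPECTED_ALG = "RS256"                       # JWS Algorithm: RSA using SHA-256
EXPECTED_CLIENT_ID = "PingDirectoryConsole"  # Client ID
LIFETIME_MIN = {"access": 120, "id": 5}      # Token Lifetime / ID Token Lifetime (minutes)
REQUIRED_CLAIMS = {"sub", "admin_role"}      # attribute contracts
REQUIRED_SCOPES = {"openid", "admin_role"}   # Attribute Scopes
JTI_LENGTH = 22                              # JWT ID Claim Length

def b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def split_jwt(token):
    """Return (header, claims, signature bytes) of a compact JWS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return (json.loads(b64url_decode(parts[0])),
            json.loads(b64url_decode(parts[1])),
            b64url_decode(parts[2]))

def check_token(token, now, kind):
    """Return a list of mismatches (empty = matches). kind: "access" or "id"."""
    header, claims, _ = split_jwt(token)
    problems = []
    if header.get("alg") != EXPECTED_ALG:
        problems.append("alg=%r, expected %s" % (header.get("alg"), EXPECTED_ALG))
    if not header.get("kid"):
        problems.append("kid header missing (Include Key ID Header Parameter)")
    if "x5t" in header:
        problems.append("x5t header present although thumbprint header is disabled")
    missing = REQUIRED_CLAIMS - set(claims)
    if missing:
        problems.append("contract attributes missing: %s" % sorted(missing))
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        problems.append("iat/exp missing")
    else:
        if exp <= now:
            problems.append("token expired")
        if exp - iat > LIFETIME_MIN[kind] * 60:
            problems.append("lifetime %ds exceeds %d min" % (exp - iat, LIFETIME_MIN[kind]))
    if kind == "access":
        if claims.get("client_id") != EXPECTED_CLIENT_ID:
            problems.append("client_id=%r" % claims.get("client_id"))
        scopes = set(str(claims.get("scope", "")).split())  # Space Delimit Scope Values: True
        if not REQUIRED_SCOPES <= scopes:
            problems.append("scope lacks %s" % sorted(REQUIRED_SCOPES - scopes))
        if len(str(claims.get("jti", ""))) != JTI_LENGTH:
            problems.append("jti length is not %d" % JTI_LENGTH)
    else:
        aud = claims.get("aud")  # standard OIDC, not a page setting: aud is the client ID
        if aud != EXPECTED_CLIENT_ID and not (isinstance(aud, list) and EXPECTED_CLIENT_ID in aud):
            problems.append("aud=%r" % aud)
    return problems

def select_jwk(jwks, kid):
    """Pick the RSA signing key that a token's kid header refers to."""
    for key in jwks.get("keys", []):
        if key.get("kid") == kid and key.get("kty") == "RSA" and key.get("use", "sig") == "sig":
            return key
    raise KeyError("no RSA signing key with kid %r" % kid)

def make_sample_jwt(header, claims):
    """Constructed token; the third segment is a placeholder, not a real signature."""
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()),
                     b64url_encode(b"placeholder-signature")])

NOW = 1_700_000_000           # constructed "current time"
KID = "pd-console-signing"    # assumed key ID; use the one assigned in step 1
GOOD_ACCESS = make_sample_jwt(
    {"alg": "RS256", "kid": KID},
    {"client_id": EXPECTED_CLIENT_ID, "scope": "openid admin_role", "sub": "jdoe",
     "admin_role": "fullAdmin", "jti": "A" * JTI_LENGTH, "iat": NOW - 60, "exp": NOW + 7140})
GOOD_ID = make_sample_jwt(
    {"alg": "RS256", "kid": KID},
    {"sub": "jdoe", "admin_role": "fullAdmin", "aud": EXPECTED_CLIENT_ID, "iat": NOW - 60, "exp": NOW + 240})
BAD_ACCESS = make_sample_jwt(  # HS256, no kid, no admin_role, day-long lifetime
    {"alg": "HS256"},
    {"client_id": "other", "scope": "openid", "sub": "jdoe", "iat": NOW - 60, "exp": NOW + 86400})
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": KID, "use": "sig", "alg": "RS256",
                         "n": "constructed-not-a-real-modulus", "e": "AQAB"}]}

if __name__ == "__main__":
    for name, tok, kind in (("access", GOOD_ACCESS, "access"), ("id", GOOD_ID, "id"), ("bad", BAD_ACCESS, "access")):
        print(name, check_token(tok, NOW, kind) or "OK")
```

    To use it against your own deployment, sign in to the console once through PingFederate, capture the access token and ID token the console receives at /console/oidc/cb, and pass them to check_token() with the current Unix time. Each string in the returned list names the tab or setting whose value differs from the procedure above.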

Result

You have completed the PingFederate SSO configuration.