Configuring PingFederate for SSO
Before you begin

- You must have a working PingFederate instance to serve as the OpenID Connect (OIDC) provider.
- You must have an HTML Form Adapter instance. For details, see Configuring an HTML Form Adapter instance in the PingFederate documentation.

About this task

Follow these steps to configure PingFederate as the OIDC provider (authorization server) for the PingDirectory administrative console and to create the OIDC client that the console uses.
Steps

1. Configure an access token manager.

   - Go to Applications > OAuth > Access Token Management.
   - Click Create New Instance.
   - Enter or select the access token management instance properties shown in the following table. On the Access Token Attribute Contract tab, use the Extend the Contract field to add the admin_role and sub attributes (see Defining the access token attribute contract in the PingFederate documentation). Configure other values as needed or leave the default values in place.

     Type tab
       Instance Name: jwt
       Instance ID: jwt
       Type: JSON Web Tokens

     Instance Configuration tab
       Certificates: Add your signing certificate and give it a key ID.
       Token Lifetime: 120 (minutes)
       Use Centralized Signing Key: False
       JWS Algorithm: RSA using SHA-256
       Active Signing Certificate Key ID: Enter the key ID you assigned to your signing certificate.
       Enable Token Revocation: False
       Include Key ID Header Parameter: True
       Include X.509 Thumbprint Header Parameter: False
       Default JWKS URL Cache Duration: 720 (minutes)
       Include JWE Key ID Header Parameter: True
       Include JWE X.509 Thumbprint Header Parameter: False
       Client ID Claim Name: client_id
       Scope Claim Name: scope
       Space Delimit Scope Values: True
       JWT ID Claim Length: 22
       JWKS Endpoint Path: /oauth/jwks
       JWKS Endpoint Cache Duration: 720 (minutes)
       Publish Key ID X.509 URL: False
       Publish Thumbprint X.509 URL: False
       Expand Scope Groups: False

     Session Validation tab
       Include Session Identifier In Access Token: True
       Check Session Validation Status: False
       Check Session Revocation Status: False
       Update Authentication Session Activity: False

     Access Token Attribute Contract tab
       Attribute: admin_role
       Attribute: sub
       Default Subject Attribute: USER_KEY

     Access Control tab
       Restrict Allowed Clients: False (with this setting any OAuth client in this PingFederate instance can be issued tokens from this manager; set it to True and list only the console client if that is not what you want)

   - Click Save.
2. Create an OIDC policy.

   - Go to Applications > OAuth > OpenID Connect Policy Management.
   - Click Add Policy.
   - Enter or select the OIDC policy properties shown in the following table. Configure other values as needed or leave the default values in place.

     Manage Policy tab
       Policy ID: jwtOIDCpolicy
       Policy Name: jwtOIDCpolicy
       Access Token Manager: Select the jwt access token manager you created in step 1.
       ID Token Lifetime: 5 (minutes)
       Include Session Identifier in ID Token: True
       Include User Info in ID Token: True
       Include State Hash in ID Token: False
       Return ID Token on Refresh Grant: False
       Reissue ID Token during Hybrid Flow: False

     Attribute Contract tab
       Attribute: sub
       Attribute: admin_role

     Attribute Scopes tab
       openid: admin_role

     Contract Fulfillment tab
       admin_role: Select Access Token in the Source menu and admin_role in the Value menu.
       sub: Select Access Token in the Source menu and sub in the Value menu.

   - Click Save.
3. Create a policy contract grant mapping.

   - Go to Authentication > OAuth > Policy Contract Grant Mapping.
   - In the Policy Contract menu, select your authentication policy contract and click Add Mapping.
   - On the Attribute Sources & User Lookup tab, click Next.
   - On the Contract Fulfillment tab, for both USER_KEY and USER_NAME, select Authentication Policy Contract for the Source and subject for the Value.
   - Complete any other configuration as needed and save the mapping.
4. Create an access token mapping between your authentication policy contract and the jwt access token manager you created in step 1. If needed, create an authentication policy contract first. The sub attribute is required.

   - Go to Applications > OAuth > Access Token Mappings.
   - On the Access Token Mappings page, in the Context menu, select your authentication policy contract.
   - In the Access Token Manager menu, select the jwt access token manager you created in step 1.
   - Click Add Mapping.
   - On the Attribute Sources & User Lookup tab, click Next.
   - On the Contract Fulfillment tab, do the following:
     - For the admin_role attribute, select Text for the Source and enter fullAdmin for the Value.
     - For the sub attribute, select Authentication Policy Contract for the Source and subject for the Value.
   - Complete any other configuration as needed and save the mapping.

   Because admin_role is fulfilled from a fixed Text value, every user who completes this authentication policy receives admin_role=fullAdmin in the access token and therefore full administrative access to the console. Restrict which users can satisfy the authentication policy, or fulfil admin_role from a user attribute instead of a constant, if not every authenticated user should be an administrator.
5. Create an OIDC client.

   - Go to Applications > OAuth > Clients and click Add Client.
   - Enter or select the client application properties shown in the following table. Configure other values as needed or leave the default values in place.

       Client ID: PingDirectoryConsole
       Client Name: PingDirectoryConsole
       Description: Client for the PingDirectory administrative console
       Client Authentication: Select Client Secret.
       Client Secret: Select the Change Secret check box and enter a password, or click Generate Secret. Note the secret value; the console needs it to authenticate to PingFederate.
       Redirect URLs: Enter https://<hostname>:<port>/console/oidc/cb, supplying the hostname and port of your PingDirectory server instance. To find the administrative console port, run bin/status on the PingDirectory server. Register the exact URL the console uses; do not use wildcards.
       Bypass Authorization Approval: Select Bypass.
       Allowed Grant Types: Select Authorization Code.
       Default Access Token Manager: Select jwt.
       OpenID Connect > ID Token Signing Algorithm: Select RSA using SHA-256.
       OpenID Connect > Policy: Select the OIDC policy you created in step 2.

   - Click Save.
6. Create an OAuth client set authentication selector.

   - Go to Authentication > Policies > Selectors.
   - On the Selectors page, click Create New Instance.
   - Enter or select the authentication selector properties shown in the following table.

     Type tab
       Instance Name: PD Console Selector
       Instance ID: PDConsoleSelector
       Type: OAuth Client Set Authentication Selector

     Authentication Selector tab
       Clients: Select the OIDC client you created in step 5.

   - Complete any other configuration as needed and save the selector.

7. Create and save an authentication policy by following steps 1-11 of Creating an authentication policy. In step 9, for the selector's Yes branch, select your HTML Form Adapter instance from the IdP Adapters menu.
Result
You have completed the PingFederate SSO configuration.