PingDirectory

Configuring PingDirectory for SSO

Before you begin

You must have a working PingDirectory server instance that accepts LDAPS connections. This server will host the administrative console being configured for SSO.

About this task

These steps configure PingDirectory to accept access and ID tokens issued by PingFederate, so that administrators can sign on to the PingDirectory administrative console through PingFederate using SSO.

Steps

  1. Create administrator accounts in PingDirectory.

    1. Make a list of the accounts that should have administrative access.

    2. For each account in the previous list, run the following command:

      $ bin/dsconfig create-root-dn-user \
        --user-name <Username> \
        --set first-name:<Given Name> \
        --set last-name:<Family Name>

    Creating these administrators allows the All Admin Users identity mapper to map the PingFederate ID token to a PingDirectory LDAP user.

  2. Create an HTTP external server by running the following command:

    $ bin/dsconfig create-external-server \
      --server-name PingFederateHttpServer \
      --type http \
      --set base-url:https://<PingFederate_server>:9031 \
      --set hostname-verification-method:allow-all

    Creating the HTTP external server enables an HTTP connection to PingFederate. Note that hostname-verification-method:allow-all turns off host name checking of the PingFederate TLS certificate; it simplifies initial setup, but once PingFederate presents a certificate that matches its host name the setting should be tightened.

  3. Create an OIDC ID token validator by running the following command:

    $ bin/dsconfig create-id-token-validator \
      --validator-name PingFedTokenValidator \
      --type openid-connect \
      --set enabled:true \
      --set "identity-mapper:All Admin Users" \
      --set issuer-url:https://<PingFederate_server>:9031 \
      --set evaluation-order-index:1 \
      --set allowed-signing-algorithm:RS256 \
      --set openid-connect-provider:PingFederateHttpServer \
      --set jwks-endpoint-path:https://<PingFederate_server>:9031/pf/JWKS

    Set the openid-connect-provider value to the name of the HTTP external server you previously created.

    Creating the ID token validator enables PingDirectory to validate the OIDC ID token it receives from PingFederate.

  4. Create a SASL mechanism handler by running the following command:

    $ bin/dsconfig create-sasl-mechanism-handler \
      --handler-name PingFedSASLHandler \
      --type oauth-bearer \
      --set enabled:true \
      --set id-token-validator:PingFedTokenValidator

    Set the id-token-validator value to the name of the OIDC ID token validator you previously created.

    Creating the SASL mechanism handler enables PingDirectory to accept the access token it receives from PingFederate.

  5. Configure the Console web application extension.

    1. Run bin/dsconfig.

    2. Enter the number for the Web Application Extension configuration.

      This option is only shown for the Advanced objects configuration menu. If needed, enter option o and change the configuration menu level.

    3. To show existing web application extensions, enter 3.

    4. To edit the Console web application extension, press Enter.

    5. Configure the Console’s properties as shown in the following table.

      Configure other values as needed or leave the default values in place.

      Property            Value

      sso-enabled         true

      oidc-client-id      The client ID you provided for the PingFederate client application you previously created.

      oidc-client-secret  The client secret you provided for the PingFederate client application you previously created.

      oidc-issuer-url     The PingFederate OIDC token issuer URL. This value should match the value you provided for the issuer-url argument when creating the OIDC token validator.

      ldap-server         This value should already be set, but you can confirm it by running bin/status on the PingDirectory server hosting the administrative console for SSO connections.

    6. Enter f after you complete your configurations.

    Configuring the Console web application extension enables the PingDirectory administrative console to accept, as SSO credentials, ID tokens issued by your trusted PingFederate authorization server.

  6. Restart PingDirectory.
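
The following script is an added example and is not part of the PingDirectory documentation or product. It drives steps 1 to 5 non-interactively from a single PingFederate host value, so the base-url, issuer-url, jwks-endpoint-path and oidc-issuer-url values cannot drift apart (the table above requires oidc-issuer-url to match issuer-url). It assumes that dsconfig accepts set-web-application-extension-prop for the Console properties that step 5 sets through the menu, that strict is the alternative to allow-all for hostname-verification-method, and that the admin list file has one "username given-name family-name" entry per line. Host names and account names are constructed; set DSCONFIG=echo to preview the commands without running them.

```shell
#!/bin/sh
# Added example, not PingDirectory's own tooling: wraps steps 1 to 5 of the
# SSO procedure so every PingFederate URL is derived from one host value.
# Assumptions: dsconfig supports set-web-application-extension-prop for the
# Console extension, and hostname-verification-method accepts "strict".
set -eu

DSCONFIG="${DSCONFIG:-bin/dsconfig}"   # DSCONFIG=echo gives a dry run
PF_PORT="${PF_PORT:-9031}"

# Only plain account names reach dsconfig; anything else is rejected before
# it can be spliced into a command line.
valid_username() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Step 1: one root DN user per "username given family" line in the list file.
create_admins() {
  admin_list="$1"
  while read -r user given family; do
    [ -n "$user" ] || continue
    valid_username "$user" || { echo "skipping invalid username: $user" >&2; continue; }
    "$DSCONFIG" create-root-dn-user \
      --user-name "$user" \
      --set "first-name:$given" \
      --set "last-name:$family"
  done < "$admin_list"
}

# Steps 2 to 4: the external server, ID token validator and SASL handler.
# Pass allow-all as the second argument only for a lab whose PingFederate
# certificate does not yet match its host name.
configure_pf_trust() {
  pf_host="$1"
  verify="${2:-strict}"
  issuer="https://$pf_host:$PF_PORT"
  "$DSCONFIG" create-external-server \
    --server-name PingFederateHttpServer \
    --type http \
    --set "base-url:$issuer" \
    --set "hostname-verification-method:$verify"
  "$DSCONFIG" create-id-token-validator \
    --validator-name PingFedTokenValidator \
    --type openid-connect \
    --set enabled:true \
    --set "identity-mapper:All Admin Users" \
    --set "issuer-url:$issuer" \
    --set evaluation-order-index:1 \
    --set allowed-signing-algorithm:RS256 \
    --set openid-connect-provider:PingFederateHttpServer \
    --set "jwks-endpoint-path:$issuer/pf/JWKS"
  "$DSCONFIG" create-sasl-mechanism-handler \
    --handler-name PingFedSASLHandler \
    --type oauth-bearer \
    --set enabled:true \
    --set id-token-validator:PingFedTokenValidator
}

# Step 5: the client secret is read from a file so it is never typed on this
# script's command line (dsconfig itself still receives it as an argument).
configure_console() {
  pf_host="$1"; client_id="$2"; secret_file="$3"
  secret="$(cat "$secret_file")"
  "$DSCONFIG" set-web-application-extension-prop \
    --extension-name Console \
    --set sso-enabled:true \
    --set "oidc-client-id:$client_id" \
    --set "oidc-client-secret:$secret" \
    --set "oidc-issuer-url:https://$pf_host:$PF_PORT"
}

# Usage: sh configure-sso.sh <pf_host> <client_id> <secret_file> <admin_list>
if [ "$#" -eq 4 ]; then
  create_admins "$4"
  configure_pf_trust "$1"
  configure_console "$1" "$2" "$3"
  echo "Restart PingDirectory to apply the Console changes."
fi
```

Because every URL comes from the one pf_host argument, a typo cannot leave the validator trusting one issuer while the console asks another for tokens. Run it with DSCONFIG=echo first and review the printed commands before letting it touch the server.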

  7. Go to the PingDirectory administrative console URL.

    The URL takes the form https://<PingDirectory_server>:<HTTP_port>/console/. If needed, you can run bin/status to find this information.

    Result:

    You should be redirected to the PingFederate sign-on form.

    Troubleshooting:

    If you have previous administrative console sessions, close your browser tabs and retry or use your browser’s privacy mode.
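
As an added smoke check that is not part of the PingDirectory documentation, the function below confirms the redirect described in the result above without a browser: an unauthenticated request to the console URL should answer with a redirect whose Location header points at the PingFederate host you configured in the ID token validator. The console URL, the PingFederate host name and the sample header block are constructed.

```shell
#!/bin/sh
# Added example (not from the PingDirectory documentation): verify that the
# console redirects unauthenticated requests to the configured PingFederate host.
set -eu

# Parse a block of HTTP response headers and print the host of the redirect
# target. Returns 1 when the response is not a redirect.
redirect_host() {
  headers="$1"
  status="$(printf '%s\n' "$headers" | head -n 1 | awk '{print $2}')"
  case "$status" in
    301|302|303|307) ;;
    *) return 1 ;;
  esac
  printf '%s\n' "$headers" \
    | tr -d '\r' \
    | awk 'tolower($1)=="location:" {print $2}' \
    | sed -e 's#^https\{0,1\}://##' -e 's#[/:].*$##'
}

# Fetch the console's response headers with curl (no cookies, so no stale
# console session interferes) and compare the redirect host with pf_host.
check_console_sso() {
  console_url="$1"; pf_host="$2"
  headers="$(curl -s -o /dev/null -D - "$console_url")"
  got="$(redirect_host "$headers")" || { echo "not redirected: SSO is not active"; return 1; }
  if [ "$got" = "$pf_host" ]; then
    echo "redirected to $got as expected"
  else
    echo "redirected to $got, expected $pf_host"
    return 1
  fi
}

# Constructed sample of the response a browser receives after step 7.
SAMPLE_HEADERS='HTTP/1.1 302 Found
Location: https://pf.example.test:9031/as/authorization.oauth2?client_id=console&response_type=code
Content-Length: 0'

# Usage: sh check-sso.sh https://<PingDirectory_server>:<HTTP_port>/console/ <PingFederate_server>
if [ "$#" -eq 2 ]; then
  check_console_sso "$1" "$2"
fi
```

A redirect to any other host, or a 200 response serving the old sign-on page, means the Console extension changes have not taken effect yet (typically a missed restart) or that oidc-issuer-url does not match the validator's issuer-url.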

  8. Enter the credentials for one of the administrator accounts you created in step 1.

    Result:

    You should be signed on to the PingDirectory administrative console.

    Screen capture of the administrative console