Configuring PingDirectory for SSO
Before you begin
You must have a working PingDirectory server instance that accepts LDAPS connections. This server will host the administrative console being configured for SSO.
About this task
These steps let administrators use PingFederate to sign on to the PingDirectory administrative console through SSO. They create the administrator accounts, configure PingDirectory to validate the ID tokens and accept the access tokens that PingFederate issues, and enable SSO on the console.
Steps
1. Create administrator accounts in PingDirectory.
   a. Make a list of the accounts that should have administrative access.
   b. For each account in the list, run the following command:
      $ bin/dsconfig create-root-dn-user \
          --user-name <Username> \
          --set first-name:<Given Name> \
          --set last-name:<Family Name>
      Creating these administrators allows the All Admin Users identity mapper to map the PingFederate ID token to a PingDirectory LDAP user.
2. Create an HTTP external server by running the following command:
   $ bin/dsconfig create-external-server \
       --server-name PingFederateHttpServer \
       --type http \
       --set base-url:https://<PingFederate_server>:9031 \
       --set hostname-verification-method:allow-all
   Creating the HTTP external server enables an HTTP connection to PingFederate. Note that hostname-verification-method:allow-all turns off host name checking on the TLS connection to PingFederate, so PingDirectory will accept a certificate issued for some other host. Because the ID token validator fetches PingFederate's signing keys over this connection, anyone able to intercept that traffic could then substitute their own keys. Use allow-all only while testing, and change the property to strict once PingFederate's certificate matches <PingFederate_server>.
3. Create an OIDC ID token validator by running the following command:
   $ bin/dsconfig create-id-token-validator \
       --validator-name PingFedTokenValidator \
       --type openid-connect \
       --set enabled:true \
       --set "identity-mapper:All Admin Users" \
       --set issuer-url:https://<PingFederate_server>:9031 \
       --set evaluation-order-index:1 \
       --set allowed-signing-algorithm:RS256 \
       --set openid-connect-provider:PingFederateHttpServer \
       --set jwks-endpoint-path:https://<PingFederate_server>:9031/pf/JWKS
   Set the openid-connect-provider value to the name of the HTTP external server you created in step 2. Creating the ID token validator enables PingDirectory to validate the OIDC ID token it receives from PingFederate: the token's signature is checked against the keys published at the JWKS endpoint, only tokens signed with RS256 are accepted, and the token's issuer must match issuer-url.
4. Create a SASL mechanism handler by running the following command:
   $ bin/dsconfig create-sasl-mechanism-handler \
       --handler-name PingFedSASLHandler \
       --type oauth-bearer \
       --set enabled:true \
       --set id-token-validator:PingFedTokenValidator
   Set the id-token-validator value to the name of the OIDC ID token validator you previously created. Creating the SASL mechanism handler enables PingDirectory to accept the access token it receives from PingFederate.
5. Configure the Console web application extension.
   a. Run bin/dsconfig.
   b. Enter the number for the Web Application Extension configuration.
      This option is only shown in the Advanced objects configuration menu. If needed, enter option o and change the configuration menu level.
   c. To show existing web application extensions, enter 3.
   d. To edit the Console web application extension, press Enter.
   e. Configure the Console's properties as shown in the following table. Configure other values as needed or leave the default values in place.

      Property             Value
      sso-enabled          true
      oidc-client-id       The client ID you provided for the PingFederate client application you previously created.
      oidc-client-secret   The client secret you provided for the PingFederate client application you previously created.
      oidc-issuer-url      The PingFederate OIDC token issuer URL. This value must match the issuer-url value you set when creating the OIDC ID token validator.
      ldap-server          This value should already be set, but you can confirm it by running bin/status on the PingDirectory server hosting the administrative console for SSO connections.

   f. Enter f after you complete your configurations.
   Configuring the Console web application extension enables the PingDirectory administrative console to accept, as SSO credentials, an OIDC ID token issued by your trusted PingFederate authorization server.
6. Restart PingDirectory.
7. Go to the PingDirectory administrative console URL.
   The URL takes the form https://<PingDirectory_server>:<HTTP_port>/console/. If needed, you can run bin/status to find this information.
   Result: You should be redirected to the PingFederate sign-on form.
   Troubleshooting: If you have previous administrative console sessions, close your browser tabs and retry, or use your browser's privacy mode.
8. Enter the credentials for one of the administrator accounts you created in step 1.
   Result: You should be signed on to the PingDirectory administrative console.
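What the ID token validator from step 3 and the All Admin Users identity mapper from step 1 check before a console sign-on succeeds, as an added model in Python; this is illustration written for this page, not PingDirectory or PingFederate code. It mints an ID token with a throwaway RSA key standing in for the key PingFederate publishes at /pf/JWKS, then applies the checks the configuration above asks for: the RS256 allow-list (allowed-signing-algorithm), key lookup by kid in the JWKS, signature verification, issuer equal to issuer-url, audience equal to oidc-client-id, expiry, and finally mapping the token's subject to one of the root DN users created in step 1. The host name pf.example.com, the client ID pd-console, the kid values and user names, the cn=<user>,cn=Root DNs,cn=config DN layout, and the assumption that the mapper matches the subject claim to a root DN user by user name are all assumptions of the example, not taken from the page; the key generation is a toy and must never be used for real keys.

```python
import base64, hashlib, json, secrets, time
ISSUER_URL = "https://pf.example.com:9031"  # issuer-url / oidc-issuer-url (assumed host name)
CLIENT_ID = "pd-console"                    # oidc-client-id of the PingFederate client (assumed)
ALLOWED_ALGS = {"RS256"}                     # allowed-signing-algorithm
DIGEST_INFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")  # PKCS#1 SHA-256 prefix

def _probable_prime(n, rounds=16):  # Miller-Rabin on an odd n; fine for a throwaway demo key only
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | 1 << (bits - 1) | 1  # fixed length, odd
        if _probable_prime(c):
            return c

def make_rsa_key(bits=1024):  # (n, e, d) standing in for the key PingFederate publishes at /pf/JWKS
    while True:
        p, q, e = _random_prime(bits // 2), _random_prime(bits // 2), 65537
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so e not dividing phi means gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)

def _emsa(msg, k):  # EMSA-PKCS1-v1_5 with SHA-256, the encoding RS256 signs
    t = DIGEST_INFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rs256_sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(msg, k), "big"), d, n).to_bytes(k, "big")
def rs256_verify(msg, sig, n, e):
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa(msg, k)

b64u = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
b64u_dec = lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_jwks(kid, n, e):  # shape of the document served at <issuer-url>/pf/JWKS
    enc = lambda i: b64u(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": enc(n), "e": enc(e)}]}

def make_id_token(claims, kid, n, d, alg="RS256"):  # any alg other than RS256 is left unsigned
    body = b64u(json.dumps({"alg": alg, "kid": kid}).encode()) + "." + b64u(json.dumps(claims).encode())
    return body + "." + b64u(rs256_sign(body.encode(), n, d) if alg == "RS256" else b"")

def root_dn_users(names):  # step 1's accounts; the DN layout is an assumption of this example
    return {u: "cn=%s,cn=Root DNs,cn=config" % u for u in names}

def validate_id_token(token, jwks, admins, now=None, issuer=ISSUER_URL, client_id=CLIENT_ID):
    """Return the root DN user the token maps to, or raise ValueError with the rejection reason."""
    now = time.time() if now is None else now
    h, p, s = token.split(".")  # a malformed token raises ValueError from split/base64/json itself
    header, claims, sig = json.loads(b64u_dec(h)), json.loads(b64u_dec(p)), b64u_dec(s)
    if header.get("alg") not in ALLOWED_ALGS:  # rejects alg=none and HS256 downgrade attempts
        raise ValueError("alg not allowed: %r" % header.get("alg"))
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid") and k.get("kty") == "RSA"), None)
    if key is None:
        raise ValueError("kid not found in JWKS")
    n, e = (int.from_bytes(b64u_dec(key[x]), "big") for x in ("n", "e"))
    if not rs256_verify((h + "." + p).encode(), sig, n, e):
        raise ValueError("bad signature")
    if claims.get("iss") != issuer:  # must equal issuer-url exactly, scheme and port included
        raise ValueError("issuer mismatch")
    if claims.get("aud") != client_id:  # single audience here; aud may also be a list in general
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("sub") not in admins:  # All Admin Users mapper: subject must name a root DN user
        raise ValueError("no root DN user for subject %r" % claims.get("sub"))
    return admins[claims["sub"]]

def demo(now=None):  # happy path plus the rejections a misconfigured setup hits; returns {case: outcome}
    n, e, d = make_rsa_key()
    jwks, admins, now = build_jwks("pf-key-1", n, e), root_dn_users(["alice", "bob"]), now or time.time()
    claims = {"iss": ISSUER_URL, "aud": CLIENT_ID, "sub": "alice", "exp": now + 300}
    cases = {
        "valid": make_id_token(claims, "pf-key-1", n, d),
        "alg_none": make_id_token(claims, "pf-key-1", n, d, alg="none"),
        "wrong_issuer": make_id_token(dict(claims, iss="https://attacker.example:9031"), "pf-key-1", n, d),
        "unknown_kid": make_id_token(claims, "rotated-key", n, d),
        "not_admin": make_id_token(dict(claims, sub="mallory"), "pf-key-1", n, d),
    }
    def outcome(token):
        try:
            return validate_id_token(token, jwks, admins, now)
        except ValueError as exc:
            return "rejected: " + str(exc)
    return {name: outcome(token) for name, token in cases.items()}
```

Calling demo() returns the DN for the valid token and a rejection reason for each of the other cases. The wrong_issuer case is the failure you get when oidc-issuer-url or issuer-url differs from what PingFederate puts in the iss claim, even by a port or trailing slash; unknown_kid is what a validator still holding an older JWKS sees after PingFederate rotates its signing key; and not_admin shows that a valid PingFederate login is still refused unless step 1 created a matching root DN user.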