PingFederate 12.0 - My Page SSO Configuration Using OIDC - RSA Ready Implementation Guide
2 years ago
This article describes how to integrate PingFederate 12.0 with RSA Cloud Authentication Service using My Page SSO (OIDC).

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service using My Page SSO (OIDC).
Procedure
  1. Sign in to RSA Cloud Administration Console.
  2. Navigate to Applications My Applications > Add an Application, and click Create From Template.
  3. Click Select against OIDC.
  4. On the Basic Information page, enter a name for the application in the Name field.
  5. Click Next Step.
  6. Choose the required option on the Authentication page and click Next Step.image.png
  7. Under Connection Profile, provide the following details:
    1. Specify the Connection URL as follows: https://<pingfederate_host>:<pingfederate_port>/pingfederate/app
      • pingfederate_host: The host name that the user will use to access the PingFederate console.
      • Pingfederate_port: The port on which the PingFederate console runs. The default value is 9999
    2. Authorization Server Issuer URL will be auto populated. This URL is used on the PingFederate side to form Callback URL, Token Endpoint URL and Authorize Endpoint URL.
    3. Specify the Redirect URL as follows: https://<pf_admin_hostname>:<pf_admin_port>/pingfederate/app?service=finishsso 
    4. Provide a Client ID and take note of its value as it will be used in PingFederate configuration.
    5. Select Client Authentication Method, the PingFederate console only supports three methods: 'CLIENT_SECRET_BASIC', 'CLIENT_ SECRET_POST', 'PRIVATE_KEY_JWT'.
    6. Provide a Client Secret or generate one.
    7. Provide the scope as 'openid' (Scopes should be added beforehand. See Notes section.) 
    8. Provide the claims as 'sub' and 'admin_role' (Claims should be added beforehand. See Notes section.)
      • sub is the email of the user.
      • admin_role is the role for the user.
image.png
  1. Click Next Step.
  2. On the Portal Display page, configure the portal display and other settings. Click Save and Finish
  3. Click Publish Changes.

Notes

  1. To add scopes, go to Access OIDC Settings.image.png
  2. Click the Scopes tab and add the following scopes.image.png
  3. To add claims, click the Claims tab and add the following claims.image.png
 

Configure PingFederate 12.0

Perform these steps to configure PingFederate 12.0
Procedure
You need to enable OIDC-based authentication for the administrative console by setting a property in the 'run.properties' file ('<pf_install>/pingfederate/bin/run.properties') and configuring other properties in the 'oidc.properties' file ('<pf_install/pingfederate/bin/oidc.properties'). 
  1. Edit the 'run.properties' file and set the 'pf.console.authentication' property to 'OIDC'.
  2. Edit the 'oidc.properties' file and modify the applicable properties accordingly.
PropertyValueNote
client.idValue of Client ID defined in RSA Cloud Authentication Service config. 
client.authn.methodThe Client Authentication Method previously selected in RSA Cloud Authentication Service config.PingFederate console only supports three methods: CLIENT_SECRET_BASIC, CLIENT_ SECRET_POST, PRIVATE_KEY_JWT
client.secretValue of Client Secret defined in RSA Cloud Authentication Service config.This property is required when the client authentication is either CLIENT_SECRET_BASIC or CLIENT_ SECRET_POST.
authorization.endpointAuthorization Server Issuer URL obtained from RSA Cloud Authentication Service + /authMake sure /auth is appended to the Authorization Server Issuer URL
token.endpointAuthorization Server Issuer URL obtained from RSA Cloud Authentication Service + /tokenMake sure /token is appended to the Authorization Server Issuer URL.
IssuerAuthorization Server Issuer URL obtained from RSA Cloud Authentication Service. 
ScopesOpenidThe value provided is matched with the scopes added in RSA Cloud Authentication Service.
username.attribute.nameSubThis value is reflected in RSA Cloud Authentication Service claims.
role.attribute.nameadmin_roleThis value is reflected in RSA Cloud Authentication Service claims.
role.adminAdmin 
role.expressionAdminAdmin 
  1. Restart the PingFederate service after completing the previous steps.
The configuration is complete.
Return to PingFederate 12.0 - RSA Ready Implementation Guide

Related Articles

Trending Articles

Don't see what you're looking for?