PingFederate 12.0 - Relying Party Configuration Using OIDC - RSA Ready Implementation Guide
Configure RSA Cloud Authentication Service
Perform these steps to configure RSA Cloud Authentication Service as a Relying Party to PingFederate 12.0 using OIDC.
Procedure
- Sign in to RSA Cloud Administration Console.
- Click Authentication Clients > Relying Parties.
- On the My Relying Parties page, click Add a Relying Party.
- On the Relying Party Catalog page, click Add for Generic OIDC.
- On the Basic Information page, enter the name for the Service Provider in the Name field.
- Click Next Step.
- On the Authentication page, choose SecurID Access manages all authentication.
- In the Primary Authentication Method list, select your desired login method as either Password or SecurID.
- In the Access Policy list, select a policy that was previously configured.
- Click Next Step.
- Under Connection Profile, provide the following details:
  - The Authorization Server Issuer URL is populated automatically. This URL is used on the PingFederate side to form the Callback URL, Token Endpoint URL and Authorize Endpoint URL.
  - Specify the Redirect URL as follows: https://<pf_admin_hostname>:<pf_admin_port>/pingfederate/app?service=finishsso
  - Provide a Client ID and take note of its value, as it will be used in the PingFederate configuration.
  - Select the Client Authentication Method. The PingFederate console only supports three methods: 'CLIENT_SECRET_BASIC', 'CLIENT_SECRET_POST', 'PRIVATE_KEY_JWT'.
  - Provide a Client Secret or generate one.
  - Provide the scope as 'openid' (Scopes should be added beforehand. See Notes section.)
  - Provide the claims as 'sub' and 'admin_role' (Claims should be added beforehand. See Notes section.)
    - sub is the email of the user.
    - admin_role is the role for the user.
- Click Save and Finish.
- Click Publish Changes.
Notes
- To add scopes, go to Access > OIDC Settings.
- Click the Scopes tab and add the following scopes.
- To add claims, click the Claims tab and add the following claims.
Configure PingFederate 12.0
Perform these steps to configure PingFederate 12.0.
Procedure
You need to enable OIDC-based authentication for the administrative console by setting a property in the 'run.properties' file ('<pf_install>/pingfederate/bin/run.properties') and configuring other properties in the 'oidc.properties' file ('<pf_install>/pingfederate/bin/oidc.properties').
- Edit the 'run.properties' file and set the 'pf.console.authentication' property to 'OIDC'.
- Edit the 'oidc.properties' file and modify the applicable properties accordingly.
| Property | Value | Note |
| --- | --- | --- |
| client.id | Value of Client ID defined in RSA Cloud Authentication Service config. | |
| client.authn.method | The Client Authentication Method previously selected in RSA Cloud Authentication Service config. | PingFederate console only supports three methods: CLIENT_SECRET_BASIC, CLIENT_SECRET_POST, PRIVATE_KEY_JWT. |
| client.secret | Value of Client Secret defined in RSA Cloud Authentication Service config. | This property is required when the client authentication is either CLIENT_SECRET_BASIC or CLIENT_SECRET_POST. |
| authorization.endpoint | Authorization Server Issuer URL obtained from RSA Cloud Authentication Service + /auth | Make sure /auth is appended to the Authorization Server Issuer URL. |
| token.endpoint | Authorization Server Issuer URL obtained from RSA Cloud Authentication Service + /token | Make sure /token is appended to the Authorization Server Issuer URL. |
| issuer | Authorization Server Issuer URL obtained from RSA Cloud Authentication Service. | |
| scopes | openid | The value provided is matched with the scopes added in RSA Cloud Authentication Service. |
| username.attribute.name | sub | This value is reflected in RSA Cloud Authentication Service claims. |
| role.attribute.name | admin_role | This value is reflected in RSA Cloud Authentication Service claims. |
| role.admin | Admin | |
| role.expressionAdmin | Admin | |
- Restart the PingFederate service after completing the previous steps.
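Before the restart, the edited 'oidc.properties' can be checked against the table above. The following is an added example, not part of the RSA or Ping Identity guide: the function names, the sample host and the sample values are constructed, the https check is an extra precaution, and treating 'scopes' as a space- or comma-separated list is an assumption.

```python
import re

SUPPORTED = {"CLIENT_SECRET_BASIC", "CLIENT_SECRET_POST", "PRIVATE_KEY_JWT"}

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and '#'/'!' comments."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_oidc(props):
    """Return a list of findings; an empty list means the file matches the table."""
    findings = []
    issuer = props.get("issuer", "").rstrip("/")
    method = props.get("client.authn.method", "")
    if method not in SUPPORTED:
        findings.append(f"client.authn.method {method!r} is not supported")
    if method.startswith("CLIENT_SECRET") and not props.get("client.secret"):
        findings.append("client.secret is required for " + method)
    if not issuer.startswith("https://"):
        findings.append("issuer is not an https URL")
    for key, suffix in (("authorization.endpoint", "/auth"), ("token.endpoint", "/token")):
        if props.get(key, "") != issuer + suffix:
            findings.append(f"{key} should be issuer + {suffix}")
    # Scope values are case-sensitive, so 'Openid' does not match 'openid'.
    if "openid" not in re.split(r"[\s,]+", props.get("scopes", "")):
        findings.append("scopes does not include openid")
    for key, want in (("username.attribute.name", "sub"), ("role.attribute.name", "admin_role")):
        if props.get(key) != want:
            findings.append(f"{key} should be {want!r}")
    return findings

# Constructed sample: empty secret, token endpoint without /token, capitalised scope.
SAMPLE = """\
client.id=pf-admin-console
client.authn.method=CLIENT_SECRET_POST
client.secret=
issuer=https://rsa-cas.example.com/oidc-fe
authorization.endpoint=https://rsa-cas.example.com/oidc-fe/auth
token.endpoint=https://rsa-cas.example.com/oidc-fe
scopes=Openid
username.attribute.name=sub
role.attribute.name=admin_role
"""

if __name__ == "__main__":
    print("\n".join(check_oidc(parse_properties(SAMPLE))))
```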