This article describes how to integrate PingFederate with RSA Cloud Access Service (CAS) using My Page SSO (OIDC).
Configure CAS
Perform these steps to configure CAS using My Page SSO (OIDC).
Procedure
- Sign in to RSA Cloud Administration Console.
- Navigate to Applications > Application Catalog and click Create From Template.
- Click Select against OIDC.
- On the Basic Information page, enter a name for the application in the Name field, and then click Next Step.
- Choose your desired Access Policy for this application and click Next Step.
- Under Connection Profile, provide the following details:
  - Specify the Connection URL as follows: https://<pingfederate_host>:<pingfederate_port>/pingfederate/app
    - pingfederate_host: The hostname that the user will use to access the PingFederate console.
    - pingfederate_port: The port on which the PingFederate console runs. The default value is 9999.
  - Authorization Server Issuer URL is auto-populated. This URL is used on the PingFederate side to form the Callback URL, Token Endpoint URL, and Authorize Endpoint URL.
  - Specify the Redirect URL as follows: https://<pf_admin_hostname>:<pf_admin_port>/pingfederate/app?service=finishsso
  - Provide a Client ID and make a note of its value; it is used in the PingFederate configuration.
  - Select the Client Authentication Method. The PingFederate console supports only three methods: 'CLIENT_SECRET_BASIC', 'CLIENT_SECRET_POST', and 'PRIVATE_KEY_JWT'.
  - Provide a Client Secret or generate one.
  - Provide the scope as 'openid'. (Scopes must be added in advance; see the Notes section.)
  - Provide the claims as 'sub' and 'admin_role'. (Claims must be added in advance; see the Notes section.)
    - sub is the email of the user.
    - admin_role is the role for the user.
- Click Next Step.
- On the Portal Display page, configure the portal display and other settings.
- Click Save and Finish.
- Click Publish Changes.
Notes
To add scopes and claims:
- Navigate to Access > OIDC Settings > Scopes.
- Add openid as a scope and click Save Settings.
- Add sub and admin_role as claims and click Save Settings.
Configure PingFederate
Perform these steps to configure PingFederate.
Procedure
You need to enable OIDC-based authentication for the administrative console by setting a property in the 'run.properties' file ('<pf_install>/pingfederate/bin/run.properties') and configuring other properties in the 'oidc.properties' file ('<pf_install>/pingfederate/bin/oidc.properties').
- Edit the 'run.properties' file and set the 'pf.console.authentication' property to 'OIDC'.
- Edit the 'oidc.properties' file and modify the applicable properties accordingly.
| Property | Value | Note |
| --- | --- | --- |
| | Value of Client ID defined in RSA CAS config. | |
| client.authn.method | The Client Authentication Method previously selected in CAS config. | The PingFederate console supports only three methods: CLIENT_SECRET_BASIC, CLIENT_SECRET_POST, PRIVATE_KEY_JWT. |
| client.secret | Value of Client Secret defined in CAS config. | Required when the client authentication method is either CLIENT_SECRET_BASIC or CLIENT_SECRET_POST. |
| authorization.endpoint | Authorization Server Issuer URL obtained from CAS + /auth | Make sure /auth is appended to the Authorization Server Issuer URL. |
| token.endpoint | Authorization Server Issuer URL obtained from CAS + /token | Make sure /token is appended to the Authorization Server Issuer URL. |
| issuer | Authorization Server Issuer URL obtained from CAS. | |
| scopes | openid | The value must match the scope added in CAS. |
| | sub | This value is reflected in the CAS claims. |
| | admin_role | This value is reflected in the CAS claims. |
| role.admin | Admin | |
| role.expressionAdmin | Admin | |
- Restart the PingFederate service.
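Before restarting, the rules the table encodes can be checked mechanically. The following Python script is an added example, not part of this guide or of PingFederate: it reads run.properties and oidc.properties with a minimal .properties parser and reports any setting that disagrees with the guide (pf.console.authentication not set to OIDC, an unsupported client authentication method, a missing client.secret for the secret-based methods, endpoints that are not issuer + /auth and issuer + /token, a scopes value without openid, or an unset role.admin / role.expressionAdmin). The property contents embedded in it are constructed placeholders, check_files is the entry point for real files, and property keys the guide does not name (the client ID and the username/role attribute keys) are not checked.

```python
"""Pre-restart sanity check for a PingFederate oidc.properties file configured for RSA CAS.

Added example: not part of the RSA guide or of PingFederate. It encodes only the rules the
guide states; property keys the guide does not name are not checked. The sample property
contents below are constructed placeholders, not values from a real deployment.
"""

import re
from typing import Dict, List

SUPPORTED_AUTHN_METHODS = {"CLIENT_SECRET_BASIC", "CLIENT_SECRET_POST", "PRIVATE_KEY_JWT"}
SECRET_REQUIRING_METHODS = {"CLIENT_SECRET_BASIC", "CLIENT_SECRET_POST"}
# The guide derives both endpoints from the Authorization Server Issuer URL.
ENDPOINT_SUFFIXES = {"authorization.endpoint": "/auth", "token.endpoint": "/token"}

# Constructed sample files (placeholder host and values, not real CAS data).
SAMPLE_RUN_PROPERTIES = "pf.console.authentication=OIDC\n"
SAMPLE_OIDC_PROPERTIES = """\
# constructed sample: client.secret intentionally left empty
client.authn.method=CLIENT_SECRET_BASIC
client.secret=
authorization.endpoint=https://cas.example.test/oauth/auth
token.endpoint=https://cas.example.test/oauth/token
issuer=https://cas.example.test/oauth
scopes=openid
role.admin=Admin
role.expressionAdmin=Admin
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: 'key=value' or 'key:value', '#' or '!' comments.

    Continuation lines and escape sequences are not handled; the files in this guide do not use them.
    """
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def check_oidc_properties(oidc: Dict[str, str], run: Dict[str, str]) -> List[str]:
    """Return findings as readable strings; an empty list means the files agree with the guide."""
    findings: List[str] = []

    if run.get("pf.console.authentication") != "OIDC":
        findings.append("run.properties: pf.console.authentication must be set to OIDC")

    method = oidc.get("client.authn.method", "").upper()
    if method not in SUPPORTED_AUTHN_METHODS:
        findings.append(f"client.authn.method '{method}' is not one of {sorted(SUPPORTED_AUTHN_METHODS)}")
    if method in SECRET_REQUIRING_METHODS and not oidc.get("client.secret"):
        findings.append(f"client.secret is required for {method}")

    issuer = oidc.get("issuer", "").rstrip("/")
    if not issuer.startswith("https://"):
        findings.append("issuer must be the https Authorization Server Issuer URL from CAS")
    for key, suffix in ENDPOINT_SUFFIXES.items():
        value = oidc.get(key, "")
        if issuer and value != issuer + suffix:
            findings.append(f"{key} should be issuer + {suffix}, got '{value}'")

    scopes = {s for s in re.split(r"[,\s]+", oidc.get("scopes", "")) if s}
    if "openid" not in scopes:
        findings.append("scopes must include openid")

    for key in ("role.admin", "role.expressionAdmin"):
        if not oidc.get(key):
            findings.append(f"{key} is not set; the CAS admin_role claim cannot be mapped")
    return findings


def check_files(oidc_path: str, run_path: str) -> List[str]:
    """Run the check against real files, e.g. <pf_install>/pingfederate/bin/oidc.properties and run.properties."""
    with open(oidc_path, encoding="utf-8") as f_oidc, open(run_path, encoding="utf-8") as f_run:
        return check_oidc_properties(parse_properties(f_oidc.read()), parse_properties(f_run.read()))


if __name__ == "__main__":
    # Against the constructed sample this reports exactly one finding: the empty client.secret.
    for finding in check_oidc_properties(parse_properties(SAMPLE_OIDC_PROPERTIES),
                                         parse_properties(SAMPLE_RUN_PROPERTIES)):
        print("FINDING:", finding)
```

The method comparison is case-insensitive so that the check does not fail on a lowercase spelling of a supported method; everything else is compared literally, because the issuer, endpoint and scope values are matched literally by the console.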
The configuration is complete.