This article describes how to integrate PingFederate with RSA Cloud Access Service (CAS) using Relying Party (OIDC).
Configure CAS
Perform these steps to configure CAS as a Relying Party to PingFederate using OIDC.
Procedure
- Sign in to RSA Cloud Administration Console.
- Click Authentication Clients > Relying Parties.
- On the My Relying Parties page, click Add a Relying Party.
- On the Relying Party Catalog page, click Add for Generic OIDC.
- On the Basic Information page, enter the name for the Service Provider in the Name field.
- Click Next Step.
- On the Authentication page, choose RSA manages all authentication.
- In the Primary Authentication Method list, select your desired login method as either Password or SecurID.
- In the Access Policy list, select a policy that was previously configured.
- Click Next Step.
- Under Connection Profile, provide the following details:
- Authorization Server Issuer URL will be auto-populated. This URL is used on the PingFederate side to form the Callback URL, Token Endpoint URL, and Authorize Endpoint URL.
- Specify the Redirect URL as follows: https://<pf_admin_hostname>:<pf_admin_port>/pingfederate/app?service=finishsso
- Provide a Client ID and note its value, as it will be used in the PingFederate configuration.
- Select Client Authentication Method, the PingFederate console supports only three methods: 'CLIENT_SECRET_BASIC', 'CLIENT_ SECRET_POST', 'PRIVATE_KEY_JWT'.
- Provide a Client Secret or generate one.
- Provide the scope as 'openid' (Scopes should be added in advance. See the Notes section.)
- Provide the claims as 'sub' and 'admin_role' (Claims should be added in advance. See the Notes section.)
- sub is the email of the user.
- admin_role is the user's role.
- Click Save and Finish.
- Click Publish Changes.
Notes
To add scopes:
- Navigate to Access > OIDC Settings > Scopes.
- Add the openid as a scope and click Save Settings.
- Add sub and admin_role as claims and click Save Settings.
Configure PingFederate
Perform these steps to configure PingFederate.
Procedure
You need to enable OIDC-based authentication for the administrative console by setting a property in the 'run.properties' file ('<pf_install>/pingfederate/bin/run.properties') and configuring other properties in the 'oidc.properties' file ('<pf_install/pingfederate/bin/oidc.properties').
- Edit the 'run.properties' file and set the 'pf.console.authentication' property to 'OIDC'.
- Edit the 'oidc.properties' file and modify the applicable properties accordingly.
|
Property |
Value |
Note |
|
Value of Client ID defined in RSA CAS config. |
| |
|
client.authn.method |
The Client Authentication Method previously selected in CAS config. |
PingFederate console only supports three methods: CLIENT_SECRET_BASIC, CLIENT_ SECRET_POST, PRIVATE_KEY_JWT |
|
client.secret |
Value of Client Secret defined in CAS config. |
This property is required when the client authentication is either CLIENT_SECRET_BASIC or CLIENT_ SECRET_POST. |
|
authorization.endpoint |
Authorization Server Issuer URL obtained from CAS + /auth |
Make sure /auth is appended to the Authorization Server Issuer URL. |
|
token.endpoint |
Authorization Server Issuer URL obtained from CAS + /token |
Make sure /token is appended to the Authorization Server Issuer URL. |
|
Issuer |
Authorization Server Issuer URL obtained from CAS. |
|
|
Scopes |
Openid |
The value provided is matched with the scopes added in CAS. |
|
Sub |
This value is reflected in CAS claims. | |
|
admin_role |
This value is reflected in CAS claims. | |
|
role.admin |
Admin |
|
|
role.expressionAdmin |
Admin |
|
- Restart the PingFederate service.
The configuration is complete.
