Configuring single sign-on with PingFederate

PingFederate can be configured as the authentication provider for the system.

Note:
  • To configure single sign-on with PingFederate, you must upgrade the system to 8.7.0. or later release.
  • Ensure that the prerequisite tasks are completed on the system before you configure single sign-on. For more information, see the prerequisites in Configuring single sign-on.

Prerequisites

The following prerequisite steps on PingFederate must be completed before you can configure single sign-on on the system:
  1. Install PingFederate. For more information, see Installing PingFederate.
  2. Configure your DataStore where you will create your users and user groups. For example, Configure LDAP/ Active Directory/ Ping Directory.
  3. Once your PingFederate server is up and running, you can launch it using:
    https://<pingfederateserver>:9999/pingfederate/app#/

    Login using Administrator credentials to setup PingFederate server.

  4. Go to SYSTEM > OAuth Settings.
    1. Under Scope Management, add common scope “openid”.
    2. Under Authorization Server Settings, configure Token Endpoint Base URL to https://<pingfederateserver>:9031. Also, update “Password Credential Validator”, “Access Token Manager” once you configure it in Step 6 and Step 11.

      For “Required Scope” mention “openid”.

  5. Configure Data Store that is mentioned in Step 2. Go to SYSTEM > Data Stores. For more information, see Managing datastores.
  6. Configure Password Credential Validator, under SYSTEM > Password Credential Validators. For more information, see Password Credential Validators.
    Note: Select Type as “LDAP Username Password Credential Validator”
  7. Configure IdP Adapters. Go to AUTHENTICATION > IdP Adapters.
    • For type, select "HTML Form IdP Adapter".
  8. Create Policy Contract. Go to AUTHENTICATION > Policies > Policy Contracts.
  9. Create Policy. Go to AUTHENTICATION > Policies > Policies. Select checkbox for IDP AUTHENTICATION POLICIES. Create New Policy by clicking “Add Policy”. This policy determines what happens on login failure as well as login success. Here, under POLICY, select IdP Adapter created in Step 7. For FAIL, “Done” can be selected. And for SUCCESS, select Policy Contract created in Step 8.
  10. Go to AUTHENTICATION > Policy Contract Grant Mapping. Create Mapping of Policy Contract.
  11. Configure fields in Access Token Management. Go to Applications > OAuth > Token Management. Configure settings for type “JSON Web Tokens”.
  12. Add FlashSystem system details into PingFederate now. Go to Applications > OAuth > Clients.
    1. Make a note of value that you provide for CLIENT ID. This value will need to be provided in FlashSystem later for “client id”.
    2. For CLIENT AUTHENTICATION, select “CLIENT SECRET”.
    3. Make a note of value that will get auto generated in CLIENT SECRET. This value will need to be provided in FlashSystem later for “client secret”.
    4. For redirection URLs, enter https://<flashsystem-cluster>/sso.
    5. For ALLOWED GRANT TYPES, select ‘Authorization Code’ and ‘Implicit’.
    6. Select checkbox for “REQUIRE PROOF KEY FOR CODE EXCHANGE”.

    For rest of the fields, default values can be kept.

  13. Configure Access Token Mappings. Go to Applications > OAuth > Access Token Mappings. Add Mapping between policy contract and access token manager created in step before.
  14. Configure fields that will get returned in ID Token. Go to Applications > OAuth > OpenID Connect Policy Management. Create new policy.
    1. Under ACCESS TOKEN MANAGER, select the access token manager that is created in step before.
    2. In the Extended contract, add attributes “group”, “preferred_username”.
    3. In Attribute Scopes, map above attributes under openid scope.
    4. For Attribute Sources & User Lookup, add your DataStore details as Attribute source. Fill details like LDAP Directory Search & LDAP Filter, which will match to your schema.
    5. Under Contract Fulfilment, fill appropriate source for all the attributes.
      1. For sub, select source as Access Token and Value as sub.
      2. For preferred_username, select source as Access Token and Value as sub.
      3. For group, ensure that the PingFederate returns group information in such a way that group names will match the group names created on FlashSystem.
    Note: If you want to create group names only with CN, then in PingFederate, select source as “Expression” and in value give OGNL Expression in such a way that it will return group names in comma separated array to client (for example, FlashSystem GUI).

Using the management GUI

To configure single sign-on with PingFederate, complete these steps:
  1. Select Settings > Security > Single Sign-on.
  2. Enter the OpenID Configuration Endpoint URL of the authentication server as:
    https://<pingfederateserver>:9031/.well-known/openid-configuration
  3. For the OpenID Credentials, add the Client ID and Client Secret that you copied earlier in prerequisites in Step 12
  4. For the User claim, the value to enter depends on how your authentication provider is configured. The User claim must match the name that the authentication service uses to specify the username attribute in the ID Token it sends to the system. Typically this value is preferred_username, but can be customized on the authentication provider.
  5. For the Group claim, the value to enter depends on how your authentication provider is configured. The Group claim must match the name that the authentication service uses to specify the group attribute, either in the ID Token it sends to the system, or in the UserInfo endpoint. Typically this value is groups, but can be customized on the authentication provider.
  6. For Proxy server, consider how the system accesses the authentication provider. For an authentication provider within your network, a proxy server usually isn’t needed. If you connect to the authentication provider through the Internet, check the box and ensure a proxy server is defined on the system.
  7. Click Save. On the confirmation page, click Confirm to enable single sign-on for the system.
Single sign-on is enabled for the system. You can configure user groups to use single sign-on. Click Navigate to launch the User Groups page.

Using the command-line interface

To enable single sign-on, enter the following command:
chauthsinglesignon -oidcconfigurationendpoint https://<pingfederateserver>:9031/.well-known/openid-configuration -clientid xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -clientsecret xxxxxxxx -userclaim preferred_username -groupclaim group -enable

The values for the -clientid and the -clientsecret are the Client ID and Client Secret that you copied earlier in prerequisites in Step 12. The values for the -userclaim and the -groupclaim should match the name of the claims configured for the ID Token on the authentication provider.