Configuring single sign-on with PingOne

PingOne can be configured as the authentication provider for the system.

Note: Ensure that the prerequisite tasks are completed on the system before you configure single sign-on. For more information, see the prerequisites in Configuring single sign-on.

Prerequisites

The following prerequisite steps on PingOne must be completed before you can configure single sign-on on the system:
  1. Create a subscription for PingOne. A free trial subscription is also available. For more information, see Ping Single Sign-On. During subscription creation, you specify a tenant that is used to create a URL to access the PingOne dashboard.
  2. Access the PingOne administrator dashboard by entering the following URL in a web browser (this is usually received in your welcome email). The sign-on URL is specific to your admin console and includes your environment ID. For example, the URL might look like this:
    http://console.pingone.asia/index.html?env=cde34209-9366-45aa-9e5f-a19d3ba3eada
  3. In the PingOne administrator console, from the menu select Connections > Applications.
  4. Select Application + to add a new application.
    Note: Each system must be added as a separate application.
    The following table shows the required fields and actions for the Register an application page in the PingOne interface.
    Table 1. Register an application page
    Field             Action
    Application Name  Enter a name to identify the system on PingOne. If you are adding multiple systems, enter a unique name.
    Application Type  Select OIDC Web App.
  5. Click Save. After the system is saved as a new app registration, the application reloads with the Overview page selected.
  6. To find the OpenID Configuration Endpoints URL for the tenant, on the Configuration page expand URLs and copy the OIDC Discovery Endpoint URL. This value must be specified as the OpenID Configuration Endpoint URL on the Single sign-on page in the management GUI.
  7. On the Configuration page, expand General and copy the Client ID. This value must be specified as the Client ID on the Single sign-on page in the management GUI.
  8. On the Configuration page, expand General and copy the Client Secret. This value must be specified as the Client Secret on the Single sign-on page in the management GUI.
    Note: The system does not support client secret values that begin with a hyphen character. Use the reveal button to inspect the Client Secret automatically generated by PingOne. If the Client Secret begins with a hyphen character, click the Generate New Secret button.
  9. On the Configuration page, click the Edit button. For Response Type, ensure that Code is selected. For Grant Type, ensure that Authorization Code is selected. For Redirect URLs, multiple redirect URIs can be specified for the management GUI. For management GUI access, the redirect URI consists of the management IP address or hostname followed by /sso. For example, https://hostname.com/sso. For Token EndPoint Authentication Method, select Client Secret Post. Click the Save button.
  10. On the Resources page, click Edit on the Allowed Scopes and ensure that openid and profile are selected. Click the Save button.
  11. Close the Application window to return to the Applications page. Click the toggle to enable user access to this application.
  12. In the PingOne administrator console, from the menu select Connections > Resources and then select OpenID Connect.
  13. Ensure the authentication provider is configured to send back the group claim to the system. The group claim identifies which groups the authenticating user belongs to. Some authentication providers do not send the group claim by default, so this typically requires some configuration on the authentication provider. On the Attributes tab, click the Edit button. Click + Add to add a new attribute for the group claim. Ensure that the Attributes field contains group and the PingOne Mappings field contains a value of Group Names. Configure the ID Token and UserInfo values according to your organization’s requirements; this determines how the group attribute is sent back to the application. Click the Save button.
  14. If you require the group claim to be sent back to the application in the ID Token, open the Scopes page and Edit the profile scope. Click inside the Mapped Attributes area and type group to add the group attribute. Click the Save button.
  15. On the Attributes page, ensure that the existing preferred_username attribute has a PingOne Mappings value of Username and that ID Token is selected.
  16. In the PingOne administrator console, from the menu select Connections > Applications.
  17. Select your application. On the Attribute Mappings page, click Edit on Custom Attributes. Click + Add to add a new attribute. For the Attributes field, enter groups. For the PingOne Mappings field, select Group Names. Click Save.
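Steps 13 to 17 only take effect if PingOne actually emits the user claim and the group claim under the names the system is later told to look for, and the group claim may arrive either in the ID Token or from the UserInfo endpoint. The following Python is an added example, not code from this page, from PingOne or from the system: it decodes a constructed, unsigned sample ID token payload (the token, the user name alice and the group name storage-admins are all made up here) and reports where each claim was delivered, so that a missing claim is noticed before single sign-on is enabled. It inspects claim names only; the system itself validates the token signature against the provider.

```python
import base64
import json


def _b64url_encode(raw: bytes) -> str:
    # JWT segments use base64url without trailing padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT segments drop before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for exercising the checks below.

    The header and the placeholder signature segment are not meaningful; a real
    ID Token from PingOne is signed and must be verified by the relying party.
    """
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "constructed-sample"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def jwt_payload(id_token: str) -> dict:
    """Return the claims carried in a compact JWT. No signature check is done here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def locate_claims(id_token: str, userinfo: dict,
                  user_claim: str = "preferred_username",
                  group_claim: str = "groups") -> dict:
    """Report where the user claim and the group claim were delivered.

    The user claim must be present in the ID Token. The group claim is accepted
    from the ID Token first, then from the UserInfo response; None means the
    provider is not sending it under that name at all.
    """
    claims = jwt_payload(id_token)
    report = {"user": None, "group": None}
    if user_claim in claims:
        report["user"] = ("id_token", claims[user_claim])
    if group_claim in claims:
        report["group"] = ("id_token", claims[group_claim])
    elif group_claim in userinfo:
        report["group"] = ("userinfo", userinfo[group_claim])
    return report


# Constructed sample: what a correctly configured provider would emit after steps 13 to 17.
SAMPLE_ID_TOKEN = make_sample_token({
    "sub": "constructed-subject",
    "preferred_username": "alice",
    "groups": ["storage-admins"],
})


if __name__ == "__main__":
    # Group claim present in the ID Token.
    print(locate_claims(SAMPLE_ID_TOKEN, {}))
    # Group claim only available from UserInfo (step 14 skipped, step 13 done).
    token_without_groups = make_sample_token({"preferred_username": "bob"})
    print(locate_claims(token_without_groups, {"groups": ["storage-readers"]}))
    # Group claim missing everywhere: the system cannot map this user to a user group.
    print(locate_claims(token_without_groups, {}))
```

If the report shows the group claim as None, revisit steps 13, 14 and 17; if it shows the user claim as None, the attribute mapping from step 15 or the User claim value entered on the Single sign-on page does not match what the provider sends.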

Using the management GUI

To configure single sign-on with PingOne, complete these steps:
  1. Select Settings > Security > Single Sign-on.
  2. Enter the OpenID Configuration Endpoint URL of the authentication server that you obtained from the application details earlier. For PingOne, the format is:
    https://auth.pingone.region/environment-id/as/.well-known/openid-configuration
    Where region is the region that the PingOne tenant is hosted in, and environment-id is the Environment ID specific to this application. This can be found by selecting from the menu Connections > Applications > Click your application > Configuration > OIDC Discovery Endpoint.
  3. For the OpenID Credentials, add the Client ID and Client Secret that you copied from the Configuration page in the PingOne interface.
  4. For the User claim, the value to enter depends on how your authentication provider is configured. The User claim must match the name that the authentication service uses to specify the username attribute in the ID Token it sends to the system. Typically this value is preferred_username, but can be customized on the authentication provider.
  5. For the Group claim, the value to enter depends on how your authentication provider is configured. The Group claim must match the name that the authentication service uses to specify the group attribute, either in the ID Token it sends to the system, or in the UserInfo endpoint. Typically this value is groups, but can be customized on the authentication provider.
  6. For Proxy server, consider how the system accesses the authentication provider. For an authentication provider within your network, a proxy server usually isn’t needed. If you connect to the authentication provider through the Internet, check the box and ensure a proxy server is defined on the system.
  7. Click Save. On the confirmation page, click Confirm to enable single sign-on for the system.
Single sign-on is enabled for the system. You can configure user groups to use single sign-on. Click Navigate to launch the User Groups page.

Using the command-line interface

To enable single sign-on, enter the following command:
chauthsinglesignon -oidcconfigurationendpoint https://auth.pingone.region/environment-id/as/.well-known/openid-configuration -clientid xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -clientsecret xxxxxxxx -userclaim preferred_username -groupclaim groups -enable

In the example, region is the tenant region that is associated with your subscription, and environment-id is the Environment ID specific to this application. The values for the -clientid and the -clientsecret are the Client ID and Client Secret that are automatically generated when you created your system as an application in PingOne, and can be obtained from the Configuration page of your application in the PingOne interface. The values for the -userclaim and the -groupclaim should match the name of the claims configured for the ID Token on the authentication provider.
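The values collected from PingOne are easy to get wrong in ways the command above will not reject up front: a discovery URL with the wrong shape, a Client Secret that begins with a hyphen (unsupported, as noted in the prerequisites), or a claim name that does not match what the provider sends. The following Python is an added example, not code from this page, from PingOne or from the system's CLI. It validates a set of settings against the rules this page states and assembles the chauthsinglesignon command from them. The environment ID is the one from the example URL earlier on this page; the Client ID, Client Secret and management hostname are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Shape of the OpenID Configuration Endpoint URL this page gives for PingOne:
# https://auth.pingone.<region>/<environment-id>/as/.well-known/openid-configuration
UUID_PATTERN = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
DISCOVERY_RE = re.compile(
    r"^https://auth\.pingone\.(?P<region>[a-z][a-z.]*)/"
    r"(?P<env>" + UUID_PATTERN + r")"
    r"/as/\.well-known/openid-configuration$"
)
UUID_RE = re.compile("^" + UUID_PATTERN + "$")
CLAIM_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


@dataclass
class SsoSettings:
    discovery_url: str
    client_id: str
    client_secret: str
    user_claim: str = "preferred_username"
    group_claim: str = "groups"


def parse_discovery_url(url: str) -> tuple:
    """Return (region, environment_id) from a PingOne discovery URL, or raise ValueError."""
    match = DISCOVERY_RE.match(url)
    if not match:
        raise ValueError("OpenID Configuration Endpoint URL does not match the PingOne pattern")
    return match.group("region"), match.group("env")


def redirect_uri(management_host: str) -> str:
    """Redirect URI that must be registered in PingOne: the management address followed by /sso."""
    return f"https://{management_host}/sso"


def validate(settings: SsoSettings) -> list:
    """Return a list of problems; an empty list means the settings satisfy the page's rules."""
    problems = []
    try:
        parse_discovery_url(settings.discovery_url)
    except ValueError as err:
        problems.append(str(err))
    if not UUID_RE.match(settings.client_id):
        problems.append("Client ID is not in the UUID form that PingOne generates")
    if not settings.client_secret:
        problems.append("Client Secret is empty")
    elif settings.client_secret.startswith("-"):
        problems.append("Client Secret begins with a hyphen; generate a new secret in PingOne")
    elif any(ch.isspace() for ch in settings.client_secret):
        problems.append("Client Secret contains whitespace and cannot be passed as one argument")
    for label, name in (("User claim", settings.user_claim), ("Group claim", settings.group_claim)):
        if not CLAIM_NAME_RE.match(name):
            problems.append(f"{label} {name!r} is not a plain claim name")
    return problems


def build_command(settings: SsoSettings) -> str:
    """Assemble the chauthsinglesignon command after the settings pass validation."""
    problems = validate(settings)
    if problems:
        raise ValueError("; ".join(problems))
    return " ".join([
        "chauthsinglesignon",
        "-oidcconfigurationendpoint", settings.discovery_url,
        "-clientid", settings.client_id,
        "-clientsecret", settings.client_secret,
        "-userclaim", settings.user_claim,
        "-groupclaim", settings.group_claim,
        "-enable",
    ])


# Constructed settings: environment ID from this page's example URL, the rest are placeholders.
EXAMPLE = SsoSettings(
    discovery_url="https://auth.pingone.asia/cde34209-9366-45aa-9e5f-a19d3ba3eada"
                  "/as/.well-known/openid-configuration",
    client_id="12345678-1234-1234-1234-123456789abc",
    client_secret="placeholder-secret-value",
)

if __name__ == "__main__":
    print(parse_discovery_url(EXAMPLE.discovery_url))
    print(redirect_uri("hostname.com"))
    print(build_command(EXAMPLE))
    rejected = SsoSettings(EXAMPLE.discovery_url, EXAMPLE.client_id, "-startswithhyphen")
    print(validate(rejected))
```

Run the validation before pasting the command into the CLI; a rejected Client Secret means going back to the PingOne Configuration page and clicking Generate New Secret, as the prerequisites describe.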