To set up an OpenID Connect (OIDC)-based application in PingIdentity for Single Sign-On (SSO), perform the steps in this procedure.
Prerequisites
Ensure you have a PingOne account to sign in with.
Note: Currently, SASE Orchestrator supports PingOne as the Identity Provider (IdP); however, any PingIdentity product that supports OIDC can be configured in the same way.
On the My Applications tab, select OIDC and then click Add Application.
The Add OIDC Application pop-up window appears.
Provide basic details such as name, short description, and category for the application and click Next.
Under AUTHORIZATION SETTINGS, select Authorization Code as the allowed grant type and click Next.
Also, note down the Discovery URL and the Client Credentials (Client ID and Client Secret); you will need them when configuring SSO in SASE Orchestrator. Treat the Client Secret as a credential: store it securely and do not share it beyond the Orchestrator configuration.
Under SSO FLOW AND AUTHENTICATION SETTINGS, provide valid values for Start SSO URL and Redirect URL and click Next.
In the SASE Orchestrator application, at the bottom of the Configure Authentication screen, you can find the redirect URL link. Typically, the SASE Orchestrator redirect URL has this format: https://<Orchestrator URL>/login/ssologin/openidCallback. The Start SSO URL has this format: https://<Orchestrator URL>/<domain name>/login/doEnterpriseSsoLogin. The Redirect URL you enter in PingOne must match the Orchestrator value exactly, including scheme and path; otherwise the IdP rejects the callback.
Under DEFAULT USER PROFILE ATTRIBUTE CONTRACT, click Add Attribute to add additional user profile attributes.
In the Attribute Name text box, enter group_membership, select the Required checkbox, and click Next.
Note: The group_membership attribute is required to retrieve roles from PingOne.
Under CONNECT SCOPES, select the scopes that can be requested for your SASE Orchestrator application during authentication and click Next.
Under Attribute Mapping, map your identity repository attributes to the claims available to your SASE Orchestrator application.
Note: The minimum required mappings for the integration to work are email, given_name, family_name, phone_number, sub, and group_membership (mapped to memberOf).
Under Group Access, select all user groups that should have access to your SASE Orchestrator application and click Done.
The application is added to your account and is available in the My Applications screen.
Results
You have completed setting up an OIDC-based application in PingOne for SSO.
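As an added worked example (not SASE Orchestrator or PingOne code), the following Python script shows what the relying-party side of this integration has to do with the values collected above: build the Authorization Code request against the authorization endpoint published at the Discovery URL, check state on the redirect back to .../login/ssologin/openidCallback, validate the decoded ID token against the minimum claims contract from the Attribute Mapping step (email, given_name, family_name, phone_number, sub, group_membership), and derive roles from group_membership. The discovery document, host names, client ID, callback and token payload are constructed placeholders, and JWT signature verification against the IdP's JWKS is assumed to happen before these claim checks and is omitted.

```python
"""Added example: minimal OIDC Authorization Code flow checks for the
claims contract this page describes. Not SASE Orchestrator or PingOne code;
every URL, ID and token payload below is a constructed placeholder."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed stand-in for the PingOne discovery document (only the fields
# this example uses). Real values come from the Discovery URL noted earlier.
DISCOVERY_DOC = {
    "issuer": "https://auth.pingone.example/as",
    "authorization_endpoint": "https://auth.pingone.example/as/authorize",
    "token_endpoint": "https://auth.pingone.example/as/token",
}

# Minimum attribute mapping listed on the page.
REQUIRED_CLAIMS = ("email", "given_name", "family_name", "phone_number",
                   "sub", "group_membership")


def redirect_uri(orchestrator_host):
    # Redirect URL format stated on the page; must match PingOne exactly.
    return f"https://{orchestrator_host}/login/ssologin/openidCallback"


def build_authorize_url(discovery, client_id, redirect, scopes, state, nonce):
    """Authorization Code request. state protects the callback against CSRF;
    nonce binds the returned ID token to this login attempt."""
    params = {
        "response_type": "code",   # Authorization Code grant only
        "client_id": client_id,
        "redirect_uri": redirect,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    return discovery["authorization_endpoint"] + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Parse the redirect to openidCallback; refuse a state mismatch."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    if "code" not in q:
        raise ValueError(q.get("error", ["no code in callback"])[0])
    return q["code"][0]


def validate_id_token_claims(claims, discovery, client_id, nonce, now):
    """Check a decoded (already signature-verified) ID token payload against
    the contract this page requires. Returns a list of problems; empty = OK."""
    problems = []
    if claims.get("iss") != discovery["issuer"]:
        problems.append("iss")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        problems.append("aud")
    if claims.get("nonce") != nonce:
        problems.append("nonce")
    if claims.get("exp", 0) <= now:
        problems.append("exp")
    for c in REQUIRED_CLAIMS:
        if c not in claims:
            problems.append(f"missing {c}")
    return problems


def roles_from_groups(claims, group_to_role):
    """group_membership (mapped from memberOf in PingOne) -> application roles.
    Groups without a mapping are ignored rather than granted anything."""
    groups = claims.get("group_membership", [])
    if isinstance(groups, str):
        groups = [groups]
    return sorted({group_to_role[g] for g in groups if g in group_to_role})


def demo():
    """Walk one login end to end on constructed data."""
    client_id = "example-client-id"          # constructed
    host = "orchestrator.example.com"        # constructed
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    build_authorize_url(DISCOVERY_DOC, client_id, redirect_uri(host),
                        ["openid", "profile", "email", "phone"], state, nonce)
    # Constructed callback, as the IdP would redirect the browser.
    cb = redirect_uri(host) + "?" + urlencode({"code": "abc123", "state": state})
    code = parse_callback(cb, state)
    now = 1_700_000_000
    claims = {  # constructed decoded ID-token payload from the token endpoint
        "iss": DISCOVERY_DOC["issuer"], "aud": client_id, "nonce": nonce,
        "exp": now + 300, "sub": "user-42", "email": "jane@example.com",
        "given_name": "Jane", "family_name": "Doe", "phone_number": "+15550100",
        "group_membership": ["cn=NetAdmins,ou=groups,dc=example,dc=com"],
    }
    problems = validate_id_token_claims(claims, DISCOVERY_DOC, client_id, nonce, now)
    roles = roles_from_groups(
        claims, {"cn=NetAdmins,ou=groups,dc=example,dc=com": "Administrator"})
    return code, problems, roles


if __name__ == "__main__":
    print(demo())
```

The point of the contract check is that a login whose token lacks group_membership is refused rather than admitted with no role, and the group-to-role table is an explicit allow list: unmapped groups grant nothing.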