To set up an OpenID Connect (OIDC)-based application in PingIdentity for Single Sign On (SSO), perform the steps in this procedure.

Prerequisites

Ensure you have a PingOne account to sign in.
Note: Currently, SASE Orchestrator supports PingOne as the Identity Provider (IdP); however, any PingIdentity product that supports OIDC can be configured in the same way.

Procedure

  1. Log in to your PingOne account as an Admin user.
    The PingOne home screen appears.
  2. To create a new application:
    1. In the upper navigation bar, click Applications.
    2. On the My Applications tab, select OIDC and then click Add Application.
      The Add OIDC Application pop-up window appears.
    3. Provide basic details such as name, short description, and category for the application and click Next.
    4. Under AUTHORIZATION SETTINGS, select Authorization Code as the allowed grant type and click Next.
      Also, note down the Discovery URL and Client Credentials (Client ID and Client Secret) to be used during the SSO configuration in SASE Orchestrator.
    5. Under SSO FLOW AND AUTHENTICATION SETTINGS, provide valid values for Start SSO URL and Redirect URL and click Next.
      In the SASE Orchestrator application, at the bottom of the Configure Authentication screen, you can find the redirect URL link. Ideally, the SASE Orchestrator redirect URL will be in this format: https://<Orchestrator URL>/login/ssologin/openidCallback. The Start SSO URL will be in this format: https://<Orchestrator URL>/<domain name>/login/doEnterpriseSsoLogin.
    6. Under DEFAULT USER PROFILE ATTRIBUTE CONTRACT, click Add Attribute to add additional user profile attributes.
    7. In the Attribute Name text box, enter group_membership, select the Required checkbox, and then click Next.
      Note: The group_membership attribute is required to retrieve roles from PingOne.
    8. Under CONNECT SCOPES, select the scopes that can be requested for your SASE Orchestrator application during authentication and click Next.
    9. Under Attribute Mapping, map your identity repository attributes to the claims available to your SASE Orchestrator application.
      Note: The minimum required mappings for the integration to work are email, given_name, family_name, phone_number, sub, and group_membership (mapped to memberOf).
    10. Under Group Access, select all user groups that should have access to your SASE Orchestrator application and click Done.
      The application is added to your account and appears on the My Applications tab.
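The following is an added example, not code from VMware or Ping Identity, that shows what the relying party side of this configuration looks like in practice: it builds the Redirect URL and Start SSO URL in the formats given in step 5, derives an Authorization Code request from the Discovery URL document noted in step 4, and checks a decoded ID token for the minimum claims listed in step 9. The discovery document, client ID, issuer, and token payload are all constructed placeholders (PingOne's real endpoints and your environment's values differ); signature verification against the provider's JWKS is assumed to happen before the claims check.

```python
"""Relying-party helpers for a PingOne OIDC (Authorization Code) integration.
Added example; discovery document and token payload are constructed so the
script runs offline."""
import json
import secrets
import time
from urllib.parse import urlencode

# Minimum attribute mappings the procedure requires (group_membership maps to memberOf).
REQUIRED_CLAIMS = ("email", "given_name", "family_name", "phone_number", "sub", "group_membership")


def orchestrator_urls(orchestrator_host, domain):
    """Return the Redirect URL and Start SSO URL in the format the procedure gives."""
    base = f"https://{orchestrator_host}"
    return {
        "redirect_url": f"{base}/login/ssologin/openidCallback",
        "start_sso_url": f"{base}/{domain}/login/doEnterpriseSsoLogin",
    }


# Constructed stand-in for the JSON served at the PingOne Discovery URL (placeholder host).
DISCOVERY_DOC = json.dumps({
    "issuer": "https://auth.pingone.example/env-placeholder/as",
    "authorization_endpoint": "https://auth.pingone.example/env-placeholder/as/authorize",
    "token_endpoint": "https://auth.pingone.example/env-placeholder/as/token",
    "response_types_supported": ["code"],
})


def build_authorization_request(discovery_json, client_id, redirect_uri, scopes):
    """Build the Authorization Code request URL. Returns (url, state, nonce); the RP
    must store state and nonce and compare them on the callback, so a forged or
    replayed redirect to /login/ssologin/openidCallback is rejected."""
    doc = json.loads(discovery_json)
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("provider does not advertise the authorization code grant")
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,   # must match the Redirect URL registered in PingOne
        "scope": " ".join(scopes),      # must be among the CONNECT SCOPES granted in PingOne
        "state": state,
        "nonce": nonce,
    }
    return f"{doc['authorization_endpoint']}?{urlencode(params)}", state, nonce


def check_id_token_claims(claims, expected_issuer, client_id, expected_nonce, now=None):
    """Return a list of problems with a decoded ID token payload (empty list = acceptable).
    Assumes the JWT signature was already verified against the provider's JWKS."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        problems.append("audience mismatch")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        problems.append("missing required claims: " + ", ".join(missing))
    return problems


def groups_from_claims(claims):
    """Return the group list carried in group_membership (the source of Orchestrator roles)."""
    groups = claims.get("group_membership", [])
    return [groups] if isinstance(groups, str) else list(groups)


if __name__ == "__main__":
    urls = orchestrator_urls("vco.example.net", "acme")
    url, state, nonce = build_authorization_request(
        DISCOVERY_DOC, "client-id-placeholder", urls["redirect_url"], ["openid", "email", "profile"])
    print(url)
    # Constructed ID token payload, as it would look after signature verification and decoding.
    sample = {"iss": "https://auth.pingone.example/env-placeholder/as", "aud": "client-id-placeholder",
              "nonce": nonce, "exp": int(time.time()) + 300, "sub": "user-1", "email": "a@example.com",
              "given_name": "A", "family_name": "B", "phone_number": "+10000000000",
              "group_membership": ["Orchestrator Admins"]}
    print(check_id_token_claims(sample, "https://auth.pingone.example/env-placeholder/as",
                                "client-id-placeholder", nonce), groups_from_claims(sample))
```

The claims check is deliberately strict about issuer, audience, nonce, and expiry as well as the attribute contract: a token that is missing group_membership is rejected rather than silently producing a user with no roles, which is the failure the Required checkbox in step 7 is there to prevent.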

Results

You have completed setting up an OIDC-based application in PingOne for SSO.

What to do next

Configure Single Sign On in SASE Orchestrator.