Creating the common configuration for PingFederate includes creating the Access Token Manager, adding the objectGUID attribute, creating the OpenID Connect Policy, and creating the OAuth Client Application.

Prerequisites

Complete the following task:

Log in to the PingFederate Admin console with an Administrator Account.

Procedure

  1. Create the Access Token Manager.
    1. Go to Applications > OAuth > Access Token Management.
    2. Click Create New Instance.
    3. On the Type tab:
      • Instance Name: Enter an instance name. For example, vIDB Access Token Manager.
      • Instance ID: Enter the instance ID. For example, vIDB.
      • Type: Select JSON Web Tokens.
      • Parent Instance: Leave the default, None.
    4. On the Instance Configuration tab:
      • Use Centralized Signing Key: Select the checkbox.

        If you leave this checkbox unselected, PingFederate instead expects an Active Signing Certificate Key ID to be configured for this instance.

      • JWS Algorithm: Select an algorithm. For example, RSA using SHA-256.
      • At the bottom of the screen, click Show Advanced Fields.
        • JWT ID Claim Length: Enter a number greater than zero (0), for example 24. If you leave this field empty, the jti claim is omitted from the access token.
    5. Click Next.
    6. On the Access Token Attribute Contract tab:
      • In the Extend the Contract text box, add the following claims to be generated in the Ping access token. Click Add after entering each claim.
        • aud
        • iss
        • exp
        • iat
        • userName
      • Subject Attribute Name: Select one claim to be used for auditing purposes. For example, iss.
    7. Click Next twice to skip the Resource URIs and Access Control tabs.
    8. Click Save.
  2. Add the objectGUID Attribute.
    1. Go to System > Data Stores > Your Data Store > LDAP Configuration.
    2. On the LDAP Configuration tab, click Advanced at the bottom.
    3. On the LDAP Binary Attributes tab, in the Binary Attribute name field, use objectGUID and click Add.
    4. Click Save.
  3. Create the OpenID Connect Policy.
    1. Go to Applications > OAuth > OpenID Connect Policy Management.
    2. Click Add Policy.
    3. On the Manage Policy tab:
      • Policy ID: Enter a policy ID. For example, OIDC.
      • Name: Enter a policy name. For example, OIDC Policy.
      • Access Token Manager: Select the access token manager that you previously created. For example, vIDB Access Token Manager.
    4. Click Next.
    5. On the Attribute Contract tab:
      • Click Delete to remove all the attributes except sub. Otherwise, you must map each remaining attribute to a value on the Contract Fulfillment tab later.
    6. Click Next, then click Next again to skip the Attributes Scope tab.
    7. On the Attribute Sources & User Lookup tab, click Add Attribute Source.
      After entering the information on each tab that follows, click Next to advance.
      • Data Store:
        • Attribute Source ID: Enter an attribute source ID. For example, vIDBLDAP.
        • Attribute Source Description: Enter a description. For example: vIDBLDAP.
        • Active Data Store: Select your Active Directory or OpenLDAP domain name from the drop-down.
      • LDAP Directory Search:
        • Base DN: Enter your base DN to find your users and groups.
        • Search Scope: Leave the default, Subtree.
        • Attributes to return from search: Select <Show All Attributes>, select objectGUID, and click Add Attribute.
      • LDAP Binary Attribute Encoding Types:
        • objectGUID: Select Hex for the Attribute Encoding Type.
      • LDAP Filter:
        • Filter: Enter a filter. For example, userPrincipalName=${userName}.
    8. On the Summary page, click Done.
    9. Click Next to advance, and on the Contract Fulfillment tab, map the Attribute Contract for the ID token:

       Attribute Contract   Source                                                                        Value
       sub                  The Attribute Source ID created previously (vIDBLDAP in this documentation)   objectGUID
    10. Click Next, then click Next again to skip the Issuance Criteria tab.
    11. Click Save.
  4. Create the OAuth Client Application.
    1. Go to Applications > OAuth > Clients.
    2. Click Add Client.
    3. On the Clients | Client page:
      • Client ID: Enter the client ID. For example, vIDB.
        Note: Copy and save the client ID for use later when creating the vCenter Server identity provider for PingFederate.
      • Name: Enter a name. For example, vIDB.
      • Client Authentication: Select Client Secret.
        • Client Secret: You can enter your own client secret or have PingFederate generate one. After you leave this page, you cannot view the secret again; you can only change it.
          Note: Copy and save the secret for use later when creating the vCenter Server identity provider.
      • Redirection URIs: Enter the redirection URI(s) in the form: https://vCenter_Server_FQDN:port/federation/t/CUSTOMER/auth/response/oauth2.
        • Click Add.
      • Allowed Grant Types: Check Authorization Code, Refresh Token, Client Credentials, and Resource Owner Password Credentials. Resource Owner Password Credentials is needed only for the Password Grant Flow configured in the next task; because it sends user passwords directly to the token endpoint, do not enable it for other clients.
      • Default Access Token Manager: Select the access token manager you previously created. For example, the one used in this documentation is vIDB Access Token Manager.
      • OpenID Connect: For Policy, select the one you previously created. For example, the one used in this documentation is OIDC.
    4. Click Save.
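The steps above only declare the token contract; once the configuration is saved, it is worth confirming that the tokens PingFederate issues actually carry it and that the sub value is the identifier you expect. The following Python script is an added example, not part of this documentation or of PingFederate: it decodes a token, checks for the claims added to the Access Token Attribute Contract in step 1 (aud, iss, exp, iat, userName, jti), and converts the Hex-encoded objectGUID that the policy from step 3 places in sub to the canonical GUID string that AD tools display. It assumes that PingFederate's Hex encoding is the plain hex of the 16 raw objectGUID bytes; the issuer URL, client ID and GUID are constructed sample values, and the sample token carries a placeholder signature, so signature verification against the JWKS endpoint is deliberately out of scope here.

```python
import base64
import json
import time
import uuid
from typing import Dict, List, Optional, Tuple

# Claims added to the Access Token Attribute Contract in step 1, plus the jti
# that the "JWT ID Claim Length" advanced field enables.
REQUIRED_ACCESS_TOKEN_CLAIMS = ("aud", "iss", "exp", "iat", "userName", "jti")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> Tuple[Dict, Dict]:
    """Split a compact JWS into (header, payload) WITHOUT checking the signature.
    This is for inspecting claims during setup only; a relying party must verify
    the signature against the keys PingFederate publishes at its JWKS endpoint."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def check_access_token_contract(payload: Dict, expected_iss: str,
                                expected_aud: str, now: Optional[int] = None) -> List[str]:
    """Return the problems found; an empty list means every contract claim is
    present, iss/aud match, and the token is inside its validity window."""
    now = int(time.time()) if now is None else now
    problems = [f"missing claim: {c}" for c in REQUIRED_ACCESS_TOKEN_CLAIMS if c not in payload]
    if problems:
        return problems
    if payload["iss"] != expected_iss:
        problems.append(f"unexpected iss: {payload['iss']!r}")
    aud = payload["aud"] if isinstance(payload["aud"], list) else [payload["aud"]]
    if expected_aud not in aud:
        problems.append(f"aud {aud!r} does not contain {expected_aud!r}")
    if payload["exp"] <= now:
        problems.append("token expired")
    if payload["iat"] > now:
        problems.append("iat is in the future")
    if not payload["jti"]:
        problems.append("jti is empty")
    return problems


def objectguid_hex_to_guid(hex_value: str) -> str:
    """Hex encoding of the raw 16-byte objectGUID -> canonical GUID string.
    AD stores the first three GUID fields little-endian, so the hex in sub
    does not read like the GUID that Get-ADUser or ADSI Edit displays."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw))


def guid_to_objectguid_hex(guid: str) -> str:
    """Inverse: canonical GUID string -> hex of the raw bytes as stored in AD."""
    return uuid.UUID(guid).bytes_le.hex()


# Constructed sample values, not output captured from a real PingFederate instance.
SAMPLE_GUID = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"
SAMPLE_ISSUER = "https://pingfederate.example.com"  # assumed issuer URL
SAMPLE_CLIENT_ID = "vIDB"                            # the client ID used in step 4


def build_sample_token(payload: Dict) -> str:
    """Assemble a compact JWS with a placeholder signature for offline testing."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "example"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


if __name__ == "__main__":
    now = int(time.time())
    access_payload = {"iss": SAMPLE_ISSUER, "aud": SAMPLE_CLIENT_ID, "iat": now,
                      "exp": now + 3600, "userName": "alice@corp.example",
                      "jti": "aBcDeFgHiJkLmNoPqRsTuVwX"}
    _, decoded = decode_jwt_unverified(build_sample_token(access_payload))
    print("access token problems:", check_access_token_contract(decoded, SAMPLE_ISSUER, SAMPLE_CLIENT_ID))
    id_sub = guid_to_objectguid_hex(SAMPLE_GUID)  # what the ID token's sub carries
    print("sub =", id_sub, "-> GUID", objectguid_hex_to_guid(id_sub))
```

To check a real token, paste the access token returned by PingFederate into decode_jwt_unverified and pass the issuer shown in its OpenID Connect discovery document together with the client ID from step 4; a non-empty problem list points at the contract claim or setting that was missed. The GUID conversion matters when correlating the sub claim with an AD account: the hex string is the raw stored bytes, not the human-readable GUID, so compare against guid_to_objectguid_hex of the value your directory tools show.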

What to do next

Continue with Create the Password Grant Flow Configuration.