PingIntelligence

Configure authentication - SSO with PingFederate

PingIntelligence for APIs Dashboard provides two methods for user authentication: native or single sign-on (SSO).

You can select the authentication method by setting the pi.webgui.server.authentication-mode property in the <pi_install_dir>/pingidentity/webgui/config/webgui.properties file. The default authentication method is native.

SSO authentication should be used only for production deployments. Use native authentication for Proof of Concept deployments.

SSO configuration for PingIntelligence for APIs Dashboard

SSO configuration for the PingIntelligence Dashboard involves configuring both the Dashboard and PingFederate. The following is a summary of the configuration steps:

  1. Verify the prerequisites.

  2. Configure an OAuth client in PingFederate.

  3. Configure the webgui.properties file.

  4. Configure the sso.properties file in the Dashboard.

  5. Import the PingFederate SSL server certificate.

  6. Obfuscate sso.properties.

  7. Start the Dashboard.

Verify the prerequisites

Ensure the following prerequisites are complete before SSO configuration:

  • PingFederate is installed and configured to support OpenID Connect (OIDC) SSO for any client. The currently supported PingFederate versions are 9.3 and 10.1.

  • PingIntelligence for APIs Dashboard is installed.

Configure OAuth client in PingFederate

Creating and configuring an OAuth client in PingFederate is an essential step for the PingIntelligence Dashboard’s SSO authentication. If the OAuth client is not correctly configured in PingFederate, authentication fails. To configure an OAuth client, complete the steps in Configuring an OAuth client in PingFederate for PingIntelligence Dashboard SSO.

Configure webgui.properties file

To configure authentication using SSO, edit the <pi_install_dir>/pingidentity/webgui/config/webgui.properties file and set the value of pi.webgui.server.authentication-mode to sso.

# Authentication mode
# valid values: native, sso
pi.webgui.server.authentication-mode=sso

Configure SSO properties file in Dashboard

Configure the <pi_install_dir>/pingidentity/webgui/sso.properties file to complete the PingIntelligence Dashboard’s SSO authentication. For more information, see Configuring Dashboard sso.properties for PingFederate.

Import the PingFederate SSL server certificate

After the PingIntelligence Dashboard configuration for SSO is complete, import PingFederate’s SSL server certificate to the PingIntelligence Dashboard’s truststore <pi_install_dir>/pingidentity/webgui/config/webgui.jks.

Complete the following steps to import the SSL certificate:

  1. Copy PingFederate’s SSL server certificate to the <pi_install_dir>/pingidentity/webgui/config/ directory.

  2. Execute the following command:

    # cd <pi_install_dir>/pingidentity/webgui/config/
    # keytool -import -trustcacerts -file <pf_certificate.crt> -alias pi-sso -keystore webgui.jks

When keytool prompts for the truststore password during the import, the default password of webgui.jks is changeme.

Obfuscate sso.properties

You can obfuscate the keys added to sso.properties using the following commands:

# cd <pi_install_dir>/pingidentity/webgui
# ./bin/cli.sh obfuscate_keys

Start PingIntelligence for APIs Dashboard

Start the PingIntelligence for APIs Dashboard. For more information, see Start and stop Dashboard.

When the PingIntelligence Dashboard has started successfully, access it at https://<pi_install_host>:8030. The Dashboard starts SSO authentication and creates a new session for the logged-in user.

Every PingIntelligence Dashboard SSO authentication event is assigned a unique ID, which is logged in <pi_install_dir>/pingidentity/webgui/logs/admin/sso.log.

If SSO authentication fails for any reason, PingIntelligence Dashboard shows the following error message.

Screen capture of the PingIntelligence Dashboard error message for SSO failure.

To find the reason for the SSO failure, search the <pi_install_dir>/pingidentity/webgui/logs/admin/sso.log file for sso-event-ref = <unique ID>.
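
The following script is an added example, not part of the PingIntelligence documentation or tooling. It checks the results of the configuration steps above and pulls the sso.log entries for one failed login. The function names are hypothetical, and it assumes that webgui.properties follows Java properties syntax and that each log entry carries the text sso-event-ref = <unique ID>.

```shell
#!/bin/sh
# Added example: post-configuration checks for Dashboard SSO. Function names are
# hypothetical; paths and the pi-sso alias are the ones used on this page.

# Print the effective authentication mode from webgui.properties.
# Assumes Java-properties parsing: '#'/'!' comments, leading blanks ignored,
# last assignment wins; an unset property falls back to the default, native.
auth_mode() {
  awk '
    /^[ \t]*[#!]/ { next }
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (line ~ /^pi\.webgui\.server\.authentication-mode[ \t]*[=:]/) {
        sub(/^[^=:]*[=:][ \t]*/, "", line)
        sub(/[ \t\r]+$/, "", line)
        mode = line
      }
    }
    END { print (mode == "" ? "native" : mode) }' "$1"
}

# Print the sso.log lines for one event ID ($2), matched exactly.
# Assumes each entry carries "sso-event-ref = <unique ID>" (spacing optional).
sso_events() {
  awk -v id="$2" '
    {
      line = $0
      gsub(/sso-event-ref[ \t]*=[ \t]*/, "sso-event-ref=", line)
      key = "sso-event-ref=" id
      p = index(line, key)
      if (p && substr(line, p + length(key), 1) !~ /[A-Za-z0-9_-]/) print
    }' "$1"
}

# Check the steps above under $1 = <pi_install_dir>/pingidentity/webgui.
preflight() {
  mode=$(auth_mode "$1/config/webgui.properties") || return 2
  if [ "$mode" != sso ]; then
    echo "authentication-mode is '$mode', expected sso" >&2; return 1
  fi
  [ -f "$1/sso.properties" ] || { echo "sso.properties not found" >&2; return 1; }
  # keytool asks for the truststore password and fails if the alias is absent.
  keytool -list -alias pi-sso -keystore "$1/config/webgui.jks" >/dev/null ||
    { echo "alias pi-sso not in webgui.jks" >&2; return 1; }
}

if [ "$#" -ge 1 ]; then preflight "$1"; fi
```

Run it with the webgui directory as its only argument before starting the Dashboard. After a failed login, call sso_events with the sso.log path and the unique ID.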