Configure authentication - SSO with PingFederate
PingIntelligence for APIs Dashboard provides two methods for user authentication: native or single sign-on (SSO).
You can configure the authentication method by configuring pi.webgui.server.authentication-mode
property in the <pi_install_dir>/pingidentity/webgui/config/webgui.properties
file. The default authentication method is native
.
SSO authentication should be used only for production deployments. Use native authentication for Proof of Concept deployments. |
SSO configuration for PingIntelligence for APIs Dashboard
SSO configuration for the PingIntelligence Dashboard involves configuring both Dashboard and PingFederate. The following is a summary of configuration steps:
-
Verify the prerequisites.
-
Configure an OAuth client in PingFederate.
-
Configure the
webgui.properties
file. -
Configure the
sso.properties
file in the Dashboard. -
Import the PingFederate SSL server certificate.
-
Obfuscate
sso.properties
. -
Start the Dashboard.
Verify the prerequisites
Ensure the following prerequisites are complete before SSO configuration:
-
PingFederate is installed and configured to support OpenID Connect (OIDC) SSO for any client. The current supported PingFederate versions are 9.3 or 10.1.
-
PingIntelligence for APIs Dashboard is installed.
Configure OAuth client in PingFederate
Creating and configuring an OAuth client in PingFederate is an essential step for PingIntelligence Dashboard’s SSO authentication. If the OAuth client is not correctly configured in PingFederate, authentication failure will occur. To configure an OAuth client, complete the steps in Configuring an OAuth client in PingFederate for PingIntelligence Dashboard SSO.
Configure webgui.properties
file
Edit the <pi_install_dir>/pingidentity/webgui/config/webgui.properties
to set the value of pi.webgui.server.authentication-mode
to sso
to configure authentication using SSO.
# Authentication mode # valid values: native, sso pi.webgui.server.authentication-mode=sso
Configure SSO properties file in Dashboard
Configure the <pi_install_dir>/pingidentity/webgui/sso.properties
file to complete the PingIntelligence Dashboard’s SSO authentication. For more information, see Configuring Dashboard sso.properties for PingFederate.
Import the PingFederate SSL server certificate
After the PingIntelligence Dashboard configuration for SSO is complete, import PingFederate’s SSL server certificate to the PingIntelligence Dashboard’s truststore <pi_install_dir>/pingidentity/webgui/config/webgui.jks
.
Complete the following steps to import SSL certificate:
-
Copy PingFederate’s SSL server certificate to
<pi_install_dir>/pingidentity/webgui/config/ directory
. -
Execute the following command:
# cd <pi_install_dir>/pingidentity/webgui/config/ keytool -import -trustcacerts -file <pf_certificate.crt> -alias pi-sso -keystore webgui.jks
The default password to import |
Obfuscate sso.properties
You can obfuscate keys added in SSO properties using the following commands:
# cd <pi_install_dir>/pingidentity/webgui # ./bin/cli.sh obfuscate_keys
Start PingIntelligence for APIs Dashboard
Start the PingIntelligence for APIs Dashboard. For more information, see Start and stop Dashboard.
When the PingIntelligence Dashboard is started successfully, access it using https://<pi_install_host>:8030
. The Dashboard will start SSO Authentication, and a new session will get created for the logged-in users.
Every PingIntelligence Dashboard SSO authentication event is attached with a |
If SSO authentication fails for any reason, PingIntelligence Dashboard shows the following error message.
You can filter |