PingFederate

The PingFederate Connector requests authentication from a PingFederate instance using OpenID Connect or SAML. PingFederate returns authentication state and attributes in claims to the Orchestrator.

Configuration

The following values can be provided to the PingFederate connector via the Maverics configuration file.

Auth Type

authType determines the protocol to use to request user authentication and return attributes in claims. The values are oidc or saml. If no value is provided, a default of oidc is used.

OAuth Client ID

oauthClientID is the client ID of the inbound OAuth service provider created in PingFederate.

OAuth Client Secret

oauthClientSecret is the client secret of the inbound OAuth service provider created in PingFederate.

OAuth Login Redirect

oauthLoginRedirect is used to define login redirect callback URLs.

It defines the URLs that the OIDC provider will redirect the client back to after authentication. Each entry must be an absolute URL and must match exactly one of the redirect URLs registered on the provider. If no match is found during the auth flow, the first URL in the urls list is used.

The orchestrator will serve the callback handlers on all URLs specified in the urls field under this section.

ℹ️
The paths of the urls entries should not conflict with the path of any application resource. The path itself can be arbitrary (e.g. /maverics-oidc or /oidc-handler).

The older single-value oauthRedirectURL setting is deprecated; use the urls list described above instead.
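The redirect-URL rules above (absolute URLs, exact match against the registered list, first entry as the fallback, and callback paths that must not collide with application resources) are easy to get wrong in a hand-written configuration. The following Python is an added example, not Maverics or PingFederate code: it models the documented selection behaviour and the pre-deployment checks an operator would want. It assumes that "match" means the scheme and host of the incoming request are compared with each registered URL, and it treats an application path that equals a callback path, or sits beneath it, as a conflict; both are assumptions for illustration, and the URL lists are constructed from the examples on this page.

```python
from urllib.parse import urlsplit

# Constructed sample data mirroring the oauthLoginRedirect example on this page.
REGISTERED_URLS = [
    "https://host1.example.com/oidc",
    "https://host2.example.com/oidc",
]
APP_RESOURCE_PATHS = ["/", "/my-app", "/my-app/error", "/oidc/profile"]


def is_absolute_https(url: str) -> bool:
    """A valid redirect entry is an absolute URL; HTTPS is required so the
    authorization code in the callback is not exposed in cleartext."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def invalid_redirect_urls(urls):
    """Return the entries that are not absolute HTTPS URLs."""
    return [u for u in urls if not is_absolute_https(u)]


def callback_paths(urls):
    """Paths on which the orchestrator would serve callback handlers."""
    return sorted({urlsplit(u).path or "/" for u in urls})


def conflicting_paths(urls, app_resource_paths):
    """Application paths that equal, or live under, a callback path
    (assumed definition of 'conflict'; exact-match-or-prefix)."""
    cb = callback_paths(urls)
    hits = []
    for p in app_resource_paths:
        for c in cb:
            if p == c or p.startswith(c.rstrip("/") + "/"):
                hits.append(p)
                break
    return hits


def select_redirect_uri(urls, request_host, request_scheme="https"):
    """Pick the registered URL whose scheme and host match the incoming
    request exactly; otherwise fall back to the first entry, which is the
    documented behaviour when nothing matches."""
    for u in urls:
        parts = urlsplit(u)
        if parts.scheme == request_scheme and parts.netloc.lower() == request_host.lower():
            return u
    return urls[0]


if __name__ == "__main__":
    print("invalid:", invalid_redirect_urls(REGISTERED_URLS + ["/oidc", "http://host3.example.com/oidc"]))
    print("callbacks:", callback_paths(REGISTERED_URLS))
    print("conflicts:", conflicting_paths(REGISTERED_URLS, APP_RESOURCE_PATHS))
    print("host2 ->", select_redirect_uri(REGISTERED_URLS, "host2.example.com"))
    print("unknown ->", select_redirect_uri(REGISTERED_URLS, "unknown.example.com"))
```

Running the checks before rollout catches the two configuration mistakes that matter most here: a relative or plain-HTTP redirect entry (which the provider will reject or which leaks the authorization code), and an application route that shadows the callback handler the orchestrator serves on every listed URL.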

OIDC Well-known URL

oidcWellKnownURL is the URL that returns OIDC metadata about the PingFederate authorization server; the connector uses it to discover the OAuth token URL, authorize URL, and keys (JWKS) URL.

Disable PKCE

disablePKCE disables the Proof Key for Code Exchange (PKCE) extension, which is enabled by default.

SAML Consumer Service URL

samlConsumerServiceURL is the URL that PingFederate will use to POST the SAML response back to. The Maverics SAML ACS handler will be served on this URL. The samlConsumerServiceURL path should not conflict with the path of any application resources. The samlConsumerServiceURL path can be an arbitrary endpoint such as /maverics-saml or /saml-handler.

SAML Entity ID

samlEntityID is the unique application entity ID assigned to the application in URI format.

SAML Metadata URL

samlMetadataURL is the metadata URL for the application configured in PingFederate. The samlMetadataURL setting will accept a file:/// URI if the metadata file is saved locally on the Orchestrator filesystem.

SAML Name ID Format

samlNameIdFormat is the SAML Subject NameID format configured for the application in your PingFederate instance, for example urn:oasis:names:tc:SAML:2.0:nameid-format:entity.

Error Page

errorPage is the page presented to the user if an error occurs.

Cache

cache is an optional field that defines the cache settings for the connector. If left undefined, the connector will use the default in-memory cache.

ℹ️
At the moment cache is only supported for SAML connectors.

Health Check

healthCheck defines an optional health check for the connector. This option is required when using the connector in an IDP-continuity scenario. For more info on how to define the health check, please see the docs.

Examples

OIDC Connector Configuration

connectors:
  - name: pingOIDC
    type: pingfederate
    authType: oidc
    oauthLoginRedirect:
      urls:
        - https://host1.example.com/oidc
        - https://host2.example.com/oidc
    errorPage: http://example.com/my-app/error
    oidcWellKnownURL: https://ping.example.com:8080/.well-known/openid-configuration
    oauthClientID: <pingOAuthClientID>
    oauthClientSecret: <pingOAuthClientSecret>
    disablePKCE: false

SAML Connector Configuration

connectors:
  - name: pingSAML
    type: pingfederate
    authType: saml
    errorPage: http://example.com/my-app/error
    samlConsumerServiceURL: https://example.com/acs
    samlEntityID: example.com
    samlMetadataURL: https://ping.example.com/pf/federation_metadata.ping?PartnerSpId=example.com
    samlNameIdFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:entity
    cache: redis

SAML Connector Configuration with SAML metadata file

This sample assumes the SAML metadata was downloaded and saved in /etc/maverics/samlmetadata.xml.

connectors:
  - name: pingSAML
    type: pingfederate
    authType: saml
    errorPage: http://example.com/my-app/error
    samlConsumerServiceURL: https://example.com/acs
    samlEntityID: example.com
    samlMetadataURL: file:///etc/maverics/samlmetadata.xml
    samlNameIdFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:entity
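The three configurations above are the shapes a reviewer sees most often, and the settings on this page that carry security weight (PKCE, the well-known and metadata URLs, the ACS and error-page schemes, the cache restriction, the optional health check) can all be checked mechanically. The following Python is an added example, not part of the Maverics product or its documentation: a small linter over connector entries represented as Python dicts that mirror the YAML examples above (constructed inline so the script runs offline without a YAML parser). The finding codes, the required-key lists and the rule that any non-https, non-file metadata source is "insecure" are the example's own assumptions.

```python
from urllib.parse import urlsplit, unquote

# Required keys per authType (assumed from the fields this page documents).
OIDC_REQUIRED = ("oauthClientID", "oauthClientSecret", "oauthLoginRedirect", "oidcWellKnownURL")
SAML_REQUIRED = ("samlConsumerServiceURL", "samlEntityID", "samlMetadataURL")

# Constructed dicts mirroring the page's YAML examples.
OIDC_EXAMPLE = {
    "name": "pingOIDC", "type": "pingfederate", "authType": "oidc",
    "oauthLoginRedirect": {"urls": ["https://host1.example.com/oidc", "https://host2.example.com/oidc"]},
    "errorPage": "http://example.com/my-app/error",
    "oidcWellKnownURL": "https://ping.example.com:8080/.well-known/openid-configuration",
    "oauthClientID": "<pingOAuthClientID>", "oauthClientSecret": "<pingOAuthClientSecret>",
    "disablePKCE": False,
}
SAML_FILE_EXAMPLE = {
    "name": "pingSAML", "type": "pingfederate", "authType": "saml",
    "errorPage": "http://example.com/my-app/error",
    "samlConsumerServiceURL": "https://example.com/acs", "samlEntityID": "example.com",
    "samlMetadataURL": "file:///etc/maverics/samlmetadata.xml",
    "samlNameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
}
# Constructed weak configuration used to show the negative findings.
WEAK_OIDC_EXAMPLE = {
    "name": "weakOIDC", "type": "pingfederate",          # authType omitted -> defaults to oidc
    "oauthLoginRedirect": {"urls": ["https://host1.example.com/oidc"]},
    "errorPage": "https://example.com/my-app/error",
    "oidcWellKnownURL": "http://ping.example.com/.well-known/openid-configuration",
    "oauthClientID": "<id>", "oauthClientSecret": "<secret>",
    "disablePKCE": True, "cache": "redis", "healthCheck": {},
}


def metadata_source(url):
    """Classify samlMetadataURL: ('file', path) for file:/// URIs,
    ('https', url) for HTTPS, ('insecure', url) for anything else."""
    parts = urlsplit(url)
    if parts.scheme == "file":
        return ("file", unquote(parts.path))
    if parts.scheme == "https":
        return ("https", url)
    return ("insecure", url)


def lint_connector(c):
    """Return a list of finding codes for one connector entry."""
    findings = []
    auth = c.get("authType", "oidc")  # the page documents oidc as the default
    if auth == "oidc":
        findings += [f"missing:{k}" for k in OIDC_REQUIRED if k not in c]
        if "oauthRedirectURL" in c:
            findings.append("deprecated:oauthRedirectURL")
        if c.get("disablePKCE") is True:
            findings.append("pkce-disabled")           # code-interception defence removed
        if c.get("oidcWellKnownURL") and urlsplit(c["oidcWellKnownURL"]).scheme != "https":
            findings.append("wellknown-not-https")     # discovered endpoints/JWKS tamperable in transit
        for u in (c.get("oauthLoginRedirect") or {}).get("urls") or []:
            if urlsplit(u).scheme != "https" or not urlsplit(u).netloc:
                findings.append(f"redirect-not-absolute-https:{u}")
        if "cache" in c:
            findings.append("cache-unsupported-for-oidc")  # page: cache only for SAML
    elif auth == "saml":
        findings += [f"missing:{k}" for k in SAML_REQUIRED if k not in c]
        if c.get("samlConsumerServiceURL") and urlsplit(c["samlConsumerServiceURL"]).scheme != "https":
            findings.append("acs-not-https")           # SAML response POSTed in cleartext
        if c.get("samlMetadataURL") and metadata_source(c["samlMetadataURL"])[0] == "insecure":
            findings.append("metadata-insecure")       # IdP signing certs fetched over cleartext
    else:
        findings.append(f"unknown-authType:{auth}")
    if c.get("errorPage") and urlsplit(c["errorPage"]).scheme != "https":
        findings.append("errorPage-not-https")
    if "healthCheck" not in c:
        findings.append("no-healthCheck")              # required for IDP-continuity
    return findings


if __name__ == "__main__":
    for cfg in (OIDC_EXAMPLE, SAML_FILE_EXAMPLE, WEAK_OIDC_EXAMPLE):
        print(cfg["name"], lint_connector(cfg))
```

Against the page's own examples the linter reports only the plain-http errorPage and the absent healthCheck, which is the right baseline: the documented samples are sound apart from those two points. The constructed weak entry shows the findings that matter more in practice, PKCE switched off and discovery metadata fetched over HTTP, plus the cache setting that the page says is not supported for OIDC connectors.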