PingFederate
The PingFederate Connector requests authentication from a PingFederate instance using OpenID Connect or SAML. PingFederate returns authentication state and attributes in claims to the Orchestrator.
Configuration
The following values can be provided to the PingFederate connector via the Maverics configuration file.
Auth Type
authType determines the protocol used to request user authentication and return attributes in claims. The values are oidc or saml. If no value is provided, the default oidc is used.
OAuth Client ID
oauthClientID is the client ID of the inbound OAuth service provider created in PingFederate.
OAuth Client Secret
oauthClientSecret is the client secret of the inbound OAuth service provider created in PingFederate.
OAuth Login Redirect
oauthLoginRedirect defines the login redirect callback URLs: the urls that the OIDC provider redirects the client back to after authentication. Each entry in urls must be an absolute URL and must match exactly one of the redirect URLs registered on the provider. If no match is found during the auth flow, the first URL in the urls list is used.
The Orchestrator serves the callback handler on every URL listed in urls. The urls paths must not conflict with the path of any application resource; the path itself can be arbitrary (e.g. /maverics-oidc or /oidc-handler).
The older format with a single oauthRedirectURL has been deprecated; use the urls list described above instead.
OIDC Well-known URL
oidcWellKnownURL is the URL that returns the OIDC discovery metadata for the PingFederate authorization server. The Orchestrator reads it to obtain the OAuth token URL, authorize URL, and keys (JWKS) URL.
Disable PKCE
disablePKCE disables the Proof Key for Code Exchange (PKCE) extension, which is enabled by default.
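To make clear what the Disable PKCE setting gives up, the following added example (written for this page, not code from Maverics or PingFederate) implements the S256 method from RFC 7636 and a toy authorization server that binds each authorization code to the code_challenge it was issued with. The AuthorizationServer class, run_flow and the constructed flow are illustrative stand-ins for the real exchange between the Orchestrator and PingFederate; the RFC 7636 Appendix B test vector is used to check the challenge derivation.

```python
"""PKCE (RFC 7636, S256 method): the protection the disablePKCE flag turns off."""
import base64
import hashlib
import re
import secrets

# RFC 7636 section 4.1: 43..128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def _b64url(data: bytes) -> str:
    """Base64url without padding, as the RFC requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """32 random bytes encode to 43 base64url characters, the RFC minimum length."""
    return _b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    if not _VERIFIER_RE.match(verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy stand-in for the provider side (illustrative, not PingFederate's logic):
    remembers the challenge bound to each authorization code it issues."""

    def __init__(self):
        self._codes = {}

    def authorize(self, code_challenge=None, method="S256") -> str:
        code = secrets.token_urlsafe(24)
        self._codes[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier=None) -> bool:
        """Return True when the token endpoint would accept the code exchange."""
        entry = self._codes.pop(code, None)  # a code is single-use
        if entry is None:
            return False
        challenge, method = entry
        if challenge is None:
            return True  # PKCE disabled: possession of the code alone suffices
        if method != "S256" or code_verifier is None:
            return False
        try:
            expected = make_code_challenge(code_verifier)
        except ValueError:
            return False
        return secrets.compare_digest(expected, challenge)


def run_flow(disable_pkce: bool, attacker_has_verifier: bool) -> bool:
    """Simulate a party that intercepted the authorization code (constructed scenario).
    Returns whether that party obtains a token."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    if disable_pkce:
        code = server.authorize()  # no code_challenge sent with the authorize request
    else:
        code = server.authorize(make_code_challenge(verifier))
    presented = verifier if attacker_has_verifier else None
    return server.token(code, presented)


if __name__ == "__main__":
    print("PKCE off, code only :", run_flow(disable_pkce=True, attacker_has_verifier=False))
    print("PKCE on,  code only :", run_flow(disable_pkce=False, attacker_has_verifier=False))
    print("PKCE on,  with verifier:", run_flow(disable_pkce=False, attacker_has_verifier=True))
```

With PKCE enabled, an intercepted authorization code is useless without the code_verifier that only the Orchestrator holds; with disablePKCE set, the code alone redeems a token, which is why the flag should stay at its default unless the provider cannot support PKCE.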
SAML Consumer Service URL
samlConsumerServiceURL is the URL that PingFederate POSTs the SAML response back to. The Maverics SAML ACS handler is served on this URL. The samlConsumerServiceURL path must not conflict with the path of any application resource; it can be an arbitrary endpoint such as /maverics-saml or /saml-handler.
SAML Entity ID
samlEntityID is the unique application entity ID assigned to the application, in URI format.
SAML Metadata URL
samlMetadataURL is the metadata URL for the application configured in PingFederate. The samlMetadataURL setting also accepts a file:/// URI if the metadata file is saved locally on the Orchestrator filesystem.
SAML Name ID Format
samlNameIdFormat is the SAML Subject NameID format specified for the app in your PingFederate instance, for example urn:oasis:names:tc:SAML:2.0:nameid-format:entity.
Error Page
errorPage is the page presented to the user if an error occurs.
Cache
cache is an optional field that defines the cache settings for the connector. If left undefined, the connector uses the default in-memory cache.
Health Check
healthCheck defines an optional health check for the connector. This option is required when using the connector in an IDP-continuity scenario. For more information on how to define the health check, please see the docs.
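The rules above (authType defaulting to oidc, absolute callback URLs whose paths must not collide with application resources, the deprecated single oauthRedirectURL form, and a samlMetadataURL that may be a file:/// URI) are easy to get wrong in a hand-edited YAML file. The following added example, written for this page and not part of Maverics, checks a connector definition against those rules before deployment. The two sample connectors are constructed (the first mirrors the OIDC example below), validate_connector, select_redirect_url and resolve_metadata_source are hypothetical helper names, and the host-based choice of callback URL in select_redirect_url is this editor's reading of the "match exactly, else first URL" rule rather than the Orchestrator's own code.

```python
"""Pre-deployment sanity checks for a Maverics PingFederate connector definition."""
from urllib.parse import urlsplit
from urllib.request import url2pathname

VALID_AUTH_TYPES = {"oidc", "saml"}


def resolve_metadata_source(url: str):
    """Map samlMetadataURL to ("file", local_path) or ("url", url).
    The page states a file:/// URI is accepted for a metadata file saved on the Orchestrator."""
    parts = urlsplit(url)
    if parts.scheme == "file":
        if parts.netloc not in ("", "localhost"):
            raise ValueError(f"file URI must not name a remote host: {url}")
        return ("file", url2pathname(parts.path))
    if parts.scheme in ("http", "https"):
        return ("url", url)
    raise ValueError(f"unsupported samlMetadataURL scheme: {url}")


def _is_absolute(url: str) -> bool:
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def validate_connector(conn: dict, app_paths: set) -> list:
    """Return a list of problems; an empty list means the connector looks consistent.
    app_paths holds the paths served by the protected application, which the callback
    (OIDC) and ACS (SAML) handler paths must not collide with."""
    problems = []
    if conn.get("type") != "pingfederate":
        problems.append("type must be pingfederate")
    auth_type = conn.get("authType", "oidc")  # oidc is the documented default
    if auth_type not in VALID_AUTH_TYPES:
        problems.append(f"authType must be oidc or saml, got {auth_type!r}")
        return problems
    if auth_type == "oidc":
        for key in ("oauthClientID", "oauthClientSecret", "oidcWellKnownURL"):
            if not conn.get(key):
                problems.append(f"{key} is required for authType oidc")
        if "oauthRedirectURL" in conn:
            problems.append("oauthRedirectURL is deprecated; use oauthLoginRedirect.urls")
        urls = (conn.get("oauthLoginRedirect") or {}).get("urls") or []
        if not urls:
            problems.append("oauthLoginRedirect.urls must list at least one callback URL")
        for u in urls:
            if not _is_absolute(u):
                problems.append(f"redirect URL must be absolute: {u}")
            elif urlsplit(u).path in app_paths:
                problems.append(f"redirect path collides with an application resource: {u}")
    else:
        for key in ("samlConsumerServiceURL", "samlEntityID", "samlMetadataURL"):
            if not conn.get(key):
                problems.append(f"{key} is required for authType saml")
        acs = conn.get("samlConsumerServiceURL")
        if acs and not _is_absolute(acs):
            problems.append(f"samlConsumerServiceURL must be an absolute URL: {acs}")
        elif acs and urlsplit(acs).path in app_paths:
            problems.append(f"ACS path collides with an application resource: {acs}")
        md = conn.get("samlMetadataURL")
        if md:
            try:
                resolve_metadata_source(md)
            except ValueError as exc:
                problems.append(str(exc))
    return problems


def select_redirect_url(urls: list, request_url: str) -> str:
    """Pick the callback URL registered for the host that received the request;
    fall back to the first entry when no host matches (assumed reading of the rule)."""
    host = urlsplit(request_url).netloc
    for u in urls:
        if urlsplit(u).netloc == host:
            return u
    return urls[0]


# Constructed sample mirroring the OIDC example on this page.
OIDC_EXAMPLE = {
    "name": "pingOIDC", "type": "pingfederate", "authType": "oidc",
    "oauthLoginRedirect": {"urls": ["https://host1.example.com/oidc",
                                    "https://host2.example.com/oidc"]},
    "errorPage": "http://example.com/my-app/error",
    "oidcWellKnownURL": "https://ping.example.com:8080/.well-known/openid-configuration",
    "oauthClientID": "<pingOAuthClientID>", "oauthClientSecret": "<pingOAuthClientSecret>",
    "disablePKCE": False,
}
# Constructed sample that still uses the deprecated single-URL form and omits authType.
LEGACY_EXAMPLE = {
    "name": "legacy", "type": "pingfederate",
    "oauthRedirectURL": "/oidc",
    "oauthClientID": "x", "oauthClientSecret": "y",
    "oidcWellKnownURL": "https://ping.example.com/.well-known/openid-configuration",
}

if __name__ == "__main__":
    print(validate_connector(OIDC_EXAMPLE, {"/my-app"}))
    print(validate_connector(LEGACY_EXAMPLE, {"/my-app"}))
    print(select_redirect_url(OIDC_EXAMPLE["oauthLoginRedirect"]["urls"],
                              "https://host2.example.com/my-app"))
```

Run it against the connectors section of your Maverics configuration (loaded with any YAML parser into dicts) before rolling a change out; the legacy sample reports both the deprecated key and the missing urls list.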
Examples
OIDC Connector Configuration
connectors:
  - name: pingOIDC
    type: pingfederate
    authType: oidc
    oauthLoginRedirect:
      urls:
        - https://host1.example.com/oidc
        - https://host2.example.com/oidc
    errorPage: http://example.com/my-app/error
    oidcWellKnownURL: https://ping.example.com:8080/.well-known/openid-configuration
    oauthClientID: <pingOAuthClientID>
    oauthClientSecret: <pingOAuthClientSecret>
    disablePKCE: false
SAML Connector Configuration
connectors:
  - name: pingSAML
    type: pingfederate
    authType: saml
    errorPage: http://example.com/my-app/error
    samlConsumerServiceURL: https://example.com/acs
    samlEntityID: example.com
    samlMetadataURL: https://ping.example.com/pf/federation_metadata.ping?PartnerSpId=example.com
    samlNameIdFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:entity
    cache: redis
SAML Connector Configuration with SAML metadata file
This sample assumes the SAML metadata was downloaded and saved in /etc/maverics/samlmetadata.xml.
connectors:
  - name: pingSAML
    type: pingfederate
    authType: saml
    errorPage: http://example.com/my-app/error
    samlConsumerServiceURL: https://example.com/acs
    samlEntityID: example.com
    samlMetadataURL: file:///etc/maverics/samlmetadata.xml
    samlNameIdFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:entity