Configuring OpenID SSO for PingOne
These steps show you how to configure the single sign-on (SSO) functionality using OpenID Connect between ManageEngine ADSelfService Plus and PingOne.
- Do not terminate the session before the configuration is complete in both the identity provider and the service provider.
- Please enable HTTPS is the product to ensure proper functioning of single sign-on.
- Login to ADSelfService Plus as Admin.
- Go to Configuration > Password Sync/ Single Sign On and click Add Application. Select PingOne from the list. You can also use the search bar, in the top-left, to search for the application.
Note: You can also use the search bar, in the top-left, to search for the application.
- Click on IdP Details and select the SSO (OAuth/OpenID Connect) tab.
- Copy Client ID, Client Secret, Issuer, Authorization Endpoint URL, Token Endpoint URL, User Endpoint URL, and Keys Endpoint URL.
PingOne (service provider) configuration steps
- Login to PingOne as administrator.
- Click the PingOne for Customers' icon next to the End User Sandbox environment.
- Go to Connections → Identity Providers → Add Provider.
- Select OpenID Connect under Custom. Click Next.
- Under Create IdP Profile, enter a suitable name and description for ADSelfService Plus. You can also customize the icon and login button here.
- Click Continue.
- In the Configure OpenID Connect Connections page, copy the CALLBACK URL as it will be required in a later step.
- Fill in the required fields with details copied in step 4 of prerequisites:
- CLIENT ID: Client ID
- CLIENT SECRET: Client secret
- ISSUER: Issuer
- AUTHORIZATION ENDPOINT: Authorization Endpoint URL
- TOKEN ENDPOINT: Token Endpoint URL
- USERINFO ENDPOINT: User Endpoint URL
- JWKS URI: Keys Endpoint URL
- Click Save and Continue.
- In the Map attributes page, click Save & Finish.
ADSelfService Plus (identity provider) configuration steps
- Switch back to ADSelfService Plus' PingOne configuration page.
- Enter the Application Name and Description as per your preference.
- Enter the Domain Name of your PingOne account. For example, if your PingOne username is johnwatts@thinktodaytech.com, then thinktodaytech.com is your domain name.
- Select policies from the Assign policies dropdown, to decide for whom this setting will be applicable.
- Check the box next to Enable OAuth/OpenID Connect.
- Enter the Callback URL you saved in step 7 of PingOne configuration in Login Redirect URL field.
- Scopes specify the level of access the access token has. The scopes are generally provided in the authorization request so, you don't have to specify them here. If the scopes are not mentioned by your service provider, you must add them in this field.
- Click Add Application to save these settings.
- The Well-known Configuration URL in IdP details pop-up contains all the endpoint values, supported scopes, response modes, client authentication modes and client details. This is enabled only after you save the application in ADSelfService Plus. You can provide this to your service provider if required.