Configuring Ping
    • 26 Sep 2024

    Integrating Ping with PlainID allows organizations to combine Ping’s identity federation with PlainID's powerful PBAC capabilities. This enhances security by ensuring that Authorization decisions are based on dynamic, context-aware Policies, and it streamlines user Authentication and Authorization processes. The integration also simplifies management by centralizing Policy enforcement, reducing the need for hardcoded rules in Applications.

    Before continuing, ensure that you have access to PingFederate. For more information on how to install Ping, refer to their Installation documentation.

    Configuring a Ping Data Source

    Integrating Ping with the PlainID Authorizer is based on setting up the PlainID Authorizer as an external data source in Ping and defining attributes, extracted from the PlainID Authorizer response, to be used as claims in the tokens generated by Ping.

    Refer to your Ping Administrator and official documentation to learn how to set up a data source and configure it manually in the Ping Admin UI or through APIs.

    This setup will include:

    • Adding and setting a new Data Source
    • Configuring the OAuth Client
    • Configuring Access Token Management and Mappings

    Note: The steps below provide high-level guidance only. Consult your Ping Administrator and official documentation for more information.

    Adding a Data Source

    Refer to Ping's Data Source Documentation for more details.

    To add and set up a data source:

    1. Configure the data source to use a REST API for the PlainID Authorizer, providing the Authorizer's URL.
    2. Add attributes to the data source that correspond to the Claim Keys you plan on configuring and mapping in the PlainID Token Enrichment Service for your Ping integration:
      • In the JSON Response Attribute Type Path, use the format /{claimName}, where claimName matches a key in the IDP's Token Enrichment JSON response (e.g., /plainid).
    3. Set the following data source fields:
      • Authentication Method: Basic Authentication
      • HTTP Method: POST
      • Username: Your PlainID Scope Client ID
      • Password: Your PlainID Scope Client Secret
      • Test Connection URL (optional, under advanced fields): http://<BASE_URL>/idp-hook/1.0/ping/test
    4. Click Next to save the data source.

    OAuth Client

    Refer to Ping's OAuth documentation for more details on how to set up an OAuth Client.

    To configure an OAuth Client Application:

    1. Add a new OAuth Client Application.
    2. Enter the Name, Client ID, and generate a Secret in the relevant fields.
    3. Select the Client Credentials grant type.
      • The Client ID and Secret are used for Client authentication when configuring the PlainID Token Enrichment Service for the Ping application.

    Access Token Management & Mappings

    Refer to Ping's Access Token Management article for detailed information.

    To Create a New Access Token Management Instance:

    1. Enter a Setup Name and ID.
    2. Select JSON Web Tokens as the token type.
    3. Set the JWS Algorithm to RSA SHA-256.
    4. Use a Centralized Signing Key.
    5. Click Next. The Access Token Attribute Contract tab will open.
    6. Under Application OAuth Client, set JWT0 as the default Access Token Manager.
    7. In the Extend the Contract section, add the claim keys for Token Enrichment (used in the IDP Token Enrichment Service configuration under apps.<app>.claims), and mark each one as Multi-Value.
    8. Click Add and proceed through the tabs until the Summary tab opens.
    9. Click Save.

    To Add Mappings to Your Access Token Manager:

    1. Add an Attribute Source, selecting the data source you configured earlier.
    2. Under the Configure Data Source Filters tab, set up your filters based on Ping's Data Source Filter article.
    3. Set the Resource Path to the IDP Token Enrichment Service Ping Endpoint: /idp-hook/1.0/ping/lookup.
    4. In the Body field, define the payload for the request to the PlainID IDP Token Enrichment Service.
    5. Enter the required parameters, ObjectID and client_id, in the JSON request body, using your specific values:
      {
        "ObjectID": "${ds.ldap.uid}",
        "client_id": "${context.ClientId}"
      }
      
    6. Optionally, use values from your data store with this syntax: ${ds.attr-source-id.attribute}.
    7. Set up Contract Fulfillments, selecting the previously defined data source.
    8. For Value, configure the Claim from the PlainID Authorizer response.
    9. Click Next, then Save.
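
The request that this mapping makes Ping send can be reproduced offline to check the configuration before issuing tokens. The following is an added example, not PlainID or Ping code: it builds the POST to /idp-hook/1.0/ping/lookup with Basic Authentication and the ObjectID/client_id body, and reports which /{claimName} attribute paths match no key in a response. The host name, credentials, Content-Type header, sample response values and the HTTPS rule are assumptions of the example.

```python
import base64
import json
import urllib.request

LOOKUP_PATH = "/idp-hook/1.0/ping/lookup"  # Resource Path from the mapping steps


def build_lookup_request(base_url, scope_id, scope_secret, object_id, client_id):
    """Build (without sending) the POST the data source makes per token."""
    if not base_url.lower().startswith("https://"):
        # Rule added by this example: Basic Authentication puts the Scope
        # Client Secret in every request, so refuse a cleartext transport.
        raise ValueError("use an https base URL with Basic Authentication")
    creds = base64.b64encode(f"{scope_id}:{scope_secret}".encode()).decode()
    body = json.dumps({"ObjectID": object_id, "client_id": client_id})
    return urllib.request.Request(
        base_url.rstrip("/") + LOOKUP_PATH,
        data=body.encode(),
        method="POST",
        # Content-Type is an assumption; the page does not name request headers.
        headers={"Authorization": "Basic " + creds,
                 "Content-Type": "application/json"},
    )


def unresolved_paths(response, paths):
    """Return the /{claimName} paths that match no top-level response key."""
    missing = []
    for path in paths:
        if not path.startswith("/") or "/" in path[1:] or len(path) == 1:
            raise ValueError(f"expected /claimName, got {path!r}")
        if path[1:] not in response:
            missing.append(path)
    return missing


# Constructed sample: only the key "plainid" comes from the page's /plainid
# example; the value shape and the other names here are assumptions.
SAMPLE_RESPONSE = {"plainid": ["constructed-value-a", "constructed-value-b"]}

if __name__ == "__main__":
    req = build_lookup_request("https://authorizer.example.test", "scope-id",
                               "scope-secret", "jdoe", "ping-client")
    print(req.get_method(), req.full_url, req.data.decode())
    print("unresolved:", unresolved_paths(SAMPLE_RESPONSE, ["/plainid", "/roles"]))
```

A path reported as unresolved means the matching claim in the Access Token Attribute Contract would have no value to fulfil it.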

    After completing the setup in Ping, you should also define a Ping Application and its configurations in the PlainID Token Enrichment Service configuration. Refer to the IDP Webhook documentation for more details.

    Additional Information

    For more technical details on how to connect this vendor to your IDP Webhook, contact PlainID Support.

