Configuring OpenID SSO for PingOne
These steps show you how to configure the single sign-on (SSO) functionality using OpenID between
ManageEngine ADSelfService Plus and PingOne.
Prerequisites
Note: Do not terminate the session before the configuration is complete in both the identity provider
and the service provider. Make sure ADSelfService Plus is using HTTPS, which is required for SSO to
function properly.
- Log into ADSelfService Plus as an administrator.
- Go to Configuration > Password Sync/Single Sign On and click Add Application. Select
PingOne from the list.
Note: You can also use the search bar at the top-left of the page to search
for the application.
- Click IdP Details and select the SSO (OAuth/OpenID Connect) tab.
- Copy the Client ID, Client Secret, Issuer, Authorization Endpoint
URL, Token Endpoint URL, and User Endpoint URL information.

PingOne (service provider) configuration steps
- Log into PingOne with administrator credentials.
- Click the PingOne for Customers icon next to the End User Sandbox environment.

- Go to Connections > Identity Providers > Add Provider.

- Select OpenID Connect under Custom. Click Next.

- Under Create IdP Profile, enter a suitable name and description for ADSelfService Plus. You
can also customize the icon and login button here.
- Click Continue.
- In the Configure OpenID Connect Connections page, copy the CALLBACK URL
as it will be required in a later step.
- Fill in the required fields with the details copied in Step 4 of the prerequisites:
- CLIENT ID: Client ID
- CLIENT SECRET: Client secret
- ISSUER: Issuer
- AUTHORIZATION ENDPOINT: Authorization Endpoint URL
- TOKEN ENDPOINT: Token Endpoint URL
- USERINFO ENDPOINT: User Endpoint URL
- JWKS ENDPOINT: Keys Endpoint URL

- Click Save and Continue.
- In the Map attributes page, click Save & Finish.

ADSelfService Plus (identity provider) configuration steps
- Switch back to ADSelfService Plus' PingOne configuration page.

- Enter the Application Name and Description as per your preferences.
- Enter the Domain Name of your PingOne account. For example, if your PingOne username is
johnwatts@thinktodaytech.com, then thinktodaytech.com is your domain name.
- In the Assign Policies field, select the policies for which SSO needs to be enabled.
Note: ADSelfService Plus allows you to create OU and group-based policies
for your AD domains. To create a policy, go to Configuration > Self-Service > Policy
Configuration > Add New Policy.
- Under the OAuth/OpenID Connect tab, select Enable OAuth/OpenID Connect.
- Enter the PingOne portal's login URL in the SP Login Initiate URL field.
Note: PingOne requires sign-in to begin from their login page, known as
SP-initiated login. Users are first directed to the PingOne login page, specified in the SP Login
Initiate URL field, after which PingOne redirects them to ADSelfService Plus (the IdP) for
authentication.
- Enter the Call Back URL copied in Step 7 of configuring PingOne in the SSO
Redirect URL field.
- Using the Scopes drop-down, select openid, which is the scope required for OIDC
authentication. You can also specify scopes such as profile or email to include extra user
information in the authorization request.
Note: Scopes specify the level of access the access token has. They are
typically included in the authorization request. Specify the scopes for which you wish to allow
access to your authorization token, using the drop-down.
- Click Add Application to save the configuration.
The Well-known Configuration URL in the IdP details pop-up contains all the endpoint
values, supported scopes, response modes, client authentication modes, and client details. This is
enabled only after you finish configuring the application for SSO in ADSelfService Plus. You can provide
this to your service provider if required.
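As an added example (not part of the ManageEngine or PingOne documentation), the Python script below compares the values entered in the PingOne form against a Well-known Configuration document and reports mismatches, non-HTTPS endpoints, and missing scopes. The hostname adssp.example.com and the endpoint paths are constructed placeholders, the metadata key names are the standard OIDC Discovery ones, and the same-host check assumes every endpoint is served by the ADSelfService Plus server.

```python
from urllib.parse import urlsplit

# PingOne form field -> standard OIDC Discovery metadata key
FIELD_TO_KEY = {
    "ISSUER": "issuer",
    "AUTHORIZATION ENDPOINT": "authorization_endpoint",
    "TOKEN ENDPOINT": "token_endpoint",
    "USERINFO ENDPOINT": "userinfo_endpoint",
    "JWKS ENDPOINT": "jwks_uri",
}

def check_idp_config(discovery, entered, scopes=("openid",)):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    issuer_host = urlsplit(discovery.get("issuer", "")).netloc.lower()
    for field, key in FIELD_TO_KEY.items():
        published = discovery.get(key)
        if not published:
            problems.append(f"{key}: missing from discovery document")
            continue
        if entered.get(field, "").strip() != published:
            problems.append(f"{field}: entered value differs from published {key}")
        url = urlsplit(published)
        if url.scheme != "https":
            problems.append(f"{key}: not served over HTTPS")
        # Assumption: all endpoints live on the same host as the issuer.
        if url.netloc.lower() != issuer_host:
            problems.append(f"{key}: host differs from issuer host")
    for scope in scopes:
        if scope not in discovery.get("scopes_supported", []):
            problems.append(f"scope {scope!r} not in scopes_supported")
    return problems

# Constructed sample data: hostname and paths are placeholders, not real product URLs.
BASE = "https://adssp.example.com"
SAMPLE_DISCOVERY = {
    "issuer": BASE,
    "authorization_endpoint": BASE + "/placeholder/authorize",
    "token_endpoint": BASE + "/placeholder/token",
    "userinfo_endpoint": BASE + "/placeholder/userinfo",
    "jwks_uri": BASE + "/placeholder/keys",
    "scopes_supported": ["openid", "profile"],
}
# What an administrator would have pasted into PingOne if every value was copied exactly.
SAMPLE_ENTERED = {field: SAMPLE_DISCOVERY[key] for field, key in FIELD_TO_KEY.items()}

if __name__ == "__main__":
    print(check_idp_config(SAMPLE_DISCOVERY, SAMPLE_ENTERED) or "configuration is consistent")
```

To use it against a live deployment, load the JSON served at the Well-known Configuration URL into `discovery` and the values from the PingOne form into `entered`.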