Add a custom app in the Ping identity platform

To set up authentication and group synchronization with the PingID provider, you must create an OAuth2 Worker application in your PingID environment:

Overview of steps

Make sure to perform the following actions in the correct order, otherwise you might disable your existing authentication to your SAFEQ Cloud tenant. These steps are: 

1. Set up the authentication provider in SAFEQ Cloud using a PingID Worker application.
2. Perform group synchronization for your PingID authentication provider.
3. Create Access Control records for the imported groups. Make sure that you will retain an administrative role in SAFEQ Cloud when you log in using your PingID identity. You must create access control records with the Administrator role for the group where you are a member.

OAuth2 Configuration

Authentication to PingID is done via the PingID OAuth Worker application. 

Group synchronization with PingID is done via OAuth2 authentication of a user with administrative privileges for the Worker application.

Creating the Worker application

1. Log into your PingID environment. Go to Applications and click + to create a new application.
   

   

2. Enter the Application Name , an optional Description , and select Worker as the Application Type.
   

   

    
3. Click Save .

Configuring the Worker application

1. Once saved, select the Configuration tab, and click the pencil icon to edit it.
2. In Response Type, select Code.
3. In Grant Type, select:
   1. Authorization Code. Also, in the PKCE Enforcement field, select OPTIONAL.
   2. Refresh Token.
4. Disable (uncheck) the Client Credentials grant type.
   

   

5. In Redirect URIs, enter the following:
   
   1. http://127.0.0.1:7311/oidc/callback
      
      

      This redirect address is essential for the SAFEQ Cloud Client to work correctly with PingID authentication.

   2. https://<your SAFEQ Cloud domain>:8443/callback/ping. In environments with reverse proxy infrastructure, do not specify the port number in the URL, meaning the default HTTPS port 443 will be used.
      

      

      
      
6. In Token Endpoint Authentication Method, select None.
7. Click Save.

Selecting Resources

1. Once saved, click the Resources tab, then click the pencil icon to edit it. Enable the following scopes:
   1. email (OpenID Connect)
   2. profile (OpenID Connect)
      

      

2. Click Save.

Mapping the attributes

1. Once saved, click the Attribute Mappings tab, then click the pencil icon to edit. You should see one Attribute Mapping — sub = User ID.
2. Change this mapping to sub = Username.
   

   

3. Click Save.

Removing roles

1. Once saved, select the Roles tab. If there are any Roles listed, click the Trash icon to delete them, and Save once all are removed. If none are listed, proceed to the next step. 
   

   

   
   
   

   For security reasons, it is essential to remove all roles from this application. This will restrict the ability to use the application without an OAuth2 token. OAuth2 token is more secure because it is not stored anywhere and acquired only in interactive mode.

Enabling the Worker application

1. Click the Overview  tab and click the slider in the top-right corner to enable your application. This will automatically save it. 
   

   

2. Leave this page open as you will need access to some of the application IDs displayed there.
   

Configuring the PingID Authentication provider in SAFEQ Cloud Web UI

Now that the configuration on the PingID side is complete, proceed to register and configure the Authentication Provider in SAFEQ Cloud.

1. Log into SAFEQ Cloud Web UI and go to Authentication.
2. Click Add to add a new provider.
3. In Type, select Client (OAuth2).
   

   

4. In Name, enter the Authentication provider name.
5. In Domains, list all of the domains present in your PingID environment that will need to authenticate to SAFEQ Cloud. For example, to allow user john.doe@acme.com to log in via this Authentication provider, enter the acme.com domain here.
6. In Identity provider, select Ping OAuth 2.0.
7. In Custom application ID, paste the Client ID from your PingID application Overview tab.
8. In Ping environment ID, paste the Environment ID from your PingID application Overview tab.
9. Ping region is the region in which your PingID environment is registered. You can determine it from your PingID Console URL which is in the format of  https://console.pingone.[region].  Alternatively, you can find it in any of the URLs listed under your PingID OAuth application Configuration tab such as https://auth.pingone.[region]/[client]/as/authorize
10. In Callback domain for custom application, enter the SAFEQ Cloud tenant address you used as the Redirect URI in your PingID OAuth application configuration.
11. Click Save.

For more details on the available options for OAuth2 authentication, see Client authentication.

Synchronizing groups

After creating and saving your new Authentication provider, you can perform group synchronization, which will allow you to manage Access Control of your SAFEQ Cloud tenant via PingID group membership.

To synchronize groups perform the following steps:

1. In SAFEQ Cloud Web UI Authentication section, click the Edit icon for your PingID provider.
2. Click SYNC GROUPS.
   

   

3. You will be redirected to the PingID login page.
4. Log in with an account that has permission to read groups and follow the on-screen instructions. When the form closes, group synchronization is complete. For more details, see Client authentication, section Sync groups.
5. You will now be able to search for PingID groups on the  Access Control page. For more details, see Access Control.