This article provides steps for configuring Ping Identity SSO in Cloud Control Center.
Step 1 - Add Cloud Control Center as an Application in Ping
First, log in to your Ping Identity console. Go to Connections -> Applications and click the add application icon ( + ). Give your application a name such as "Elisity CCC" and optionally add a description. Select OIDC Web App as your Application Type and click save.
After saving, go back to the Applications panel, click on your newly added Elisity CCC application, and select the configuration panel. We need to copy and save three credentials that we will use later. Locate and copy the following into your notepad:
- URL: Issuer
- General: Client ID and Client Secret
Next, scroll back up to the top of the configuration panel and click the edit icon.
Make sure that your application configuration matches the settings below.
Response Type
- Code: Selected
- Token: Selected
- ID Token: Selected
Grant Type
- Authorization Token: Selected
- Implicit: Selected
- Refresh Token: Selected
Redirect URIs
- https://tenantname.elisity.io/api/v1/iam/login/oauth2/code/CR_ClientID
- !!! REPLACE tenantname.elisity.io with your Cloud Control Center URL or IP
- !!! REPLACE ClientID with the Client ID of the app that we copied in an earlier step
Token Endpoint Authentication Method
- Select: Client Secret Basic
Initiate Login URI
(Only required if you wish to initiate login from the PingIdentity Application Portal)
- https://tenantname.elisity.io/api/v1/iam/usermanagement/extidp/login
- !!! REPLACE tenantname.elisity.io with your Cloud Control Center URL or IP.
Step 2 - Configure Supported User Roles in Ping
Go to Identities -> Groups and add user groups to define the roles you want to use for signing in to Cloud Control Center. Our two standard groups are the following:
TenantAdmin – This role has full read/write access
TenantUser – This is a read-only role that is only able to view data
Note: Be sure the attribute name matches the above (not case sensitive).
You can choose to add users to these groups now, or later on.
Next, go to Connections -> Applications and select the Cloud Control Center Application Registration we created earlier.
Go to attribute mappings, and edit a custom attribute using the pencil icon.
Add the following Attribute Mapping:
- Attribute: UserRole
- PingOneMapping: Group Names
Next, go to the "Access" tab in the same window, and click the pencil icon.
Apply the following settings:
- Must have admin access: Unchecked
- Select: User is a member of any applied group
- Select: appropriate groups - TenantAdmin, TenantUser, etc.
Cloud Control Center will pick up the UserRole value and assign it when the user signs in, delegating privileges in Cloud Control Center based on the UserRole value.
Step 3 - Configure Ping Identity SSO in Cloud Control Center
Log in to Cloud Control Center as an Administrator, and navigate to Administration -> Settings -> Security -> SSO Configuration. Select Ping, and enter the Client ID, Client Secret, and the Issuer ID that we saved in previous steps.
You should now be able to log in to Cloud Control Center using SSO with Ping for users who have the appropriate attributes applied. Simply click "Login with SSO" and input your user credentials from Ping.
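To confirm that Ping is sending what Steps 1 and 2 configured, the following added example (not Elisity or Ping Identity code) decodes an ID token payload and checks the issuer, the audience, and the UserRole claim against the two standard groups. It assumes UserRole is delivered in the ID token as a list or a single string; the sample token, issuer URL and client ID are constructed for illustration.

```python
import base64
import json

# Group names from Step 2; the page says matching is not case sensitive.
SUPPORTED_ROLES = {"tenantadmin": "TenantAdmin", "tenantuser": "TenantUser"}


def decode_payload(id_token):
    """Decode the JWT payload. No signature check: for diagnosing the
    mapping only, never for making an access decision."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(segment))


def check_claims(id_token, issuer, client_id):
    """Return (matched_roles, problems) for an ID token issued to the app."""
    claims = decode_payload(id_token)
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match the Issuer copied from Ping")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain the application's Client ID")
    # Assumption: UserRole arrives in the ID token as a list or one string.
    raw = claims.get("UserRole")
    groups = raw if isinstance(raw, list) else [raw]
    matched = [SUPPORTED_ROLES[g.lower()] for g in groups
               if isinstance(g, str) and g.lower() in SUPPORTED_ROLES]
    if raw is None:
        problems.append("UserRole claim missing: check the attribute mapping")
    elif not matched:
        problems.append("UserRole carries no supported group name")
    return matched, problems


def make_sample_token(claims):
    """Build a constructed, unsigned sample token so this runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "constructed"])


if __name__ == "__main__":
    issuer, client_id = "https://idp.example.test/as", "example-client-id"  # constructed
    token = make_sample_token({"iss": issuer, "aud": client_id, "UserRole": ["Engineering", "tenantadmin"]})
    print(check_claims(token, issuer, client_id))
```

An empty problems list with a matched role means the attribute mapping and group membership from Step 2 are reaching the token as configured.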