Configuring OIDC Single Sign-on

Set up PingFederate

Configure PingFederate

  1. Sign in to PingFederate console at https://service-ip:service-port, where service-ip and service-port refer to the IP address and port of the machine hosting PingFederate server.
  2. On the homepage, navigate to the SYSTEM tab and select Server from the left sidebar.
  3. Select Protocol Settings, enter Base URL, SAML 2.0 ENTITY ID, and SAML 1.X ISSUER/AUDIENCE, then click Save to complete.

Set up simple Password Credential Validators

  1. On the homepage, navigate to the SYSTEM tab and click Password Credential Validators.
  2. Click Create New Instance.
  3. Enter INSTANCE NAME and INSTANCE ID, select Simple Username Password Credential Validator for TYPE, and click Next.
  4. On the Create Credential Validator Instance page, click Add a new row to 'Users'.
  5. Enter Username, Password, and Confirm Password, then click Update and Next.
  6. Review all selected options in the Summary tab, and click Save.

Set up a simple IdP Adapter

  1. On the homepage, navigate to the AUTHENTICATION tab and click IdP Adapters.
  2. Click Create New Instance.
  3. Enter INSTANCE NAME and INSTANCE ID, and select HTML Form IdP Adapter for TYPE. Click Next.
  4. Click Add a new row to 'Credential Validators'.
  5. Select the Password Credential Validator created in the previous stage, that is "Simple MDCore PCV", then click Update and Next.
  6. Click Next on the Extended Contract tab.
  7. In the Adapter Attributes tab, toggle the username attribute under the Pseudonym column, and click Next.
  8. Click Next on the Adapter Contract Mapping tab.
  9. Review all selected options in the Summary tab and click Save to complete.

Set up Signing, Decryption Keys and Certificates

  1. On the homepage, navigate to the SECURITY tab and select Signing & Decryption Keys & Certificates.
  2. Click Create New.
  3. Enter COMMON NAME, ORGANIZATION, and COUNTRY, along with any other necessary information, then click Next.
  4. Review all selected options in the Summary tab and click Save to complete.

Set up Authentication Policies

  1. On the homepage, navigate to the AUTHENTICATION tab and click Policies.
  2. Click Add Policy on the next page.
  3. Enter NAME and select the IdP Adapter from the previous stage for POLICY. Click Done for the FAIL and SUCCESS options. Once finished, click Done.
  4. Ensure the new policy is enabled, then click Save to complete.

Set up Policy Contracts

  1. On the homepage, navigate to the AUTHENTICATION tab. Select the Policies icon on the left sidebar, then click Policy Contracts.
  2. Click Create New Contract on the next page.
  3. In the Contract Info step, enter CONTRACT NAME and click Next.
  4. In the Contract Attributes step, navigate to Extend the Contract, fill in the claims that will be returned to MetaDefender Core, click Add to add each claim, and then click Next.
  5. Review all selected options in the Summary tab, then click Save to complete.

Set up Policy Sessions

  1. On the homepage, navigate to the AUTHENTICATION tab and click Sessions.
  2. In the Sessions menu, find the OVERRIDES subtab.
  3. Select "MD Core Adapter" for Authentication Source, tick Enable Sessions, and click Add to include the authentication source.
  4. Click Save to complete.

Set up Policy Contract Grant Mapping

  1. On the homepage, navigate to AUTHENTICATION and click Policy Contract Grant Mapping.
  2. Select the Policy Contract created in the previous stage, then click Add Mapping.
  3. In the Attribute Sources & User Lookup step, click Next.
  4. In the Contract Fulfillment step, select the appropriate mapping for the Source and Value columns, then click Next.
  5. Click Next in the Issuance Criteria step.
  6. Review all selected options in the Summary tab, then click Save to complete.

Set up IdP Adapter Grant Mapping

  1. On the homepage, navigate to AUTHENTICATION, select OAUTH in the left sidebar, and click IdP Adapter Grant Mapping.
  2. Under SOURCE ADAPTER INSTANCE, select the IdP Adapter that was set up in the previous stage and click Add Mapping.
  3. Click Next in the Attribute Sources & User Lookup step.
  4. In the IdP Adapter Mapping step, select the appropriate mapping for Source and Value, and click Next.
  5. Click Next in the Issuance Criteria step.
  6. Review all selected options in the Summary tab, then click Save to complete.

Set up Resource Owner Credentials Grant Mapping

  1. On the homepage, navigate to AUTHENTICATION, select OAUTH in the left sidebar, and click Resource Owner Credentials Grant Mapping.
  2. Under SOURCE PASSWORD VALIDATOR INSTANCE, select the Password Credential Validator that was set up in the previous stage, which is "Simple MDCore PCV", and click Add Mapping.
  3. Click Next in the Attribute Sources & User Lookup step.
  4. In the Contract Fulfillment step, choose the appropriate mapping for Source and Value, and then click Next.
  5. Click Next in the Issuance Criteria step.
  6. Review all selected options in the Summary tab, then click Save to complete.

Set up Access Token Management

  1. On the homepage, navigate to APPLICATIONS and click Access Token Management.
  2. Click Create New Instance.
  3. Enter INSTANCE NAME and INSTANCE ID, and select JSON Web Tokens for TYPE. Click Next to continue.
  4. In the Instance Configuration step, click Add a new row to 'Symmetric Keys' under Symmetric Keys.
  5. Enter Key ID and Key, and select the correct Encoding. Click Update.
  6. Back in the Instance Configuration step, click Add a new row to 'Certificates' under Certificates.
  7. Enter Key ID and choose the Certificate from the previous stage. Then click Update.
  8. Back in the Instance Configuration step, navigate to JWS ALGORITHM and select the appropriate algorithm. Proceed to ACTIVE SYMMETRIC KEY ID and ACTIVE SIGNING CERTIFICATE KEY ID, then select the symmetric key and the certificate that were added earlier in this stage. Click Next when finished.
  9. In the Session Validation step, check all options and click Next.
  10. In the Access Token Attribute Contract step, navigate to Extend the Contract and add the same claims that have already been set up in the Policy Contract Grant Mapping, IdP Adapter Grant Mapping, and Resource Owner Credentials Grant Mapping stages. Click Next.
  11. Click Next in the Resource URIs and Access Control steps.
  12. Review all selected options in the Summary tab, then click Save to complete.

Set up Access Token Mappings

  1. On the homepage, navigate to APPLICATIONS and click Access Token Mappings.
  2. On the Access Token Mappings page, select the Authentication Policy Contract from the previous step to map to ACCESS TOKEN MANAGER. Click Add Mapping.
  3. Click Next in the Attribute Sources & User Lookup step.
  4. In the Contract Fulfillment step, select the appropriate Source and Value, then click Next.
  5. Click Next in the Issuance Criteria step.
  6. Review all selected options in the Summary tab, then click Save.
  7. Return to the Access Token Mappings page and repeat steps 2 to 6 for the Validator and the IdP Adapter.

Set up Scope Management

  1. On the homepage, navigate to SYSTEM and click OAuth Scopes.
  2. Under Scope Management, in the Common Scopes tab, click Add Common Scope.
  3. Because MetaDefender Core requires the profile scope, fill in that scope name and click Save.
  4. Repeat the previous step to add the username scope.
  5. Click Save to complete.

Set up Authorization Server Settings

  1. On the homepage, navigate to SYSTEM and click Authorization Server Settings.
  2. Navigate to OAuth Administrative Web Services Settings and select the Password Credential Validator that was set up in the previous stage for PASSWORD CREDENTIAL VALIDATOR.
  3. Navigate to Persistent Grant Management API.
  4. Select the access token manager and scope that were set up in the previous stages for ACCESS TOKEN MANAGER and REQUIRED SCOPE, respectively.
  5. Click Save to complete.

Set up OpenID Connect Policy Management

  1. On the homepage, navigate to APPLICATIONS and click OpenID Connect Policy Management.
  2. Click Add Policy on the next page.
  3. In the Manage Policy step, enter POLICY ID and NAME, and select the manager that was set up in the previous stage for ACCESS TOKEN MANAGER. Click Next when done.

Store the value assigned to POLICY ID as policy_id. It will be used later when fetching metadata in MetaDefender Core.

  4. In the Attribute Contract step, navigate to Extend the Contract, add the scopes requested by MetaDefender Core (i.e. username), and click Next.

By default, PingFederate lists all extended contracts. Within the scope of these instructions, only the profile contract is required; all the remaining ones must be deleted.

  5. In the Attribute Scopes step, match the scope with its attributes and click Next.
  6. Click Next in the Attribute Sources & User Lookup step.
  7. In the Contract Fulfillment step, select the appropriate Source and Value, and click Next.
  8. Click Next in the Issuance Criteria step.
  9. Review all selected options in the Summary tab, then click Save.

Add OAuth client

  1. On the homepage, navigate to APPLICATIONS and click OAuth Clients.
  2. Click Add Client on the next page.
  3. Enter CLIENT ID and store it as client_id.
  4. Enter NAME.
  5. Choose CLIENT SECRET for CLIENT AUTHENTICATION.
  6. Navigate to CLIENT SECRET, check the CHANGE SECRET box, click Generate Secret, and store the generated string as client_secret.

client_id and client_secret will be used later when setting up MetaDefender Core.

  7. Navigate to REDIRECT URIS, fill in a temporary Redirection URI, and click Add.

A temporary redirection URI is used at this step to complete the configuration in PingFederate. We will return to update this setting with the correct URI from MetaDefender Core later.

  8. Navigate to ALLOWED GRANT TYPES and tick Authorization Code.
  9. Navigate to DEFAULT ACCESS TOKEN MANAGER and select the Access Token Manager that was set up previously.
  10. Navigate to OPENID CONNECT and, under Policy, select the OpenID Connect policy that was set up previously.
  11. Click Save to complete.

Set up MetaDefender Core

Install PingFederate certificate

  1. On the homepage, go to SECURITY and click SSL Server Certificates.
  2. Click Create New to generate a new certificate.
  3. Complete the information for the new certificate, then click Next and Save.

COMMON NAME must refer to the domain or IP address hosting PingFederate.

  4. Activate the new certificate.

Activating the certificate will end all current sessions, and users will need to sign in to PingFederate again using the domain or IP specified in the certificate.

  5. Select the certificate and select Export.
  6. Retain the default settings and click Next.
  7. Click Export to download the certificate.
  8. Install the certificate on the server running MetaDefender Core.
  9. Restart MetaDefender Core for the changes to take effect.

Configure OIDC in MetaDefender Core

  1. Sign in to MetaDefender Core.
  2. In the dashboard, click User Management in the left sidebar.
  3. On the User Management page, select the Directories tab and click Add Directory in the top right corner.
  4. On the Add Directory page, select OIDC as the Directory type, and enter a name for the new directory, such as MDCore-OIDC.
  5. Click Fetch URL.
  6. Enter the PingFederate metadata URL and click OK.

The PingFederate metadata URL has the format <host>:<port>/.well-known/openid-configuration?policy_id=<policy_id>, in which:

  • host and port are the host/IP and port of the machine hosting PingFederate. The default port is 9031.
  • policy_id is the value stored from POLICY ID in the Set up OpenID Connect Policy Management stage.
  7. Under Service Provider, paste client_id and client_secret into the boxes under Client ID and Client secret respectively.
  8. Fill in Host or IP with the host or IP where MetaDefender Core is hosted, such as http://127.0.0.1:8008 for this example.
  9. Copy the Login URL and store it as login_url.

login_url is used to update the Redirection URI setting in PingFederate in the next stage.

  10. Fill in User Identified by with ${username}.
  11. Select the default role and choose the appropriate role for the login user.
  12. Click Add to complete.
  13. On the User Management page, toggle the new directory, MDCore-OIDC in this example. A dialog box will appear to confirm the action. Once Enable is clicked, all sessions will expire immediately.
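Before pasting the metadata URL into MetaDefender Core, it is worth confirming that the discovery document PingFederate publishes actually advertises what the stages above configured. The script below is an added example, not part of this guide or of either product: metadata_url() builds the URL in the format described above (the https scheme is an assumption, since the guide gives no scheme), and check_discovery() validates a discovery document against the Authorization Code grant, client-secret authentication, the profile and username scopes, and signed id_tokens; the embedded document is a constructed sample, so replace it with the JSON fetched from the real URL.

```python
import json
from urllib.parse import urlencode

# Settings the stages above configure, which the discovery document should reflect.
REQUIRED_SCOPES = {"profile", "username"}          # Scope Management stage
REQUIRED_RESPONSE_TYPE = "code"                     # Authorization Code grant ticked on the client
CLIENT_SECRET_AUTH = {"client_secret_basic", "client_secret_post"}  # CLIENT SECRET authentication

def metadata_url(host, policy_id, port=9031, scheme="https"):
    """Build <host>:<port>/.well-known/openid-configuration?policy_id=<policy_id>."""
    # The scheme is an assumption; the guide states the URL without one.
    query = urlencode({"policy_id": policy_id})
    return f"{scheme}://{host}:{port}/.well-known/openid-configuration?{query}"

def check_discovery(doc):
    """Return a list of problems; an empty list means the document fits the setup above."""
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"missing {key}")
    if not doc.get("issuer", "").startswith("https://"):
        problems.append("issuer is not an https URL")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    if REQUIRED_RESPONSE_TYPE not in doc.get("response_types_supported", []):
        problems.append("response_type 'code' not supported")
    if not CLIENT_SECRET_AUTH & set(doc.get("token_endpoint_auth_methods_supported", [])):
        problems.append("token endpoint does not accept client-secret authentication")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("unsigned id_tokens (alg 'none') are advertised")
    return problems

# Constructed sample document (illustrative host and paths, not captured from a real server).
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://pf.example.internal:9031",
  "authorization_endpoint": "https://pf.example.internal:9031/as/authorization.oauth2",
  "token_endpoint": "https://pf.example.internal:9031/as/token.oauth2",
  "jwks_uri": "https://pf.example.internal:9031/pf/JWKS",
  "scopes_supported": ["openid", "profile", "username"],
  "response_types_supported": ["code"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
  "id_token_signing_alg_values_supported": ["RS256"]
}""")

if __name__ == "__main__":
    print(metadata_url("pf.example.internal", "MDCorePolicy"))
    print(check_discovery(SAMPLE_DISCOVERY) or "discovery document matches the configured setup")
```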

Complete configuration in PingFederate

  1. Back in PingFederate, under OAuth, navigate to Clients in the sidebar.
  2. In the APPLICATIONS tab, navigate to Redirection URIs, click Edit, and replace the URI with the login_url copied from MetaDefender Core.
  3. Click Update and Save.

Test the integration

  1. On the home screen of MetaDefender Core, click Login; the user is redirected to the PingFederate sign-on page.
  2. Sign in using the account registered with PingFederate.
  3. If everything goes well, the MetaDefender Core dashboard is displayed with the user identity in the top right corner.
  4. Otherwise, access the backup login page at <mdcore-host>#/public/backuplogin for troubleshooting.