PingOne (OIDC)

Prerequisites

Permissions required for registering and configuring an app in PingOne.

The account must have permission to manage applications in PingOne. Ideally the account should be in the Organization Admin role.

Implement Single Sign-On (SSO)

It is recommended to use two separate browser tabs for the Keycloak (K) and PingOne (P) portals to make it easier to apply the settings.

  1. (K) Open a new tab in your browser and login to the target Spark tenant. Access the Keycloak console from the User menu.

  2. (K) Login to the Keycloak Admin Console using your admin credentials.

  3. (K) Click Identity Providers from the left pane.

  4. (K) Expand the Add provider dropdown and choose OpenID Connect v1.0.

  5. (K) Fill in values for the Alias and Display Name fields. The Alias should be a lowercase name without special symbols. Please note this Display Name will appear in the button on the Spark login page.

  6. (K) Copy the Redirect URI value.

  7. (P) In a second browser tab, sign in to PingOne.

  8. (P) Click on Applications on the left pane.

  9. (P) Click (+) to add a new application.

  10. (P) Enter the Application Name.

  11. (P) Select OIDC Web App for Application Type.

  12. (P) Click Save.

  13. (P) In Configuration click on the edit icon.

  14. (P) Paste the Redirect URI copied from Keycloak into the Redirect URIs field.

  15. (P) Select Token Endpoint Authentication Method as Client Secret Post.

  16. (P) Click Save.

  17. (P) In Configuration expand the URLs.

  18. (P) Copy the OIDC Discovery Endpoint.

  19. (K) Return to Keycloak. Paste the OIDC Discovery Endpoint into the OIDC Discovery Endpoint field.

  20. (P) Switch to PingOne. Copy the Client ID.

  21. (K) Return to Keycloak. In the Client ID field, paste the value copied in the previous step.

  22. (P) Switch to PingOne. Copy the Client Secret.

  23. (K) Return to Keycloak. In the Client Secret field, paste the value copied in the previous step.

  24. (K) Click Add.

  25. (P) Switch to PingOne. Click on Attribute Mappings.

  26. (P) Click Edit.

  27. (P) Set the following mappings:

    Attributes    PingOne Mappings
    email         Email Address
    firstName     Given Name
    lastName      Family Name
    groups        Group Names

  28. (P) Close the Application pane.

  29. (P) Enable the toggle switch for the application.

  30. (K) Return to Keycloak. Click on the Mappers tab and then click on Add mapper.

  31. (K) Create 4 mappers with the following properties:

    1. Key                    Value
       Name                   firstName
       Sync mode override     Force
       Mapper type            Attribute Importer
       Claim                  firstName
       User Attribute Name    firstName

    2. Key                    Value
       Name                   lastName
       Sync mode override     Force
       Mapper type            Attribute Importer
       Claim                  lastName
       User Attribute Name    lastName

    3. Key                    Value
       Name                   email
       Sync mode override     Force
       Mapper type            Attribute Importer
       Claim                  email
       User Attribute Name    email

  32. Navigate to your Spark tenant and sign in using the newly created provider. There will be a button on the Keycloak login page with the display name defined earlier.

Configure PingOne groups to Spark user groups

It is recommended to use two separate browser tabs for the Keycloak (K) and PingOne (P) portals to make it easier to apply the settings. In this guide, we will set up automatic group assignment for the tenant-admin role.

  1. (P) In the first tab, sign in to PingOne.

  2. (P) Select Directory in the left pane and select Groups.

  3. (P) Click (+) to add a new group.

  4. (P) Enter tenant-admin into Group name and click Save.

  5. (P) Click on the Users tab and then click on Add Individually.

  6. (P) Select your test user and click Save.

  7. (K) Open a new tab in your browser and login to the target Spark tenant. Access the Keycloak console from the User menu.

  8. (K) Login to the Keycloak Admin Console using your admin credentials.

  9. (K) Select Identity Providers from the left pane and then the identity provider you configured in the previous section.

  10. (K) Select the Mappers tab and then Add mapper.

  11. (K) Provide the following values:

    Name                  Value
    Name                  tenant-admin
    Sync mode override    force
    Mapper type           Advanced Claim to Group

  12. (K) Click Add Claims.

  13. (K) Provide the following values:

    Key       Value
    groups    tenant-admin

  14. (K) Leave Regex Claim Values as Off (which is the default).

  15. (K) Click Select Group, choose tenant-admin, then click Select.

  16. (K) Click Save.

  17. Sign in to Coherent Spark with your test account. Click on your initials and hover over the groups icon to confirm your membership in tenant-admin.

  18. We highly recommend creating at least a few additional groups relevant for Private tenants:

    • Group for supervisor:pf user accounts. In Spark, supervisor:pf members can manage permissions across all folders.

    • Groups for "standard" user accounts, e.g. user:teamA, user:teamB. These groups can be assigned to the users in your organization not responsible for tenant administration. Creating multiple groups for "standard" user accounts can be useful to separate access between teams.
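To see what the mappers configured in the two sections above do with an incoming ID token, here is an added Python example (it is not part of this guide and not Keycloak's own code) that simulates the three Attribute Importer mappers and the Advanced Claim to Group mapper against constructed token claims. The matching rules it encodes (a list-valued claim such as `groups` matches if any element matches; Regex Claim Values Off means an exact string comparison, On means a full regex match) are assumptions about Keycloak's behaviour, and the sample token values are made up.

```python
import json
import re

# Constructed ID-token payload, shaped like what PingOne would issue after the
# attribute mappings in this guide (all values are made up for the example).
SAMPLE_ID_TOKEN_PAYLOAD = json.dumps({
    "email": "alice@example.com",
    "firstName": "Alice",
    "lastName": "Example",
    "groups": ["tenant-admin", "user:teamA"],
})

# The Attribute Importer mappers from the SSO section: claim -> user attribute.
# With Sync mode override = Force, Keycloak re-imports them on every login.
ATTRIBUTE_IMPORTERS = [
    {"claim": "firstName", "user_attribute": "firstName"},
    {"claim": "lastName", "user_attribute": "lastName"},
    {"claim": "email", "user_attribute": "email"},
]

# The Advanced Claim to Group mapper from the groups section. Every claim listed
# in "claims" must match for the group to be granted; regex is Off as in step 14.
GROUP_MAPPERS = [
    {"group": "tenant-admin", "claims": {"groups": "tenant-admin"}, "regex": False},
]

def import_attributes(claims, mappers):
    """Return the user attributes the Attribute Importer mappers would set."""
    return {m["user_attribute"]: claims[m["claim"]]
            for m in mappers if m["claim"] in claims}

def claim_matches(claim_value, expected, regex):
    """Assumed semantics: list claims match if any element matches; exact unless regex."""
    values = claim_value if isinstance(claim_value, list) else [claim_value]
    if regex:
        return any(re.fullmatch(expected, str(v)) for v in values)
    return any(str(v) == expected for v in values)

def resolve_groups(claims, mappers):
    """Return the Keycloak groups granted for these claims, in mapper order."""
    return [m["group"] for m in mappers
            if all(k in claims and claim_matches(claims[k], v, m["regex"])
                   for k, v in m["claims"].items())]

def evaluate_token(payload_json, importers=ATTRIBUTE_IMPORTERS, group_mappers=GROUP_MAPPERS):
    """Run all mappers over a raw ID-token payload (JSON text)."""
    claims = json.loads(payload_json)
    return {"attributes": import_attributes(claims, importers),
            "groups": resolve_groups(claims, group_mappers)}
```

Note that with Regex Claim Values Off a group named `tenant-admin-test` in PingOne does not grant the Keycloak `tenant-admin` group, which is the safer default for an admin role.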
