SSO with OIDC

Overview

This guide demonstrates how to configure PingFederate as an OIDC Identity Provider (IdP) and TigerGraph as a Service Provider (SP), enabling users to log in securely using OpenID Connect (OIDC) for Single Sign-On (SSO).

PingFederate is a federation server that supports identity management, SSO, and API security using various identity standards like OAuth, SAML, and OpenID Connect (OIDC). We also have instructions for SSO with SAML.

This guide will help you set up PingFederate for OIDC and integrate it with TigerGraph to provide a seamless login experience.

Prerequisites

Before proceeding, ensure you have the following:

  • PingFederate Version 12.1.0.4 or later is installed and running.

  • TigerGraph instance (v3.10 or later) accessible at http://<tigergraph-host>:14240.

  • Administrative access to both PingFederate and TigerGraph servers.

  • A domain name to avoid SSL certificate issues when accessing PingFederate.

Install PingFederate

Follow these steps to install PingFederate on your server (details on system requirements are available in the PingFederate installation documentation)

  1. Download and install PingFederate by following the instructions on the PingFederate Download Page.

  2. Set up Java and ensure ports 9999 (admin console), 9031 (runtime), and 443 (SSL) are open on PingFederate.

  3. Access PingFederate using a web browser at https://<PingFed_host>:9999/.

Configure PingFederate for OIDC

To configure PingFederate for OIDC, follow these steps:

Add a User

  1. Log in to the PingFederate Console. ' Navigate to Administrative Accounts to add a new user.

  2. Add a username, e.g., test. Add an email, e.g., test1@<your company>.com.

Create Password Credential Validator (PCV)

  1. In PingFederate, go to Password Credential Validator.

  2. Create a SimplePCV instance and select “Simple Username Password Credential Validator” as type.

  3. Save the PCV.

Create IDP Certificate

  1. Navigate to “Signing & Decryption Keys & Certificates” in PingFederate.

  2. Add a certificate for the IDP Server using the <PingFed_host>

Add Access Token Manager

  1. Navigate to Applications > OAuth > Access Token Management.

  2. Click Create New Instance.

  3. In the Type tab, input the name of the instance (e.g., TigerGraphTokenManager).

  4. In the Session Validation section, enable the following options:

    • Select Include Session Identifier in Access Token.

    • Check Update Authentication Session Activity.

  5. Under the Access Token Attribute Contract, add the attribute Extend the Contract and select usernameFromATM.

  6. In the Resource URIs tab, add the following URI:

  7. In the Access Control tab, add your client (e.g., the client you created earlier).

  8. Click Save to apply the changes.

Create OIDC Policy

  1. Go to Applications > OAuth > OpenID Connect Policy Management.

  2. Add a new policy and set the Access Token Manager to the one you created above (TigerGraphTokenManager).

  3. In the Attribute Scopes tab, include email scope.

Configure Access Token Mappings

  1. Navigate to Applications > OAuth > Access Token Mappings.

  2. Select your context and access token manager, then click Add Mapping.

  3. In the Contract Fulfillment tab, configure the following:

    • Select your contract.

    • Choose Adapter for the source and username for the value.

  4. Click Save to finalize the mapping.

Add IdP Adapter

  1. Go to Authentication > Integration > IdP Adapters and click Create Adapter Instance.

  2. Choose HTML Form IdP Adapter as the Instance Type.

    • Set Instance Name and Instance ID to SSOTestIdPHTML.

  3. Click Next and add SimplePCV as the Password Credential Validator.

    • Set Session State to Per Adapter.

  4. In the Core Contract section, select username.

  5. Click Next, and in Adapter Attributes, check Pseudonym for username.

  6. In Adapter Contract Mapping, map username to $(username).

  7. Click Done, review the summary, and click Finish.

Create Client

  1. Navigate to Applications > OAuth. Click Add Client

  2. Input the following:

    • Client ID: Choose a unique identifier for the client (e.g., TigerGraphClient).

    • Name: Provide a meaningful name (e.g., TigerGraph OIDC Client).

  3. For Client Authentication, select Client Secret and click Generate Secret.

    • Important: Make sure to save the generated secret as you will need it in the TigerGraph configuration.

  4. Under Redirect URIs, input the URI:

  5. Under Restrict Common Scopes, select the appropriate scope (e.g., openid, email, profile).

  6. For Allowed Grant Types, select:

    • Authorization Code and Client Credentials.

  7. In Access Token Validation, select the Default Access Token Manager you created earlier.

    • Choose Restrict to Default Access Token Manager.

  8. For the ID Token Signing Algorithm, select RSA using SHA-256.

  9. Click Save to apply the configuration.

Set Up SP Connection in PingFederate for OIDC

In PingFederate, create an SP connection for OIDC by following these steps:

  1. Navigate to Applications > Integration > SP Connections (hyperlink to SP Connections) and click Create Connection.

  2. Select Browser SSO Profiles connection template and click Next.

  3. On the Connection Options page, check Browser SSO and click Next.

  4. Skip the Metadata URL step and click Next.

  5. Enter Partner’s Entity ID: https://<PingFed_host>:9031 and Base URL: http://<tigergraph-machine-hostname>:14240, then click Next.

  6. Click Configure Browser SSO on the Browser SSO tab.

  7. Enable both IdP-Initiated SSO and SP-Initiated SSO on the SAML Profiles tab, then click Next.

  8. Set the Assertion Lifetime and click Next.

  9. Choose Standard Identity Mapping on the Assertion Creation tab, then click Next.

  10. Change Subject Name Format to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified or urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, then click Next.

  11. Select the Authentication Source and Adapter Instance, then click Next.

  12. Set SAML_SUBJECT Source to your adapter and Value to username, then click Next.

  13. Specify any authorization conditions (optional), then click Next and Done.

  14. On the Protocol Settings tab, set Binding to POST and Endpoint URL to http://<tigergraph-machine-hostname>:14240/api/auth/saml/acs, then click Next.

  15. On the Signature Policy tab, check SIGN RESPONSE AS REQUIRED and click Next. Click Done on the Protocol Settings Summary and then Next on the Credentials tab.

  16. Select the signing certificate created earlier, click Next, and then click Done on the Digital Signature Settings Summary.

  17. On the Activation & Summary tab, review the settings and click Save.

Configure and Test OIDC in TigerGraph

Configure OIDC in TigerGraph using gadmin

  1. On the TigerGraph server, use the following gadmin command to enter OIDC settings:

    • gadmin config entry OIDC

  2. Fill in the following parameters using the metadata found at the provided OpenID Configuration URL

Parameter Value

Security.SSO.OIDC.Enable

true

Security.SSO.OIDC.CallBackUrl

http://<tigergraph-machine-hostname>:14240

Security.SSO.OIDC.ResponseType

code

Security.SSO.OIDC.Scope

openid profile email

Security.SSO.OIDC.OP.SSOUrl

https://<pingfederate-host-name>:9031/as/authorization.oauth2

Security.SSO.OIDC.OP.Issuer

https://<pingfederate-host-name>:9031

Security.SSO.OIDC.OP.ClientId

TigerGraphTest

Security.SSO.OIDC.OP.ClientSecret

<client-secret>

3 Apply the configuration: gadmin config apply -y

Final Steps in Admin Portal

For the final steps, see the Admin Portal documentation for detailed instructions on configuring users and verifying OIDC login.

Troubleshooting

Issue Solution

SSL Certificate Warnings

Use a domain (e.g., idp.example.com) instead of an IP for PingFederate.

Invalid Client Secret

Ensure the secret matches the one configured in PingFederate.

User Not Authorized

Verify proxy group rules and role assignments in Admin Portal.

Login Redirect Failures

Confirm the Redirect URI in PingFederate matches http://<tigergraph-host>:14240/api/auth/oidc/callback.