Ping Identity
Learn how to configure Ping Identity as an identity provider (IdP) to work with Pomerium.
While we do our best to keep our documentation up to date, changes to third-party systems are outside of our control. Refer to Adding an application from Ping's documentation as needed, or let us know if we need to update this page.
Before you start
To complete this guide:
- Install Pomerium.
- Create a free PingOne account. (This guide uses a PingOne for Workforce account.)
Configure PingOne
After creating a PingOne account and signing in, you'll be directed to the PingOne console.
Create an OIDC web app
In the PingOne console:
- From the Applications sidebar menu, select Applications and create a new application (+).
- Enter an Application Name and an optional description or logo.
- Select OIDC web app and Save.
Configure the OIDC web app
To configure your OIDC web app:
- Select the Configuration tab, then select the edit icon.
- In the Redirect URIs field, enter your authenticate service URL with the
/oauth2/callbackpath appended to it. - Select Save.
Next, configure attribute mappings:
- Select the Attribute Mappings tab, then select the edit icon.
- Select +Add.
- In the Attributes field, enter email.
- In the PingOne Mappings dropdown menu, select Email Address.
- Select Save.
Enable the OIDC web app with the toggle button:
Save the following details from the Configuration tab (you need these to configure Pomerium):
- Client ID
- Client Secret
- Issuer URL
Configure Pomerium
Update your Pomerium configuration to use Ping as the IdP:
- Zero
- Core
- Enterprise
idp_provider: 'ping'
idp_provider_url: 'https://auth.pingone.com/720dbe8a-83ed-48e1-9988-9928301ae668/as'
idp_client_id: 'CLIENT_ID'
idp_client_secret: 'CLIENT_SECRET'
See Groups - Directory Sync below for Enterprise configuration steps.
Configure Groups
- Custom Claim (Zero, Core)
- Directory Sync (Enterprise)
Custom Claim (Zero, Core)
A groups claim can be added to tokens returned from Ping by adding the claim to the "Attribute Mappings":
Now, when a user signs in their token will include a custom groups claim that contains groups they are a member of. You can use the claim PPL criterion in your authorization policy:
allow:
and:
- claim/groups: 49dfb9e6-f81f-4a1c-b4a3-d0122ebe4aab
The groups claim contains group IDs, not group names.
Directory Sync (Enterprise)
Pomerium Enterprise
Directory Sync is a feature available only in Pomerium Enterprise.
Create a Ping Worker application
In order for Pomerium to validate group membership, you need to configure a Worker application.
In the PingOne console:
- From the Applications sidebar menu, select Applications and create a new application (+).
- Enter an Application Name and an optional description or logo.
- Select Worker and Save.
In the Overview tab, save the following configuration details:
- Client ID
- Client Secret
- Environment ID
Configure Pomerium Enterprise Console
In the Enterprise console:
- Select Settings.
- Select Identity Providers.
- Select Ping and enter the Client ID, Client Secret, and Environment ID.
