Page History
...
Policy ID | A unique identifier of the policy |
Name | A unique and recognizable name for this policy |
Access Token Manager | JSON Web Tokens |
INCLUDE USER INFO IN ID TOKEN | ✅ Checked |
Click Next.
Under Attribute Contract leave only email, family_name and given_name:
Click Next.
Under Attribute Scopes add profile and select the email attribute manually. Don’t forget to press Add.
Click Next.
Under Attribute Sources & User Lookup, click Add Attribute Source. Fill in the following information for the attribute source datastore:
Attribute Source ID | A unique identifier of the attribute source |
Attribute Source Description | A description for the attribute source |
Active Data Store | pingdirectory |
This will automatically fill in the store type as LDAP.
Click Next.
Under LDAP Directory Search tab fill in the following:
Base DN | dc=example,dc=com |
Attributes to return from search: Select <Show all attributes> and add the following attributes: | mail cn sn |
Click Next.
Under LDAP Filter put the following as filter:
Code Block | ||
---|---|---|
| ||
entryUUID=${Username} |
Click Done.
Back on the OIDC Policy management under Contract Fulfillment select the source to take the corresponding OAuth claims from as follows:
Go to Summary page and click Save.
Creating an OAuth client in PingFederate
Open PingFederate’s administrative UI, go to Applications > OAuth > Clients and create a New Client.
Fill in the following fields:
Client ID | The <client id> |
Name | A unique and recognizable name |
Client Authentication | CLIENT SECRET. After selecting this option a new field called Client Secret will be displayed underneath |
Client Secret | The <client secret> |
Allowed Grant Types | Authorization Code |
OpenID Connect > Policy | The policy, created in the previous section |
UI Text Box | ||
---|---|---|
| ||
The <client id> and <client secret> are provided by Chaos during the onboarding process. |
Click Save.
Configure User datastore
In this guide we are using Ping Identity’s own LDAP solution - PingDirectory.
If your setup depends on another user repository type, some steps may be different. To start with LDAP navigate to System > Data & Credential Stores > Data Stores and Add New Data Store.
Pick a unique name and select LDAP as store type. Follow the instructions in PingFederate’s documentation on how to configure an LDAP connection.
Create a SCIM SP Connection
In Applications > Integration > SP Connections click Create Connection.
Select Do not use a template for this connection and click Next.
On the Connection Type tab select Outbound Provisioning and from the new drop-down menu select Type: SCIM Connector.
UI Text Box | ||
---|---|---|
| ||
The SCIM Connector type will only show if you’ve successfully installed the SCIM Connector from the PingFederate configuration section above and restarted PingFederate after doing so. Using SCIM 1.1 Service Provider will not work. |
Click Next.
In the General Info tab fill in:
Partner’s Entity ID | A unique ID identifying the partner connection |
Connection Name | A unique and recognizable name for this connection |
Click Next.
On the Outbound Provisioning click Configure Provisioning.
In the Target tab fill in the following:
SCIM URL | https://dev.scim.chaos.com/<tenant id>/v2 |
SCIM Version | 2.0 |
Authentication Method | OAuth 2 Bearer Token |
Access Token | <access token> |
Unique User Identifier | workEmail |
Users API Path | /Users |
Provisioning Options | Select:
|
Remove User Action | Possible options are:
Chaos recommends picking Delete User |
UI Text Box | ||
---|---|---|
| ||
The <tenant id>, part of the SCIM URL and the <access token> are provided by Chaos during the onboarding process. |
Click Next. In the Manage Channels tab press the Create button.
Pick a unique and recognizable Channel Name.
Click Next.
In the Source tab select the DataStore, configured earlier in this guide. Click Next.
In the Source Settings tab fill in the following:
Entity GUID Attribute | entityUUID |
GUID Type | Text |
Group Member Attribute | uniqueMember |
User Object Class | person |
Group Object Class | groupOfUniqueNames |
Changed Users/Groups Algorithm | Timestamp No Negation |
Timestamp Attribute | modifyTimestamp |
Account Status Attribute | accountLocked |
Account Status Algorithm | Flag |
Default Status | true |
Flag Comparison Value | true Note that this value is case sensitive. If the attribute value is set as TRUE in LDAP, the comparison here will not pass and the account won’t be locked. |
Flag Comparison Status | false |
UI Text Box | ||
---|---|---|
| ||
These settings are only applicable in case you are using PingDirectory (Ping Identity’s LDAP server) as a user repository. Consult PingFederate’s documentation if you are using a different User repository datastore. |
Click Next.
In the Source Location tab fill in:
Base DN | dc=example,dc=com |
Users Filter | (&(uid=*)(objectClass=person)) |
Click Next.
In the Attribute Mapping tab configure:
userName | uid |
workEmail | |
familyName | sn |
givenName | cn |
UI Text Box | ||
---|---|---|
| ||
Configure any additional fields, listed in Basics > SCIM as per your schema definition and needs. |
UI Text Box | ||
---|---|---|
| ||
The required active field is automatically calculated based on the configuration, defined in the Source Settings tab earlier. It depends on the Account Status Attribute and Account Status Algorithm and the flag combinations set in that section. An excerpt from the PingFederate’s official documentation reads: "Flag Comparison Status: Indicates whether the user is enabled or disabled when the flag has the value specified in the Flag Comparison Value field. Setting the value to true equals enabled, while setting the value to false equals disabled. Example: if the Account Status Attribute is set to nsaccountlock, and the Flag Comparison Value is set to true, and the Flag Comparison Status is set to false, then any users with nsaccountlock=true are disabled." |
Click Save to save the SP Connection.