In the previous instalments I demonstrated how to implement OpenID Connect (OIDC) applications with Keycloak and AzureAD Identity Platform leveraging Kyma functions. This brief is to focus on PingOne identity platform acting as an OpenID Connect (OIDC) provider to allow to create OIDC applications for user authentication. |
PingIdentity is a popular, enterprise-grade identity management platform. Kyma functions offer a first class, enterprise-grade cloud native development and workload orchestration experience. Let's see how these two can work together in tandem as a powerful cloud native integration instrument. Pre-requisistes:
Disclaimer:
|
That's a relatively straightforward operation that you can perform from your PingIdentity admin console using a new application wizard, as depicted below: Goto Connections/Applications/New Application/Advanced Configuration/OIDC Configure: A simple 4-step wizard would open inviting you to create application profile, to add redirect uris, to grant user resources access authorizations (scopes) and last but not least to map user authentication attributes like email address, user name etc. On a side note, you may watch any public youtube video describing this process for instance:
After completing the wizard the newly created application would appear in the applications list. PingIdentity admin console offers full control over the application's settings and its life cycle. Each application can be entirely disconnected (disabled) and/or its settings be amended at any point of time at the discretion of the platform administrator. Good to know:
|
WHAT | HOW |
a. Get OIDC provider metadata. | We can discover PingOne OIDC provider metadata by appending the /.well-known/openid-configuration suffix to the provider environment (tenant) path as follows:
Please refer to the following gist for more details. |
b. Retrieve a user JWT with PingOne OIDC provider | This has been done programmatically. I opted for simplicity and did it in nodejs with the openid-client library as an inline kyma function. This is shown in the following gist. |
c. Use an API Rule to expose a user JWT kyma function endpoint | Last but not least let us leverage the power and simplicity of a kyma function...as shown here. Let's expose a function'a user JWT endpoint via an API rule and eventually generate a user's JWT by calling the /openid endpoint as shown here. |
PingIdentity resembles to some extent our own SAP IAS. For instance, applications and users management are quite a straightforward task. It is also easy to upload your own certificate keypairs for SAML assertion signing and/or encryption. Furthermore, the concept of an environment can be assimilated to a SAP IAS tenant. As the PingIdentity trial period is relatively short I did not have time to explore its more advanced features like for instance the federation or the on-premise LDAP connectivity. Overall, all the concepts and terminology from the pingOne documentation are rather consistent and comparable to the experience you may have gained with other identity platforms like: SAP IAS, Okta, Keycloak and AzureAD, etc... |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
34 | |
25 | |
12 | |
7 | |
7 | |
6 | |
6 | |
6 | |
5 | |
4 |