In the previous instalments I demonstrated how to implement OpenID Connect (OIDC) applications with Keycloak and AzureAD Identity Platform leveraging Kyma functions.

This brief is to focus on PingOne identity platform acting as an OpenID Connect (OIDC) provider to allow to create OIDC applications for user authentication.

PingIdentity is a popular, enterprise-grade identity management platform.

Kyma functions offer a first class, enterprise-grade cloud native development and workload orchestration experience.

Let’s see how these two can work together in tandem as a powerful cloud native integration instrument.

Pre-requisistes:

• Access to Kyma runtime on SAP BTP (Free-tier, Free-trial, etc.)
• Access to PingOne identity platform (https://www.pingidentity.com/en/support/faq.html#trial)

Disclaimer:

• The ideas presented in this blog are personal insights thus not necessarily endorsed by SAP.

• This is not a tutorial. Please note all the code snippets and gists are provided “as is”.
• This is a playground only. All the x509 certificates, bearer access and refresh tokens and the likes have been redacted.
• Images/data in this blog post may come from trial sandbox, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Goto Connections/Applications/New Application/Advanced Configuration/OIDC Configure:

A simple 4-step wizard would open inviting you to create application profile, to add redirect uris, to grant user resources access authorizations (scopes) and last but not least to map user authentication attributes like email address, user name etc.

On a side note, you may watch any public youtube video describing this process for instance:

• https://videos.pingidentity.com/detail/videos/pingone-sso/video/6069796987001/how-to-create-a-new-app-connection
• https://youtu.be/NTlKjMtk58s?t=129

After completing the wizard the newly created application would appear in the applications list.

PingIdentity admin console offers full control over the application’s settings and its life cycle.

Each application can be entirely disconnected (disabled) and/or its settings be amended at any point of time at the discretion of the platform administrator.

Good to know:

• PingIdentity supports OpenID connect protocol with a variety of grant types to authenticate users (authorization code, implicit, client credentials, etc.)
• Different grant types can be combined together.
• As we have enabled the authorization code grant type, we need to provide a redirect URI.

• https://auth.pingone.eu/<env>/as/.well-known/openid-configuration

Please refer to the following gist for more details.

This has been done programmatically. I opted for simplicity and did it in nodejs with the openid-client library as an inline kyma function.

This is shown in the following gist.

Last but not least let us leverage the power and simplicity of a kyma function…as shown here.

Let’s expose a function’a user JWT endpoint via an API rule and eventually generate a user’s JWT by calling the /openid endpoint as shown here.

PingIdentity resembles to some extent our own SAP IAS. For instance, applications and users management are quite a straightforward task. It is also easy to upload your own certificate keypairs for SAML assertion signing and/or encryption.

Furthermore, the concept of an environment can be assimilated to a SAP IAS tenant.

As the PingIdentity trial period is relatively short I did not have time to explore its more advanced features like for instance the federation or the on-premise LDAP connectivity.

Overall, all the concepts and terminology from the pingOne documentation are rather consistent and comparable to the experience you may have gained with other identity platforms like: SAP IAS, Okta, Keycloak and AzureAD, etc…