Use Case
This tutorial provides details on how to configure Ping Identity and Vault in order to allow operators to authenticate to Vault via Ping Identity using OIDC.
Notes
The following should be noted before beginning:
- This tutorial uses the standard mount point path in Vault called oidc.
- It does not implement any additional configuration in Ping Identity in regards to MFA or logon policy as it is intended as a starting point only.
- Tested on Vault Enterprise 1.14.0.
Procedure
The following is completed within the Ping Identity web interface:
- Open the Ping Identity interface and navigate to Connections > Applications, then add a new application, selecting the Application Type as OIDC Web App.
- Open the newly created application in Ping Identity and select the Configuration tab, then enter edit mode using the pencil icon.
- Populate the required Redirect URIs field accordingly; in this example each of the following entries is added separately: https://vault.nicecorp.org:8200/ui/vault/auth/oidc/oidc/callback and http://localhost:8250.
  - In this demo the Vault address is https://vault.nicecorp.org:8200.
  - The first 'oidc' in the redirect URI above references the mount point within Vault; the second is the fixed callback path of the auth method.
  - Login via the Vault CLI uses the localhost:8250 address and is included as a redirect URI. The CLI sends http://localhost:8250/oidc/callback as its redirect URI (the value the Vault role below allows), so register that full value if Ping Identity rejects the shorter form.
- Save the configuration changes once all necessary URIs have been added.
- While still on the Configuration tab expand the General section in the bottom half of the page.
- Copy the Client ID value and export it as the PING_CLIENT_ID variable in a terminal session, e.g.
export PING_CLIENT_ID=4534534-bb1d-43f7-862f-4354354353
- Copy the Client Secret and export it as the PING_SECRET variable in the same terminal session, single-quoting it because secrets routinely contain characters the shell interprets, e.g.
export PING_SECRET='b56435b43t43~b43t3434-3tTF6B_~t34bt463434~dwqdwqdqwdqw'
- Copy the Issuer URI and export it as the PING_DISCOVERY_URL variable in the same terminal session, e.g.
export PING_DISCOVERY_URL=https://auth.pingone.asia/32423432a-f7d0-43db-b0d2-cjm324932cn849/as
  - The TLD of the domain will change according to the region of the Ping Identity customer account.
  - The UUID string reflects the Environment ID of the Ping Identity customer account.
- In the terminal session run
echo $PING_CLIENT_ID; echo $PING_SECRET; echo $PING_DISCOVERY_URL
and confirm three unique values are displayed. Be aware that exporting a secret on the command line records it in the shell history; unset PING_SECRET once the Vault configuration has been written.
The following steps will be performed in the terminal:
- Enable the OIDC auth method in Vault using
vault auth enable oidc
- Write the OIDC configuration to Vault using
vault write auth/oidc/config oidc_discovery_url="$PING_DISCOVERY_URL" oidc_client_id="$PING_CLIENT_ID" oidc_client_secret="$PING_SECRET" default_role=ping-admin-role
  - Write the configuration before creating the role. Vault contacts the discovery URL when the config is written, so a wrong or unreachable Issuer URI is reported at this step rather than at login time.
- Create a role for use with the OIDC auth method in Vault called ping-admin-role using
vault write auth/oidc/role/ping-admin-role bound_audiences="$PING_CLIENT_ID" allowed_redirect_uris="https://vault.nicecorp.org:8200/ui/vault/auth/oidc/oidc/callback" allowed_redirect_uris="http://localhost:8250/oidc/callback" user_claim="sub" token_policies="admin"
  - Adjust your allowed_redirect_uris to suit your environment, and add additional allowed_redirect_uris entries as separate values (the Vault CLI turns a repeated key into a list).
  - bound_audiences pins the ID token's aud claim to this Ping Identity application's Client ID, and user_claim="sub" makes the Ping Identity user identifier the name of the Vault entity alias.
  - token_policies="admin" assumes a Vault policy named admin already exists; create it, or substitute the policy you intend operators to receive.
- Login to the Vault UI while selecting OIDC as the auth method, or via the CLI with a command such as
vault login -method=oidc role=ping-admin-role
- If either login request fails with an invalid redirect URI response from Vault or Ping Identity you will need to add the missing entry as a separate allowed_redirect_uris entry to the role (for a Vault error) or to the application's Redirect URIs (for a Ping Identity error). Vault compares the redirect URI exactly against allowed_redirect_uris, including scheme, host, port and path.
- If still experiencing issues with incorrect redirect URIs you can monitor the Vault operational logs in trace mode while performing an OIDC login, in a terminal, using the command
vault monitor -log-level=trace
as Vault will report a WARN level event such as
[WARN] auth.oidc.auth_oidc_934d53dc: unauthorized redirect_uri: redirect_uri=https://vault.meancorp.org:8200/ui/vault/auth/oidc/oidc/callback
any time an unauthorised redirect URI is observed.
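As an added example for the procedure above (not part of the original article, and not HashiCorp or Ping Identity code), the POSIX shell helpers below derive the redirect URIs Vault will actually send for a given Vault address and OIDC mount path, report which of them are missing from what was registered using the same exact string comparison Vault applies, pull the rejected URI out of a vault monitor WARN line, and assemble a correctly quoted role write with one allowed_redirect_uris entry per URI. It assumes the UI callback path https://<addr>/ui/vault/auth/<mount>/oidc/callback and the CLI listener http://localhost:8250/oidc/callback, which are the values the role above allows; the Vault address, client ID and log line are the article's, reused as constructed sample input.

```shell
#!/bin/sh
# Added example helpers for the Ping Identity / Vault OIDC tutorial.
# Not HashiCorp or Ping Identity code; all values below are constructed.

# Print the two redirect URIs Vault sends: the UI callback
# https://<addr>/ui/vault/auth/<mount>/oidc/callback and the CLI listener
# http://localhost:8250/oidc/callback (assumed; matches the role in the article).
expected_redirect_uris() {
  er_addr="${1%/}"          # strip a trailing slash from the Vault address
  er_mount="${2:-oidc}"     # mount path; the article uses the default, oidc
  printf '%s\n' "${er_addr}/ui/vault/auth/${er_mount}/oidc/callback" \
    "http://localhost:8250/oidc/callback"
}

# Print each expected URI that is absent from the registered list (remaining
# args). Comparison is exact, as Vault's allowed_redirect_uris check is, so
# http://localhost:8250 does not cover http://localhost:8250/oidc/callback.
missing_redirect_uris() {
  mr_addr="$1"; mr_mount="$2"; shift 2
  for expected in $(expected_redirect_uris "$mr_addr" "$mr_mount"); do
    found=0
    for registered in "$@"; do
      if [ "$registered" = "$expected" ]; then found=1; break; fi
    done
    if [ "$found" -eq 0 ]; then printf '%s\n' "$expected"; fi
  done
}

# Extract redirect_uri=... from the WARN line Vault emits under
# `vault monitor -log-level=trace` (format taken from the article).
unauthorized_uri_from_log() {
  printf '%s\n' "$1" | sed -n 's/.*unauthorized redirect_uri: redirect_uri=\([^ ]*\).*/\1/p'
}

# Build the role write with one quoted allowed_redirect_uris=... per URI
# (remaining args); the Vault CLI turns the repeated key into a list.
role_write_command() {
  rw_role="$1"; rw_client_id="$2"; rw_policy="$3"; shift 3
  rw_cmd="vault write auth/oidc/role/${rw_role} bound_audiences=\"${rw_client_id}\" user_claim=\"sub\" token_policies=\"${rw_policy}\""
  for rw_uri in "$@"; do
    rw_cmd="${rw_cmd} allowed_redirect_uris=\"${rw_uri}\""
  done
  printf '%s\n' "$rw_cmd"
}

# Demo with the article's values. The Ping registration below mirrors the
# article (full UI callback, bare http://localhost:8250), so the CLI callback
# shows up as missing.
VAULT_ADDR="https://vault.nicecorp.org:8200"
printf 'Missing from the Ping Identity registration:\n'
missing_redirect_uris "$VAULT_ADDR" oidc \
  "https://vault.nicecorp.org:8200/ui/vault/auth/oidc/oidc/callback" \
  "http://localhost:8250"
printf 'Rejected URI from a constructed vault monitor line:\n'
unauthorized_uri_from_log '[WARN]  auth.oidc.auth_oidc_934d53dc: unauthorized redirect_uri: redirect_uri=https://vault.meancorp.org:8200/ui/vault/auth/oidc/oidc/callback'
printf 'Role write to run:\n'
role_write_command ping-admin-role "${PING_CLIENT_ID:-4534534-bb1d-43f7-862f-4354354353}" admin \
  $(expected_redirect_uris "$VAULT_ADDR" oidc)
```

Run it after exporting PING_CLIENT_ID as described above; the last line it prints is the role command to paste, and the missing list is what to add to the Ping Identity application before retrying the CLI login.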
Additional Information
- Vault OIDC/JWT authentication overview - https://developer.hashicorp.com/vault/tutorials/auth-methods/oidc-auth
- JWT auth method additional configuration document - https://developer.hashicorp.com/vault/docs/auth/jwt