
Configuring PingIdentity® as an External IDP for EDI

Ping must be configured with the proper Applications, Resources, and attribute mappings to satisfy the Identity Provider requirements of EDI.

1 Create a Resource

1.1 Create a Ping Resource for OSDU on AWS

  • Resource audience must have the value OSDU.

Ping Resource

1.2 Add two scopes to the resource

  1. osduOnAws/osduOnAWSService
  2. osduOnAws/osduOnAWSUser

Ping Resource Scopes

1.3 Add attribute mapping for username

The resource must have an attribute mapping from the Email Attribute to username. The attribute name username is the one the OSDU Istio filters expect.

Ping Resource Attributes

2 Create an Application for the Service Principal

2.1 Create an OIDC Web App type Application

Ping Application Service

2.2 Configure the application to use the Client Credentials auth flow and Client Secret Basic as the Token Endpoint Authentication Method

Ping Application Service Config

2.3 Add osduOnAWS/osduOnAWSService as an allowed scope

Ping Application Service Scopes

2.4 Turn on the Application

2.5 Confirm the Service Principal Application is properly configured

Ping Application for Service Complete

3 Create an Application for the Human Users

3.1 Create an OIDC Web App type Application

Ping Application Humans

3.2 Add the EDI Console's Login URL as a redirect URL

https://my-env.edi.awsenergy.47lining.com/login

Ping Application for Humans Redirect URI

3.3 Set Token Endpoint Authentication Method to NONE

Ping Application for Humans Scopes

3.4 Add the EDI Console's Login URL as a Signoff URL

https://my-env.edi.awsenergy.47lining.com/login

Ping Application for Humans Signoff URI

3.5 Add osduOnAWS/osduOnAWSUser as an allowed scope

Ping Application for Humans Scopes

3.6 Turn on the Application

3.7 Confirm the Human User Application is properly configured

Ping Application for Humans Complete

4 Validate Service Principal Authentication

Using a tool such as Postman, execute the authentication flow for the Service Principal.

Ping Authentication Test for Service Principal

The access token received must contain the scope osduOnAws/osduOnAWSService. Scope values are case-sensitive, so the value in the token must match the scope defined on the resource exactly.

Ping Authentication Test for Service Principal Token

5 Validate Human User Authentication

Using a tool such as Postman, execute the authentication flow for a human user.

Ping Authentication Test for Humans

The access token received must contain a username attribute with the value matching the user's email address. The value of this attribute will be used to map a user to their entitlements in OSDU.

Ping Authentication Test for Humans Token

6 Confirm JWKS Endpoint populates alg field

By default, Ping does not populate the alg field in the JWKS endpoint. This field must be populated for IDP integration with EDI.

The default Ping JWKS endpoint is https://auth.pingone.com/<ping-environment-id>/as/jwks

Some Ping commercial offerings have features to set the alg field in the Ping-provided JWKS endpoint. An alternative is to create a proxy which adds the alg field to the JWKS information and use the proxy endpoint when configuring EDI.
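The proxy alternative described above, written as an added example (not part of the original page or of Ping's or EDI's own tooling): it fetches the upstream JWKS, adds an alg member to every signing key that lacks one, and serves the result. The algorithm defaults (RS256 for RSA keys, ES256/384/512 chosen by EC curve), the listening port, and the sample key set are assumptions; the upstream URL is the Ping endpoint from the page with its placeholder left in.

```python
import json
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Any, Dict, Optional

# Upstream Ping JWKS URL from the page; <ping-environment-id> is a placeholder to fill in.
UPSTREAM_JWKS = "https://auth.pingone.com/<ping-environment-id>/as/jwks"
# Assumed defaults: RS256 for RSA keys, ES* chosen by curve for EC keys. Confirm against the
# "alg" header of a token obtained in the validation steps above before relying on the proxy.
RSA_DEFAULT_ALG = "RS256"
EC_CURVE_ALG = {"P-256": "ES256", "P-384": "ES384", "P-521": "ES512"}

def infer_alg(key: Dict[str, Any]) -> Optional[str]:
    """JWS algorithm implied by key type and curve; None if it cannot be determined."""
    if key.get("kty") == "RSA":
        return RSA_DEFAULT_ALG
    if key.get("kty") == "EC":
        return EC_CURVE_ALG.get(key.get("crv", ""))
    return None

def add_alg_to_jwks(jwks: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of the JWKS where every signing key carries 'alg'. Existing values are kept,
    keys marked use=enc pass through untouched, and an unknown key type is an error."""
    fixed = []
    for key in jwks.get("keys", []):
        k = dict(key)  # never mutate the upstream document in place
        if "alg" not in k and k.get("use", "sig") == "sig":
            alg = infer_alg(k)
            if alg is None:
                raise ValueError(f"cannot infer alg for kid={k.get('kid')!r}")
            k["alg"] = alg
        fixed.append(k)
    return {"keys": fixed}

class JwksProxy(BaseHTTPRequestHandler):
    """Serves the upstream JWKS with 'alg' filled in; configure EDI with this endpoint."""
    def do_GET(self) -> None:
        with urllib.request.urlopen(UPSTREAM_JWKS, timeout=5) as resp:
            body = json.dumps(add_alg_to_jwks(json.load(resp))).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

# Constructed sample in the shape Ping returns without 'alg'; key material is dummy, not real.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "k1", "use": "sig", "n": "AQAB", "e": "AQAB"},
                        {"kty": "EC", "kid": "k2", "crv": "P-256", "x": "AA", "y": "AA"}]}

if __name__ == "__main__":
    print(json.dumps(add_alg_to_jwks(SAMPLE_JWKS), indent=2))
    HTTPServer(("127.0.0.1", 8080), JwksProxy).serve_forever()
```

Run behind TLS and restrict who can reach it, since EDI will trust whatever key set this endpoint returns.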