
PingFederate OIDC

Feature

PingFederate OIDC is an option to enable OAuth2 Authentication with Germain UX.

Configuration

Provider side

Check or set the configuration on the provider side accordingly, and take note of the values; they are needed for the Germain configuration below.

Screenshot: OAuthAuthentication configuration - provider

Screenshot: Mapping group from OAuth Provider

Germain side

  1. Sign in to your Germain application as an administrator.

  2. Go to System > System Settings > Root Config (Advanced).

  3. Navigate to monitoringConfig > systemConfig > authentication. In AuthenticationConfig, set the following:

    • defaultRedirectPath: workspace URL (e.g., http://localhost:8080/germainapm/workspace/app)


  4. Go to System > Auth Settings > Authentication.

  5. Click the Plus button to add a new Authentication Provider.

  6. Select OAuth Provider and click next.

    Screenshot: Select OAuth provider - Germain UX

  7. Configure the provider settings:

    • Provider Name: Name for your Auth Provider

    • Client ID: <Client ID Copied from OAuth provider>

    • Client Secret: <Client Secret Copied from OAuth provider> (or empty if using a public OAuth client; note that this is not recommended. If Client ID is empty, PKCE is used by default.)

    • Authorization Grant Type: authorization_code

    • Redirect URI Template: {baseUrl}/login/oauth2/code/{registrationId}

      • There is no need to substitute baseUrl or registrationId.

    • Authorization URI: https://<yourOauthProvider>/as/authorization.oauth2

      • Add any additional parameters as necessary (e.g., ?acr_values=R1_AAL1_MS-AD-Kerberos)

    • Token URI: https://<yourOauthProvider>/as/token.oauth2

    • User Info URI: https://<yourOauthProvider>/ldp/userinfo.openid

    • JWK Set URI: https://<yourOauthProvider>/pf/JWKS

    • User Name Attribute: sub

    • JWS Algorithm: ES256

    • Role List Path: msad_groups

      • Set this if roles are controlled in the provider.

    • Scope values: openid, profile, address, email, phone

    • Use PKCE: enable this to force using PKCE

  8. Click Finish.

  9. Restart the Tomcat services to apply the changes.

  10. If you have issues logging in with your OAuth provider after restarting, you can enable DEBUG logging in the REST service for the package com.germainsoftware.apm.auth.security. This writes additional logging to the REST service log file when a login attempt is made, which helps troubleshoot configuration issues.

Once this is complete, you should be signed in automatically when you open the Germain page, provided your account has access.
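The following is an added example, not code from Germain or Ping Identity, that models what the provider settings above mean at runtime: resolving the Redirect URI Template, building the authorization request against an Authorization URI that already carries an extra parameter (the acr_values case), generating and verifying a PKCE S256 pair, and picking the user name and role list out of the provider's claims using the User Name Attribute (sub) and Role List Path (msad_groups). The hostname, client ID, base URL and claims are constructed placeholders, and the dotted-path traversal for Role List Path is an assumption about how such a path is interpreted, not documented Germain behaviour.

```python
import base64
import hashlib
import secrets
from typing import Any, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Values as they would be entered on the Germain side (step 7).
# Hostname and client ID are constructed placeholders.
PROVIDER = {
    "client_id": "germain-ux-client",  # placeholder
    "redirect_uri_template": "{baseUrl}/login/oauth2/code/{registrationId}",
    "authorization_uri": "https://sso.example.test/as/authorization.oauth2?acr_values=R1_AAL1_MS-AD-Kerberos",
    "scopes": ["openid", "profile", "address", "email", "phone"],
    "user_name_attribute": "sub",
    "role_list_path": "msad_groups",
}


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) with the S256 method.

    A fresh verifier is 32 random bytes encoded to 43 characters; the
    challenge is BASE64URL(SHA256(verifier)).
    """
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier must be 43-128 characters")
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def resolve_redirect_uri(template: str, base_url: str, registration_id: str) -> str:
    """Fill the {baseUrl} and {registrationId} placeholders of the template."""
    return template.replace("{baseUrl}", base_url).replace("{registrationId}", registration_id)


def build_authorization_url(provider: dict, base_url: str, registration_id: str,
                            state: str, code_challenge: str) -> str:
    """Build the authorization_code request URL.

    Query parameters already present in the configured Authorization URI
    (e.g. acr_values) are kept and the standard OAuth2/PKCE ones are added.
    """
    parsed = urlparse(provider["authorization_uri"])
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    params.update({
        "response_type": "code",
        "client_id": provider["client_id"],
        "redirect_uri": resolve_redirect_uri(provider["redirect_uri_template"], base_url, registration_id),
        "scope": " ".join(provider["scopes"]),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    })
    return parsed._replace(query=urlencode(params)).geturl()


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """What the token endpoint does: recompute the challenge from the
    verifier sent with the code and compare it in constant time."""
    _, recomputed = make_pkce_pair(presented_verifier)
    return secrets.compare_digest(recomputed, stored_challenge)


def extract_identity(claims: dict, provider: dict) -> Tuple[str, list]:
    """Pick the user name and role list out of the provider's claims.

    Assumption: Role List Path is a dotted path into the claims object;
    a missing path yields an empty role list rather than an error.
    """
    user = claims[provider["user_name_attribute"]]
    node: Any = claims
    for part in provider["role_list_path"].split("."):
        if not isinstance(node, dict) or part not in node:
            return user, []
        node = node[part]
    roles = node if isinstance(node, list) else [node]
    return user, list(roles)


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    url = build_authorization_url(PROVIDER, "http://localhost:8080/germainapm", "ping", secrets.token_urlsafe(16), challenge)
    print(url)
    print(verify_pkce(challenge, verifier))
    # Constructed sample claims, shaped like a userinfo/ID token response.
    print(extract_identity({"sub": "jdoe", "msad_groups": ["GermainAdmins"]}, PROVIDER))
```

The RFC 7636 test vector (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM) is a convenient check that the S256 computation is right before pointing the configuration at a real provider.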

Service: Authentication

Feature Availability: 2023.4 or later
