Installing PingFederate
The following steps give a high-level overview of installing PingFederate. Each section contains the steps needed to complete that task.
Step 1: Download PingFederate
Download the latest build of the minor version and patch of PingFederate supported by your product, as indicated by its system requirements.
Step 2: Obtain PingFederate license
PTC no longer provides the PingFederate product or licenses on the PTC downloads page. Beginning April 1, 2022, new PTC product entitlements will not include a PingFederate license by default. New customers choosing to use PingFederate must contract directly with PingIdentity to purchase a PingFederate license. PTC customers who were entitled prior to April 1st, 2022, can still request a PingFederate license by contacting PTC Technical Support. This includes requests for license renewals.
PTC Cloud customers will be provided a PingFederate license if required as part of the provided PTC offering.
Step 3: Install PingFederate
For PingFederate 12.1 installation instructions, see Installing and uninstalling PingFederate.
Step 4: Apply the patch on the PingFederate installation
After installing PingFederate, apply the corresponding PingFederate patch to the installation. Apply the patch according to the instructions provided by PingFederate.
Step 5: Configure PingFederate and deploy the PingFederate license file
1. From a Command Prompt window, browse to PingFederate/bin, and execute the run.bat on Windows or run.sh on Linux to start PingFederate.
It might take some time for PingFederate to start.
2. When the message PingFederate running is returned, open the PingFederate URL in the following format in your browser: https://<hostname.domain.com>:9999/pingfederate/.
3. If certificate error prompts are displayed, accept them to continue with the setup.
4. Follow the instructions in the PingFederate Setup screens until setup finalization.
5. Confirm that PingFederate has been set up by logging in through a new browser session. Navigate to the PingFederate URL in the https://<hostname.domain.com>:9999/pingfederate/ format, and sign in with your newly created administrator user name and password.
Step 6: Define SAML 2.0 Entity ID
In PingFederate 11, the entityID is not defined as part of the initial PingFederate settings completed in the previous steps. Follow the steps below to define the entityID.
1. Navigate to PingFederate administrative console.
2. Search for Protocol Settings and open the search result.
3. On the Federation Info tab, enter your entityID in the SAML 2.0 ENTITY ID field. Click Save.
Step 7: Complete cross-domain configuration for the SameSite cookie attribute
If you are using PingFederate 11 or a later version, the sameSite attribute already exists in the jetty-runtime.xml file with a default value of "None":
<Call name="setAttribute">
<Arg>org.eclipse.jetty.cookie.sameSiteDefault</Arg>
<Arg>None</Arg>
</Call>
If any of PingFederate, ThingWorx, and the IdP are in different domains, you must enable the SameSite cookie attribute. To do this, in the <PingFederate Installation Folder>/etc/jetty-runtime.xml file, set the value of the sameSiteSpecifier attribute within the baseHttpConfig element to None.
<New id="baseHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
<!-- ... -->
<Set name="headerCacheSize">512</Set>
<Set name="sameSiteSpecifier">None</Set>
<!-- … -->
</New>
To complete cross-domain support, you must apply similar changes to Tomcat. For more information, see the PTC Tech Support article.
Step 8: Configure PingFederate to always return scope
Create or edit the oauth-scope-settings.xml file that is available in the <PingFederate Installation Folder>/server/default/data/config-store location as follows:
<?xml version="1.0" encoding="UTF-8"?>
<z:config xmlns:z="http://www.sourceid.org/2004/05/config">
<z:item name="always-return-scope-for-authz-code">true</z:item>
</z:config>
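Before the restart in Step 9, the edits from Steps 7 and 8 can be checked with a short script. The following is an added example, not PTC or Ping Identity code: it parses both SameSite forms shown above and the namespaced scope item, and reports any value that does not match. The function names, the sample documents, and the `<Configure>` wrapper element are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

CFG_NS = "{http://www.sourceid.org/2004/05/config}"  # namespace used by oauth-scope-settings.xml
SAMESITE_KEY = "org.eclipse.jetty.cookie.sameSiteDefault"

def samesite_value(jetty_xml):
    """Return the SameSite value set in jetty-runtime.xml, or None if neither form is present."""
    root = ET.fromstring(jetty_xml)
    # PingFederate 11 and later: <Call name="setAttribute"> with key and value <Arg> children.
    for call in root.iter("Call"):
        args = [(a.text or "").strip() for a in call.findall("Arg")]
        if call.get("name") == "setAttribute" and args[:1] == [SAMESITE_KEY] and len(args) == 2:
            return args[1]
    # Other form on the page: <Set name="sameSiteSpecifier"> within <New id="baseHttpConfig">.
    for new in root.iter("New"):
        if new.get("id") == "baseHttpConfig":
            for setter in new.findall("Set"):
                if setter.get("name") == "sameSiteSpecifier":
                    return (setter.text or "").strip()
    return None

def always_return_scope(scope_xml):
    """True only if the namespaced item exists and its text is 'true'."""
    for item in ET.fromstring(scope_xml).iter(CFG_NS + "item"):
        if item.get("name") == "always-return-scope-for-authz-code":
            return (item.text or "").strip() == "true"
    return False

def audit(jetty_xml, scope_xml):
    """Return a list of findings; an empty list means both settings match the steps."""
    findings = []
    value = samesite_value(jetty_xml)
    if value != "None":
        findings.append(f"SameSite is {value!r}, expected 'None'")
    if not always_return_scope(scope_xml):
        findings.append("always-return-scope-for-authz-code is not 'true'")
    return findings

# Constructed samples (not real PingFederate files); the <Configure> wrapper is an assumption.
JETTY_CALL = b'<Configure><Call name="setAttribute"><Arg>org.eclipse.jetty.cookie.sameSiteDefault</Arg><Arg>None</Arg></Call></Configure>'
JETTY_SET_LAX = b'<Configure><New id="baseHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration"><Set name="headerCacheSize">512</Set><Set name="sameSiteSpecifier">Lax</Set></New></Configure>'
SCOPE_OK = b'<?xml version="1.0" encoding="UTF-8"?><z:config xmlns:z="http://www.sourceid.org/2004/05/config"><z:item name="always-return-scope-for-authz-code">true</z:item></z:config>'
SCOPE_NO_NS = b'<config><item name="always-return-scope-for-authz-code">true</item></config>'

if __name__ == "__main__":
    print(audit(JETTY_CALL, SCOPE_OK))         # both settings as described in Steps 7 and 8
    print(audit(JETTY_SET_LAX, SCOPE_NO_NS))   # wrong SameSite value and missing namespace
```

To check a real installation, read the two files as bytes and pass their contents to `audit`.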
Step 9: Restart PingFederate
Restart the PingFederate server.