Configure Ping authentication in Cayosoft Guardian
This article explains how to enable Sign in with Ping in the Cayosoft Guardian web portal by configuring OpenID Connect (OIDC) settings in the appsettings.json file. It covers:
- PingFederate (self-hosted/container-based)
- PingOne (Ping Identity SaaS)
Before you begin
- You must have a working Ping setup (PingFederate or PingOne) with an OIDC application/client created and configured. Learn more: Setting up an OIDC application in PingFederate.
- You must configure a Redirect URI for Cayosoft Guardian in Ping: use https://<HOST>/guardian/oidc-connect, replacing <HOST> with the host address of Cayosoft Guardian.
- Recommended scopes must be enabled: openid, email, profile.
- Create a test user in Ping (or in the PingFederate user store) that matches a delegated user in Guardian:
  - In Cayosoft Guardian, verify user mapping in Settings > Delegation.
IMPORTANT: Keep your ClientSecret secure. Do not commit secrets to source control. Use your organization’s secure secret storage where possible.
- Enable Ping as an allowed authentication scheme. In appsettings.json, ensure ping is included in AuthenticationSettings.AllowedAuthenticationSchemes.
  NOTE: The scheme name is case sensitive and must be exactly ping (lowercase).
    {
      "AuthenticationSettings": {
        "AllowedAuthenticationSchemes": [
          "office365",
          "ping"
        ]
      }
    }
- Add (or update) the PingAuthenticationSettings section in appsettings.json.
  Common fields
  - Authority:
    - PingFederate: the public PingFederate issuer base URL.
    - PingOne: the issuer URL (often ends with /as).
  - ClientId: the OIDC Client ID.
  - ClientSecret: the OIDC Client Secret.
  - Scopes: recommended openid, email, profile.
  - ExternalIdClaim and AnchorClaim: typically sub.
Option A: PingFederate configuration
- For PingFederate, Authority must match the issuer value in the OIDC discovery document: https://<PINGFEDERATE_HOST>:9031/.well-known/openid-configuration. Use the issuer value as Authority.
  appsettings.json example (PingFederate)
    {
      "PingAuthenticationSettings": {
        "Authority": "https://<PINGFEDERATE_HOST>:9031",
        "ClientId": "Cayo.guardian",
        "ClientSecret": "<CLIENT_SECRET>",
        "Scopes": [
          "email",
          "openid",
          "profile"
        ],
        "ExternalIdClaim": "sub",
        "AnchorClaim": "sub"
      }
    }
- Restart the Cayosoft Guardian service so it reloads configuration.
- Open the Cayosoft Guardian web portal.
- Click Sign in with Ping.
- Sign in using PingFederate credentials.
Option B: PingOne configuration
- In PingOne, use the issuer value from the application/connection details. Typical format: https://auth.pingone.com/<ENVIRONMENT_ID>/as
  appsettings.json example (PingOne using Authority)
    {
      "PingAuthenticationSettings": {
        "Authority": "https://auth.pingone.com/<ENVIRONMENT_ID>/as",
        "ClientId": "<CLIENT_ID>",
        "ClientSecret": "<CLIENT_SECRET>",
        "Scopes": [
          "email",
          "openid",
          "profile"
        ],
        "ExternalIdClaim": "sub",
        "AnchorClaim": "sub"
      }
    }
- You can store PingOne connection info as BaseUri and EnvironmentId:
    {
      "PingAuthenticationSettings": {
        "BaseUri": "https://auth.pingone.com",
        "EnvironmentId": "<ENVIRONMENT_ID>",
        "ClientId": "<CLIENT_ID>",
        "ClientSecret": "<CLIENT_SECRET>",
        "Scopes": [
          "email",
          "openid",
          "profile"
        ],
        "ExternalIdClaim": "sub",
        "AnchorClaim": "sub"
      }
    }
- Restart the Cayosoft Guardian service so it reloads configuration.
- Open the Cayosoft Guardian web portal.
- Click Sign in with Ping.
- Sign in using PingOne user credentials.
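Pre-restart check (an added example, not Cayosoft code or part of the original article): the Python below compares an appsettings.json with the provider's OIDC discovery document for the points this article calls out, namely the lowercase ping scheme, Authority equal to issuer, the scopes, the claim names, and a ClientSecret that is still a placeholder. The host pf.example.test, the sample JSON, and the joining of BaseUri and EnvironmentId into <BaseUri>/<EnvironmentId>/as are assumptions made for the example.

```python
import json

def effective_authority(ping):
    # Authority as written, else the PingOne form built from BaseUri and
    # EnvironmentId (assumed composition: <BaseUri>/<EnvironmentId>/as).
    if ping.get("Authority"):
        return ping["Authority"]
    if ping.get("BaseUri") and ping.get("EnvironmentId"):
        return ping["BaseUri"].rstrip("/") + "/" + ping["EnvironmentId"] + "/as"
    return None

def check_ping_settings(settings, discovery):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    schemes = settings.get("AuthenticationSettings", {}).get(
        "AllowedAuthenticationSchemes", [])
    if "ping" not in schemes:  # exact, case-sensitive match
        problems.append("scheme: 'ping' (lowercase) is not in AllowedAuthenticationSchemes")
    ping = settings.get("PingAuthenticationSettings", {})
    authority = effective_authority(ping)
    if authority != discovery.get("issuer"):  # exact string compare, trailing slash counts
        problems.append(f"authority: {authority!r} != issuer {discovery.get('issuer')!r}")
    scopes = ping.get("Scopes", [])
    if "openid" not in scopes:
        problems.append("scopes: 'openid' is required for an OIDC sign-in")
    # If the provider publishes no scopes_supported, this check is skipped.
    unsupported = sorted(set(scopes) - set(discovery.get("scopes_supported", scopes)))
    if unsupported:
        problems.append(f"scopes: not offered by the provider: {unsupported}")
    for key in ("ExternalIdClaim", "AnchorClaim"):
        claim = ping.get(key)
        if not claim or claim not in discovery.get("claims_supported", [claim]):
            problems.append(f"claims: {key}={claim!r} is not a claim the provider lists")
    secret = ping.get("ClientSecret", "")
    if not secret or secret.startswith("<"):
        problems.append("secret: ClientSecret is empty or still a placeholder")
    return problems

# Constructed sample data (not from a real deployment).
DISCOVERY = json.loads("""{"issuer": "https://pf.example.test:9031",
  "scopes_supported": ["openid", "email", "profile"],
  "claims_supported": ["sub", "email", "name"]}""")
BAD = json.loads("""{"AuthenticationSettings": {"AllowedAuthenticationSchemes": ["office365", "Ping"]},
  "PingAuthenticationSettings": {"Authority": "https://pf.example.test:9031/",
    "ClientId": "Cayo.guardian", "ClientSecret": "<CLIENT_SECRET>",
    "Scopes": ["email", "profile"], "ExternalIdClaim": "sub", "AnchorClaim": "sub"}}""")

if __name__ == "__main__":
    for problem in check_ping_settings(BAD, DISCOVERY):
        print(problem)
```

In practice, load DISCOVERY from the provider's /.well-known/openid-configuration response and the settings from the deployed appsettings.json.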