PingFederate and OAuth server configuration steps: 

  1. Server Configuration > Server Settings > Roles and Protocols screen. Select the Enable OAuth 2.0 Authorization Server (AS) role check box. Select the OpenID Connect check box. Select Enable Identity Provider then SAML 2.0 and WS-TRUST check boxes.   Save changes (or hit Next button until Save appears).

  2. Server Configuration > SSL Server certificates > Create one (make sure it's CN matches the server name to avoid certification errors when accessed from the clients).

  3. Server Configuration > Trusted CAs > Import the just created cert (this same certificate will need to be installed on the client side in 'Trusted Root Certification Authorities' store).

  4. Server Configuration > Signing & Decryption Keys & Certificates > Create New (follow instructions to create a new signing certificate that will be used later to validate access tokens for Resource Owner Password flow.  Ex. I created one for my dev environment with a CN that hints to its use: CN=Config Signing Cert, OU=Dev, O=Ping, L=Denver, ST=CO, C=US).

  5. Server Configuration > Password Credential Validators > Create New Instance. Enter values for Instance Name (ex.'UserPass') and ID, Select Type: Simple User Name Password Validator > Next. In the Instance Configuration screen Add a new row to 'Users' > Add all your test user names and passwords (store at least one of these values because these are the user(s) that will be added in OneStream security with PingIdentity Authentication Provider Type). Hit Next until able to Save.

  6. OAuth Server > Scope Management > Add scopes: address, email, openid, phone, profile > Save

  7. Identity Provider > Manage IdP Adapter Instances > Create Instance: Example: Name = HTMLFormSimplePCV; ID=HTMLFormSimplePCV; Type: HTML Form IdP Adapter > Next. In IdP Adapter tab add a new row to Credential Validators, select 'UserPass' created above. Extended Contract tab: policy.action and username should be listed under Core Contract

  8. Adapter Attributes tab: check Pseudonym checkbox for username> hit Next until able to Save.

  9. OAuth Server > Authorization Server Settings

    • select 'UserPass' for OAuth Administrative Web Services Settings / Password Credential Validator

    • check "Implict", "Authorization code", "Resource Owner Password Credentials" and "Allow unidentified clients to make Resource Owner Password credentials grants" boxes

  10. OAuth Server > Access Token Management > Create new (fill fields similar to below)

    • Instance Name: JSON Web Tokens

    • Instance ID: jwt

    • Class Name: com.pingidentity.pf.access.token.management.plugins.
      JwtBearerAccessTokenManagementPlugin

    • Type: JSON Web Tokens

    • Parent Instance Name: None

    • Instance Configuration 

    • Certificates: k1, CN=Config Signing Cert, OU=Dev, O=Ping, L=Denver, ST=CO, C=US (This is the signing certificate created in #4)

    • Token Lifetime: 120

    • JWS Algorithm: RSA using SHA-256

    • Active Symmetric Key ID: None Selected

    • Active Signing Certificate Key ID: k1

    • JWE Algorithm: None Selected

    • JWE Content Encryption Algorithm: None Selected

    • Active Symmetric Encryption Key ID: None Selected

    • Asymmetric Encryption Key

    • Asymmetric Encryption JWKS URL: http://<serverName>:<port>/pf/jkws

    • Include Key ID Header Parameter: TRUE

    • Include X.509 Thumbprint Header Parameter: TRUE

    • Default JWKS URL Cache Duration: 720

    • Include JWE Key ID Header Parameter: TRUE

    • Include JWE X.509 Thumbprint Header Parameter: TRUE

    • Client ID Claim Name: client_id_name

    • Scope Claim Name: scope

    • Space Delimit Scope Values: FALSE

    • Issuer Claim Value: http://<serverName>:<port>

    • Audience Claim Value: OneStreamClient

    • JWT ID Claim Length: 0

    • Access Grant GUID Claim Name: agid

    • JWKS Endpoint Path: /oauth/jwks

    • JWKS Endpoint Cache Duration: 720

    • Publish Key ID X.509 URL: TRUE

    • Publish Thumbprint X.509 URL: TRUE

    • Session Validation:

    • Check Session Validation Status: FALSE

    • Check Session Revocation Status: FALSE

    • Update Authentication Session Activity: FALSE

    • Access Token Attribute Contract:

    • Attribute: OrgName

    • Attribute: sub

    • Attribute: Username

    • Resource URIs :

    • Access Control :

    • Restrict Allowed Clients : FALSE

  11. OAuth Server > OpenID Connect Policy Management > Create New (see example policy below)

  12. OAuth Server > Resource Owner Credentials Mapping > Map 'UserPass' to Persistent Grant Contract

  13. OAuth Server > Access Token Attribute Mapping > Map Default (Context) to JSON Web Tokens (Token Manager)

    • OrgName: example mapping: Source=Text, Value=Ping Federate Corporation

    • Username: Source : Persistent Grant, Value:USER_KEY

    • sub: Source : Persistent Grant, Value:USER_KEY (needed to retrieve user claims)

  14. OAuth Server > IdP Adapter Mappings: Map HTMLFormSimplePCV To Persistent Grant Contract

  15. Add OneStreamWeb client:

    • OAuth Server > Clients > Create New:

    • Client ID = OneStreamWeb

    • Client Name = OneStreamWeb

    • Description = Authorization Code flow for OneStreamWeb application (example)

    • Client Authentication = Client Secret > Generate Secret (store this value)

    • Redirect URIs: Add: http://<serverName>:<port>/OneStream/OneStreamXF.aspx, and  http://<serverName>:<port>/OneStream/OneStreamWindowsApp.aspx

    • Bypass Authorization Approval = Check (this will be a trusted app; there is no need for an extra Authorization Approval form)

    • Allowed Grant Types: Authorization Code; Implicit

    • Open Id Connect: ID Token Signing Algorithm = Default

    • Save

  16.  Add OneStreamMvc client:

    • OAuth Server > Clients > Create New:

    • Client ID = OneStreamMvc 

    • Client Name = OneStreamMvc 

    • Description = Authorization Code flow for OneStreamMvc application (example)

    • Client Authentication = Client Secret > Generate Secret (store this value)

    • Redirect URIs: Add: 'http://<serverName>:<port>/Authentication/Logon'

    • Bypass Authorization Approval = Check (this will be a trusted app; there is no need for an extra Authorization Approval form)

    • Allowed Grant Types: Authorization Code; Implicit

    • Open Id Connect: ID Token Signing Algorithm = Default

    • Save

  17. Add OneStreamClient client

    • OAuth Server > Clients > Create New:

    • Client ID = OneStreamClient 

    • Client Name = OneStreamClient 

    • Description = PingFederate placeholder for OneStream native apps authentication

    • Client Authentication: None

    • Redirect URI: Add: https://[SeverName]:[SSLPortNumber]/OneStreamWeb/OnestreamLogonCallback.aspx/

    • Bypass Authorization Approval = Check (this will be a trusted app; there is no need for an extra Authorization Approval form)

    • Allowed Grant Types: Authorization Code; Resource Owner Password Credentials, Refresh Token

    • Open Id Connect: ID Token Signing Algorithm = Default

    • Save