PingFederate Configuration

To configure OneStream REST API to support PingFederate authentication, follow these steps:

  1. Configure the REST API Application Registration in PingFederate.

  2. Set Up the Web Server Configuration in OneStream.

  3. Configure the User in OneStream.

To enable single sign-on with PingFederate for the OneStream Desktop application, which includes the Windows Client application and the Excel Add-In, using the OIDC protocol, see the Installation and Configuration Guide.

Configure the REST API Application Registration in PingFederate

To configure the REST API application registration, you need to enter the same client ID in PingFederate and in the Web Server Configuration in OneStream. You also need to copy the client secret generated in PingFederate; the REST API client presents it, together with the client ID, to request a token.

  1. Log in to your PingFederate account.

  2. In the menu on the left, click OAuth Server.

  3. Under the CLIENTS list, click the Create New button.

  4. On the Client page, complete the following fields:

    • CLIENT ID: Enter a client ID, which is a unique name or identifier for the application registration.

    • NAME: Enter the name of the client.

    • CLIENT AUTHENTICATION: Select CLIENT SECRET.

    • CLIENT SECRET: Select CHANGE SECRET and then click the Generate Secret button.

    • ALLOWED GRANT TYPES: Select Client Credentials.

  5. Click the Save button.

Set Up the Web Server Configuration in OneStream

  1. Open the OneStream Server Configuration Utility application.

  2. Go to File > New Web Server Configuration File.

    NOTE: Alternatively, you can open an existing file to edit it.

  3. Click the ellipsis to the right of Single Sign On Identity Provider.

    (Screenshot: Web Server Configuration dialog box, Web Server Configuration Settings section, with Single Sign On Identity Provider highlighted.)

  4. In the User Name Lookup field, type client_id to include this claim in the ordered lookups.

    (Screenshot: Single Sign On Identity Provider dialog box, OIDC Compliant Provider Settings section, with User Name Lookup highlighted showing that client_id has been added.)

  5. Click the ellipsis to the right of PingFederate Identity Provider.

    (Screenshot: Single Sign On Identity Provider dialog box, Identity Provider Specific Settings section, with PingFederate Identity Provider highlighted.)

  6. In the PingFederate Identity Provider dialog box, in the REST API Settings section, complete the following fields:

    • OneStream Web Api Client ID: Enter the client ID you entered in PingFederate. See Configure the REST API Application Registration in PingFederate step 4.

    • OneStream Web Api Scopes: Enter custom scopes.

    • OneStream Web Api JWKS Path: Enter the path on the PingFederate server that publishes the JSON Web Key Set (JWKS) containing the keys and certificates used for signature verification.

    (Screenshot: PingFederate Identity Provider dialog box, REST API Settings section, with OneStream Web Api Client ID, OneStream Web Api Scopes, and OneStream Web Api JWKS Path highlighted.)

  7. Click the OK button.

  8. Save changes and reset IIS.

    NOTE: Reset IIS after you save any changes to the Application Server Configuration or Web Server Configuration.

Configure the User in OneStream

  1. In the OneStream Desktop application, go to System > Security > Users > <user>.

  2. In the Authentication properties, complete the following fields for REST API authentication through PingFederate.

  3. Click the Save icon.

Configure the AUD Value

In some installations, the Audience (aud) value is not used in the authentication process. With normal processing, authentication fails if this value is absent from the token. The Validate Audience option lets you disable audience validation for these installations.

By default, this setting is True, which means the audience is validated.

  1. Open the OneStream Server Configuration Utility application.

  2. Go to File > Open Web Server Configuration File.

  3. Find the Web Server Configuration file and click the Open button.

  4. Click the ellipsis to the right of Single Sign On Identity Provider.

  5. In Validate Audience, select False to disable Audience validation.

    (Screenshot: Single Sign On Identity Provider dialog box, OIDC Compliant Provider Settings section, with Validate Audience highlighted showing that it is set to False.)
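The following script is an added example, not code from OneStream or PingFederate, showing what the Web Server Configuration settings above (OneStream Web Api JWKS Path, User Name Lookup with client_id, Validate Audience) amount to when a REST API token is checked: the signing key is looked up in a JWKS by kid, the signature is verified, the expiry and (optionally) the audience are validated, and the user name is resolved from an ordered list of claims. So that it runs offline with only the standard library, the JWKS and token are constructed in-process with a symmetric HS256 key (kty "oct"); a real PingFederate JWKS publishes asymmetric (RSA/EC) keys, so a production verifier would use a JWT library such as PyJWT for RS256. All names (key id, audience, client ID, issuer) are constructed placeholders.

```python
"""Constructed example: validate a PingFederate-style access token against a
JWKS, with an optional audience check mirroring the Validate Audience setting."""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed stand-ins for what the JWKS path would serve (symmetric key so the
# example needs no third-party library; PingFederate itself publishes RSA/EC keys).
CONSTRUCTED_SECRET = b"constructed-demo-key-not-a-real-secret-0123456789"
CONSTRUCTED_JWKS = {
    "keys": [
        {"kty": "oct", "kid": "demo-key-1", "alg": "HS256",
         "k": b64url_encode(CONSTRUCTED_SECRET)}
    ]
}


def sign_token(claims: dict, kid: str, secret: bytes) -> str:
    """Mint a compact HS256 JWS. Used here only to produce test input."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_token(token: str, jwks: dict, expected_audience: str,
                   validate_audience: bool = True,
                   user_name_lookup=("client_id",), now=None) -> dict:
    """Verify the token and return {"user": <resolved name>, "claims": <payload>}.
    Raises ValueError on any failed check.

    validate_audience=False corresponds to Validate Audience = False: the aud
    claim is then ignored, so a token minted for a different resource would also
    be accepted, which is why the default keeps it enabled."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token pick 'none' or a different scheme.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    # JWKS lookup by key id, as the JWKS Path setting implies.
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "oct":
        raise ValueError("no usable key for kid %r" % header.get("kid"))
    expected_sig = hmac.new(b64url_decode(key["k"]),
                            (header_b64 + "." + payload_b64).encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    if validate_audience:
        aud = claims.get("aud")
        auds = aud if isinstance(aud, list) else [aud]
        if expected_audience not in auds:
            raise ValueError("audience mismatch: %r" % (aud,))
    # Ordered user-name lookup: the first listed claim present in the token wins.
    # With client_id in the list, the REST API client maps to its own user record.
    for claim_name in user_name_lookup:
        if claim_name in claims:
            return {"user": claims[claim_name], "claims": claims}
    raise ValueError("no user-name claim found among %r" % (user_name_lookup,))


def token_is_valid(token: str, jwks: dict, expected_audience: str, **kwargs) -> bool:
    """Boolean convenience wrapper around validate_token."""
    try:
        validate_token(token, jwks, expected_audience, **kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    demo_claims = {"iss": "https://pingfederate.example/", "client_id": "onestream-rest-client",
                   "aud": "onestream-web-api", "exp": time.time() + 300}
    tok = sign_token(demo_claims, "demo-key-1", CONSTRUCTED_SECRET)
    print("resolved user:", validate_token(tok, CONSTRUCTED_JWKS, "onestream-web-api")["user"])
```

Running the script mints a token for the constructed client and resolves the user name from its client_id claim. The audience branch is the point to keep in mind when setting Validate Audience to False: with the check off, the same verifier accepts a token whose aud names some other resource, so the setting should only be disabled where the token issuer genuinely emits no audience.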