To create a new 6clicks application (type: SPA OpenID Connect) in Ping Identity, you will need administrative permissions. Log in to your Ping Identity Admin Console and choose your environment. The steps are:
- Create groups matched to 6clicks roles.
- Create the application.
- Assign the groups to the application.
- Filter the correct 6clicks groups to appear in your ID token.
Ping: Create Groups
From the menu, choose Identities → Groups and press the '+' button to add a new group.
The SSO process is used to allocate 6clicks roles to each user. This requires each user to be in a group that matches at least one valid 6clicks role, displayed in the 6clicks SSO dashboard.
Each 6clicks role needs to be added to a group with the prefix ‘6clicks-role-’:
- 6clicks-role-Administrator
- 6clicks-role-Users
- 6clicks-role-CustomRole1
After you choose ‘Save’, the option to add users and groups to this new group will appear. You will need to add users to each group based on your particular requirements.
Ping: Create Application
From Connections → Applications, click the '+' to add an application. Add in:
- Application Name: free format, but we recommend ‘6clicks - Tenant Name’ to be descriptive.
- Description: optional.
- Icon: You can download the 6clicks logo from here: <link>
- Application type: Single page.
Application Protocol Setup
Once you have saved the new application, you will see a screen with all the application settings. Choose Protocol.
Configure the settings:
- Response type: Code
- Authorization Code (checked) with PKCE Enforcement: S256_REQUIRED
- Redirect URIs: <retrieved from 6clicks SSO dashboard>.
- Initiate Login URIs: <retrieved from 6clicks SSO dashboard>.
- Signoff URIs: <retrieved from 6clicks SSO dashboard>.
Save.
Issuer URI
As soon as you hit save in the protocol setup, Ping displays the configuration tab, which shows the Issuer URI. You will need this to finish the 6clicks setup, so please note it down somewhere.
Resources Setup
Next head to the ‘Resources’ tab and hit the ‘pencil’ icon to edit.
Add in the scopes:
- Profile
- Email
Save
Policies
The ‘Policies’ tab is where you set up policies such as MFA authentication. We highly recommend you set up policies and that they align with your business requirements.
Attribute Mappings
Next, we need to map the groups to an attribute so they will appear in the ID token. From the ‘Attributes’ tab, click the ‘pencil’ icon to edit.
Click the ‘add’ button and also the ‘advanced configuration’ button (not shown in screenshots).
- Application Attribute: roles (must be called ‘roles’)
- PingOne Mapping: Group Names (see below for the gears icon settings for the group name)
- Scope: profile
- ID Token: <checked>
Group Name Expression
Clicking the ‘gears’ icon next to the PingOne Mapping opens up the Ping Expression language builder. We can use this to filter for our group names.
- Expression: user.memberOfGroupNames.?[#string.startsWith(#this, "6clicks-role-")]
Save
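To confirm that the attribute mapping and filter expression above behave as intended once the application is active, the following added example (not part of the original guide, and not 6clicks or Ping code) decodes an ID token payload and reports a missing ‘roles’ claim or group names that slipped past the ‘6clicks-role-’ filter. The sample issuer, the ‘Finance-Payroll’ group and the helper names are constructed for illustration; the payload is decoded without signature verification, for inspection only.

```python
import base64
import json

ROLE_PREFIX = "6clicks-role-"  # group prefix required by the page

def decode_payload(id_token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated parts")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))

def check_roles_claim(claims, expected_issuer):
    """Return a list of configuration problems; an empty list means the claims look right."""
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("iss does not match the Issuer URI noted from Ping")
    roles = claims.get("roles")
    if roles is None:
        return problems + ["no 'roles' claim: check attribute name, scope and ID Token box"]
    if isinstance(roles, str):  # defensive assumption: tolerate a single bare string value
        roles = [roles]
    if not roles:
        problems.append("'roles' is empty: user is in no group with the required prefix")
    unfiltered = [r for r in roles if not str(r).startswith(ROLE_PREFIX)]
    if unfiltered:
        problems.append(f"unfiltered group names exposed in token: {unfiltered}")
    return problems

def make_sample_token(claims):
    """Build a CONSTRUCTED sample token (fake signature) so the check runs offline."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([b64({"alg": "RS256", "typ": "JWT"}), b64(claims), "constructed-signature"])

SAMPLE_ISSUER = "https://issuer.example.invalid/as"  # placeholder, not a real Issuer URI

if __name__ == "__main__":
    good = make_sample_token({"iss": SAMPLE_ISSUER,
                              "roles": ["6clicks-role-Administrator"]})
    bad = make_sample_token({"iss": SAMPLE_ISSUER,
                             "roles": ["6clicks-role-Users", "Finance-Payroll"]})
    for label, token in (("filtered", good), ("unfiltered", bad)):
        print(label, check_roles_claim(decode_payload(token), SAMPLE_ISSUER))
```

An unfiltered result means the token discloses directory group names unrelated to 6clicks, which is what the startsWith expression is there to prevent.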
Access
From the ‘Access’ tab click the ‘pencil’ icon to edit.
- Application Portal Display: <checked>
- User is a member of any applied group: <checked>
- Groups: add in all of your 6clicks groups.
Save.
Activate The Application & Get the Client ID
Finish 6clicks Setup
You should now have a Ping Client (application) ID and an Issuer URI. Armed with this information, head back to 6clicks to finish the 6clicks SSO setup.