Configuring PingID OAuth2
You must create a PingID Application for your thingshub tenant in order to use PingID OAuth2 with thingshub. You will need the client_id, client_secret, auth_url, token_url and user_info_url that are available in the PingID Application.
Configure OAuth and register Thingshub in PingID
1. Open https://www.pingidentity.com/en.html and sign on with your admin account.
2. Go to the Applications menu in the left panel and click on Applications.
3. Click on the Plus (+) icon at the top.
4. In the side dialog, fill in Thingshub SSO in the Application Name field.
5. Select OIDC Web App in the Application Type option and click on SAVE. The side dialog will now show the Application Detail page.
6. Go to the Configuration tab in the Application Detail side dialog and click on the edit (pencil) icon.
7. Scroll to the Redirect URIs section in the edit configuration side dialog and type the domain address of your thingshub tenant followed by the path /ping-id-oauth2/callback (e.g. https://foo-bar.thingshub.smartmakers.de/ping-id-oauth2/callback). This is the address that PingID will redirect to after the authentication is complete, whether it succeeds or fails.
8. Click on SAVE. The Configuration tab will open up in the Application Detail side dialog.
9. You will find the client_id and client_secret values under the General section in the Configuration tab. Copy these values for use in the PingID config block in the tenant configuration file.
10. You will also see a URLs section; click on it to expand it. It lists the various URLs for your Application. The Authorization URL corresponds to auth_url, the Token Endpoint to token_url and the UserInfo Endpoint to user_info_url. Copy all these values for use in the PingID config block in the tenant configuration file.
11. Go to the Resources tab of the Application Detail side dialog and click on the edit (pencil) icon. openid should be pre-selected. Find email and select it by clicking its check-box. Click on SAVE.
12. Enable the PingID Thingshub SSO Application by sliding the bar at the top right of the side dialog.
Enable and configure PingID OAuth2 in Thingshub
global:
  domain: foo.bar.com
  tenant_mode: trackinghub
  ...
  identity_providers:
    ping_id_oauth2:
      enabled: true
      params:
        client_id: <Client ID from above>
        client_secret: <Client Secret from above>
        auth_url: <Authorization URL from above>
        token_url: <Token Endpoint from above>
        user_info_url: <UserInfo Endpoint from above>
        scopes:
          - openid
          - email
      button:
        logo: "data:image/png;base64,iVBORw0KG........"
        text: "Sign-in with PingID"
        btn_color: "#B12B28"
        text_color: "#402306"
  ...
ping_id_oauth2 configurations:
enabled: The enabled flag is used to toggle ping_id_oauth2 on or off.
params: This block provides the configuration that thingshub needs to set up ping_id_oauth2.
  client_id: This is the ID of the thingshub application created in the PingID Admin Console, which is available in the detail of the PingID Application.
  client_secret: This is the secret that PingID provides for the thingshub application during PingID application creation.
  auth_url: This is the endpoint that thingshub uses to interact with PingID to get the authorization to access the user data.
  token_url: This is the endpoint that thingshub uses to get access tokens by exchanging the authorization code it gets from the auth_url.
  user_info_url: This is the endpoint that thingshub uses to get the selected user data to be used for Thingshub users.
  scopes: The scopes parameter is a list of OAuth 2.0 scopes (resources to access), allowing the user to configure multiple scopes at a time. You can put in the values you selected in the Resources tab in the detail of the PingID Application.
  A scope determines the resource that Thingshub wants to access from PingID through OAuth 2.0. PingID then checks whether the Application is configured to have access to that resource. Thingshub expects the following scopes to be available: "email"
button: The button block holds the theme for the PingID OAuth2 button displayed on the thingshub login page.
  logo: The base64-encoded string of the image to be displayed in the login button for PingID OAuth2. The base64 encoding should be in Data URI format.
  text: The message to be displayed in the login button for PingID OAuth2.
  btn_color: Sets the color of the login button for PingID OAuth2.
  text_color: Sets the color of the message in the text field that is shown in the login button for PingID OAuth2.
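A pre-deployment check for the ping_id_oauth2 block described above, as an added example that is not part of the Thingshub documentation or code. It takes the block as an already-parsed dict; the function names, the sample values and the requirement that all three endpoints use https are assumptions made here.

```python
from urllib.parse import urlsplit

CALLBACK_PATH = "/ping-id-oauth2/callback"  # callback path given on this page
REQUIRED = ("client_id", "client_secret", "auth_url", "token_url", "user_info_url")
SCOPES = {"openid", "email"}  # scopes selected in the Resources tab


def redirect_uri(tenant_domain):
    """Build the Redirect URI to register in PingID for a tenant domain."""
    host = tenant_domain.strip().rstrip("/")
    if not host or "/" in host:
        raise ValueError("expected a bare domain, without scheme or path")
    return "https://" + host + CALLBACK_PATH


def check_ping_id_oauth2(block):
    """Return the problems found in a parsed ping_id_oauth2 block (a dict)."""
    problems = []
    params = block.get("params") or {}
    for key in REQUIRED:
        value = params.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"params.{key} is missing")
        elif value.startswith("<") and value.endswith(">"):
            problems.append(f"params.{key} still holds the template placeholder")
        elif key.endswith("_url"):
            url = urlsplit(value)
            if url.scheme != "https" or not url.hostname:
                problems.append(f"params.{key} must be an absolute https URL")
    missing = SCOPES - set(params.get("scopes") or [])
    if missing:
        problems.append("params.scopes lacks: " + ", ".join(sorted(missing)))
    return problems

# Constructed sample: the endpoint host and client_id are made up.
SAMPLE = {
    "params": {
        "client_id": "example-client-id",
        "client_secret": "<Client Secret from above>",
        "auth_url": "https://auth.example.test/as/authorize",
        "token_url": "http://auth.example.test/as/token",
        "user_info_url": "https://auth.example.test/as/userinfo",
        "scopes": ["openid"],
    },
}

if __name__ == "__main__":
    print(redirect_uri("foo-bar.thingshub.smartmakers.de"))
    print("\n".join(check_ping_id_oauth2(SAMPLE)))
```

An empty list from check_ping_id_oauth2 means the block passed every check; the redirect_uri result is the value to paste into the Redirect URIs section.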