Examples of specific OAuth providers
Blue Cedar Connect Gateway can handle tokens from any OAuth provider. This page offers notes for specific cases:
Using OAuth tokens for apps integrated with Intune
If you are using the Connect Gateway with apps integrated with the Blue Cedar Accelerator for Microsoft, you must configure a custom authentication policy so that the Intune login (OAuth token) already present on the device also authenticates the user to the Connect Gateway. Configure custom authentication policies on the Blue Cedar Platform. See Using the Blue Cedar Accelerator for Microsoft for details.
Using a PingFederate server
The Blue Cedar Connect Gateway allows you to use a PingFederate server as an authentication provider. The gateway authenticates users against this server, which validates the user's Ping token. To enable this feature, configure a Ping authentication provider with the server's URL from the OpenID configuration and the username claim that carries the user's unique username.
If the server URL uses HTTPS, complete these two steps before you configure the Ping authentication feature on the gateway:
- Make sure the remote server has installed a certificate that the gateway trusts, that is, a certificate issued by a trusted certificate authority (CA).
- Configure the gateway with the trusted certificate authority that issued the remote server's certificate. This step registers the CA as trusted by the gateway. For details, see “Configuring Trusted Certificates” in Configuring AAA Public Key Infrastructure.
For a full description of available configuration attributes, see the PingFederate/OpenID documentation.
How Ping authentication works for the mobile user
Setup with multi-factor authentication
If your Ping installation requires multi-factor authentication, the mobile user installs:
- The PingID app from the app store
- The integrated app, which has been integrated with a connectivity policy that uses the gateway
Users enroll the PingID app and then enroll the integrated app. Once enrolled, when the user launches the integrated app, the app sends a Ping token to the gateway, and Ping authentication with the PingFederate server and the PingID app happens transparently. If users launch the integrated app without having enrolled PingID first, they are prompted to complete that enrollment.
Setup without multi-factor authentication
If your Ping installation does not require multi-factor authentication, the mobile user installs:
- The app that has been integrated with a connectivity policy that uses the gateway
When users first launch the app, they enroll with their credentials. Once users have enrolled, the app sends a Ping token to the gateway, which uses the Ping token to authenticate the user with the PingFederate server.