PingFederate

Prerequisites

  1. Network Connectivity
    • Ensure network reachability from the Cloud Connector (CC) to the PingFederate endpoints.
    • Verify that all required communication ports are open and accessible.
  2. Base URL Configuration
    • Specify the base URL used to communicate with the PingFederate Admin API.
      • Default value: /pf-admin-api/v1/
  3. User Account Requirements
    • If a new user account is created, the user must log in to PingFederate at least once and update the password before proceeding.
    • The user account must be assigned both Admin and Crypto Admin roles.
    • Navigate to SYSTEM → Administrative Accounts to verify role assignments.
  4. Connectivity and Access Validation
    • To troubleshoot onboarding issues, use the following curl command to validate connectivity and confirm access by retrieving the PingFederate version:
      curl -k -u USERNAME:PASSWORD \
        -H "Accept: application/json" \
        -H "X-XSRF-Header: PingFederate" \
        https://{HOSTNAME}:9999/pf-admin-api/v1/version
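
A variant of the check above that keeps TLS certificate verification on (--cacert instead of -k, which skips verification) and lets curl prompt for the password rather than placing it on the command line. This is an added example, not AppViewX or Ping Identity code; PF_CA_BUNDLE, the function names and the mapping of status codes to the root causes listed on this page are assumptions.

```shell
#!/usr/bin/env bash
# Added example: hardened variant of the connectivity check (not vendor code).
# Assumptions: admin port 9999 and the default base URL shown on this page;
# PF_CA_BUNDLE is a hypothetical variable holding the path to the CA bundle
# that issued the PingFederate admin certificate.

# Map curl's exit status and the HTTP status to the root causes listed on
# this page. The mapping follows general curl/HTTP semantics (assumption).
diagnose() {
  local curl_rc="$1" http_code="$2"
  case "$curl_rc" in
    0)      ;;
    6|7|28) echo "unreachable: check IP address/FQDN, port and firewall"; return 1 ;;
    35|60)  echo "tls: handshake failed or certificate not trusted by the CA bundle"; return 1 ;;
    *)      echo "curl failed with exit code $curl_rc"; return 1 ;;
  esac
  case "$http_code" in
    200)     echo "ok: connectivity and access confirmed" ;;
    401|403) echo "auth: credentials not recognized or Admin/Crypto Admin role missing"; return 1 ;;
    404)     echo "url: check the Base URL (default /pf-admin-api/v1/)"; return 1 ;;
    *)       echo "unexpected HTTP status $http_code"; return 1 ;;
  esac
}

# Query the version endpoint with certificate verification left on.
# Passing only the user name to -u makes curl prompt for the password, so it
# stays out of shell history and the process list.
check_pf() {
  local host="$1" user="$2" base="${3:-/pf-admin-api/v1/}" code rc
  code=$(curl -sS --max-time 15 -o /dev/null -w '%{http_code}' \
    --cacert "${PF_CA_BUNDLE:?set PF_CA_BUNDLE to the CA bundle path}" \
    -u "$user" \
    -H "Accept: application/json" \
    -H "X-XSRF-Header: PingFederate" \
    "https://${host}:9999${base%/}/version")
  rc=$?
  diagnose "$rc" "$code"
}

# Usage: PF_CA_BUNDLE=/path/to/ca.pem check_pf pf.example.internal svc-user
```

A certificate error here (curl exit code 60) is a finding that -k would have hidden: the admin endpoint is presenting a certificate the Cloud Connector host has no reason to trust.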

Onboarding PingFederate

  1. Go to (Menu) > CERT+ > ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
  3. Click the (Add) icon.
  4. Select the Ping Identity logo from the Vendors list.
  5. In the Server Details section, enter details as mentioned below.
    Table 1. Server Details - Field Description Table
    Field | Description
    *Server Type | Select the server type. The default value is PingFederate.
    *Server name | Enter the name of the designated PingFederate server.
    *IP address/FQDN | Enter the valid IP address or fully qualified domain name (FQDN) of the device being onboarded. It is used for device communication and integration with the server.
    *HTTPS Port | Enter the valid HTTPS port number that is required to remotely access iDRAC through the firewall.
    Data center | Select the data center from which communication to the PingFederate instance needs to be routed.
    Onboarding Group | Select the onboarding group to assign the device to.
    Note: Devices without an assigned group are automatically mapped to the Default group during migration, onboarding, and when edited without existing group mappings.
    Proxy Required | Select the checkbox if a proxy is required.
    Cert sync | Choose any of the following:
    • Managed - AppViewX performs the config fetch operations, and the certificates are discovered and managed in the inventory. CLM actions (push & bind, rollback, etc.) can be performed on them.
    • Monitored - AppViewX performs the config fetch operations, and the certificates are downloaded to the inventory in a read-only state. CLM actions cannot be performed on them.
    • Ignored - AppViewX only performs the config fetch operations for the devices. No certificate discovery is performed.
    *: Mandatory fields
  6. In the Credentials section, select/enter the details as follows.
    Table 2. Credentials - Field Description Table
    Field | Description
    *Credential Type | Select the credential type from the dropdown:
    • Manual entry (default)
    • Credential List - Appviewx
    Note: If Credential List - Appviewx is selected, the *Credentials list dropdown field is displayed. Select any of the preconfigured credential values.
    *Username | Enter the designated username for authentication with the PingFederate server.
    *Password | Enter the secure password.
    *: Mandatory fields
  7. In the Vendor Specific Details section, enter details as mentioned below.
    Table 3. Vendor Specific Details - Field Description Table
    Field | Description
    *Base URL | Enter the base URL to communicate with the PingFederate API. For example, /pf-admin-api/v1/.
    *: Mandatory fields
  8. Click Save.
    The PingFederate device is onboarded successfully.

Validating the Device

After the device is onboarded successfully, follow these steps to validate the device's communication with AppViewX:
  1. Go to ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
    The Server Inventory page is displayed.
  3. Check that the device name appears in the inventory (Name column) with the specified CertSync status (Status column).
    If the connection is successful, the Status column shows Managed, Monitored, or Ignored, based on the CertSync status. If the connection fails, it shows Failed/Unresolved.
  4. In the Status column, click Managed/Monitored.
    The Device Status Log pop-up is displayed.
  5. Expand each value in the pop-up to view the Device communication, Device Version, Instance Information, and Certificate Discovery From Device details.

Common Symptoms and Root Causes

Symptom | Likely Root Cause
Device communication failed. | The credentials provided were not recognized, or the user does not have Admin and Crypto Admin API access.
Device communication failed. Caused by: Unable to invoke rest service. | Invalid IP address/FQDN or invalid Base URL.

What's Next

Once you have onboarded and validated the device connection, you are ready to proceed with any of the following certificate actions: