PingFederate

Prerequisites

  1. Network Connectivity
    • Ensure network reachability from the Cloud Connector (CC) to the PingFederate endpoints.
    • Verify that all required communication ports are open and accessible.
  2. Base URL Configuration
    • Specify the base URL used to communicate with the PingFederate Admin API.
      • Default value: /pf-admin-api/v1/
  3. User Account Requirements
    • If a new user account is created, the user must log in to PingFederate at least once and update the password before proceeding.
    • The user account must be assigned both Admin and Crypto Admin roles.
    • Navigate to SYSTEM → Administrative Accounts to verify role assignments.
  4. Connectivity and Access Validation
    • To troubleshoot onboarding issues, use the following curl command to validate connectivity and confirm access by retrieving the PingFederate version:
      curl -k -u USERNAME:PASSWORD \
        -H "Accept: application/json" \
        -H "X-XSRF-Header: PingFederate" \
        https://{HOSTNAME}:9999/pf-admin-api/v1/version
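
The check from step 4 as an added example (not AppViewX or Ping Identity code). The command above uses -k, which skips TLS certificate verification, and passes the password on the command line; this variant verifies the server certificate against a CA bundle, prompts for the password, and maps the outcome to the root causes listed under Common Symptoms and Root Causes. The function names, the CA bundle path, and the mapping of curl exit codes and HTTP statuses to causes are assumptions.

```shell
#!/bin/sh
# Added example, not AppViewX or Ping Identity code. Function and variable
# names are hypothetical; the endpoint, headers and port come from the page.

# classify_result CURL_EXIT HTTP_STATUS
# Prints a one-line diagnosis; returns 0 only when the version call succeeded.
classify_result() {
  case "$1" in
    0) ;;                                   # transport OK, inspect HTTP status
    6) echo "dns: host does not resolve, check IP address/FQDN"; return 1 ;;
    7|28) echo "network: port closed or filtered, check HTTPS port and firewall"; return 1 ;;
    35|60) echo "tls: certificate not trusted for this host, check CA bundle and FQDN"; return 1 ;;
    *) echo "curl: unclassified exit code $1"; return 1 ;;
  esac
  case "$2" in
    200) echo "ok: admin API reachable and credentials accepted" ;;
    401|403) echo "auth: credentials not recognized or account lacks admin API access"; return 1 ;;
    404) echo "url: path not found, check Base URL"; return 1 ;;
    *) echo "http: unexpected status $2"; return 1 ;;
  esac
}

# check_pingfederate HOST PORT BASE_URL USERNAME CA_BUNDLE
check_pingfederate() {
  host=$1 port=$2 base=$3 user=$4 ca=$5
  printf 'Password for %s: ' "$user" >&2
  stty -echo; IFS= read -r pw; stty echo; echo >&2
  # Credentials go to curl through a config read from stdin, so they do not
  # appear in the process list or shell history. Assumes the password has no
  # double quote or backslash (those would need escaping in curl's config).
  status=$(printf 'user = "%s:%s"\n' "$user" "$pw" |
    curl --silent --output /dev/null --write-out '%{http_code}' \
      --config - --cacert "$ca" --max-time 10 \
      -H "Accept: application/json" -H "X-XSRF-Header: PingFederate" \
      "https://${host}:${port}${base}version")
  classify_result "$?" "$status"
}

# Usage (hypothetical host, user and CA path):
#   check_pingfederate pf.example.com 9999 /pf-admin-api/v1/ apiuser /etc/ssl/pf-ca.pem
```

A 200 from the version endpoint confirms reachability and that the credentials are accepted; role assignments are still verified under SYSTEM → Administrative Accounts as described in step 3.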

Onboarding PingFederate

  1. Go to (Menu) > CLM > ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
  3. Click the (Add) icon.
  4. Select the Ping Identity logo from the Vendors list.
  5. In the Server Details section, enter details as mentioned below.
    Table 1. Server Details - Field Description Table
    Fields | Description
    *Server Type | Select the server type. The default value is PingFederate.
    *Server name | Enter the name of the designated PingFederate server.
    *IP address/FQDN | Enter the IP address, short name, or fully qualified domain name (FQDN) of the server to be onboarded.
      Example:
      • IP Address: 127.0.0.1
      • Short name: server01
      • FQDN: server01.example.com
      Note: The Short name must be resolvable to its corresponding FQDN.
    *HTTPS Port | Enter the valid HTTPS port number that is required to remotely access iDRAC through the firewall.
    Data center | Select the data center from which communication is routed to the PingFederate instance.
    Onboarding Group | Select the onboarding group to which the device is assigned.
      Note: Devices without an assigned group are automatically mapped to the Default group during migration, onboarding, and when edited without existing group mappings.
    Proxy Required | Select the checkbox if a proxy is required.
    Cert sync | Choose one of the following:
      • Managed - AppViewX performs the config fetch operations, and the certificates are discovered and managed in the inventory. CLM actions (push & bind, rollback, etc.) can be performed on them.
      • Monitored - AppViewX performs the config fetch operations, and the certificates are downloaded to the inventory in a read-only state. CLM actions cannot be performed on them.
      • Ignored - AppViewX only performs the config fetch operations for the devices. No certificate discovery is performed.
    *: Mandatory fields
  6. In the Credentials section, select/enter the details as follows.
    Table 2. Credentials - Field Description Table
    Fields | Description
    *Credential Type | Select the credential type from the dropdown.
      • Manual entry (default)
      • Credential List - xyz (all the configured external vaults)
    *Username | This field is displayed only if the Credential Type = Manual. Enter the designated username for authentication.
    *Password | This field is displayed only if the Credential Type = Manual. Enter the secure password.
    *Credentials list | When Credential list - xyz is selected as the credential type, the Credentials List dropdown appears. Select the desired preconfigured credential list from the available options.
    *: Mandatory fields
  7. In the Vendor Specific Details section, enter details as mentioned below.
    Table 3. Vendor Specific Details - Field Description Table
    Fields | Description
    *Base URL | Enter the base URL to communicate with PingFederate API. For example, /pf-admin-api/v1/.
    *: Mandatory fields
  8. Click Save.
    The PingFederate device is onboarded successfully.

Validating the Device

After the device is onboarded successfully, follow these steps to validate the device communication with AppViewX:
  1. Go to ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
    The Server Inventory page is displayed.
  3. Check that the device name appears in the inventory (Name column) with the specified CertSync status (Status column).
    If the connection is successful, the Status column shows Managed, Monitored, or Ignored, according to the CertSync status; if the connection fails, it shows Failed or Unresolved.
  4. From the Status column, click Managed/Monitored.
    The Device Status Log pop-up is displayed.
  5. Expand each value in the pop-up to view Device communication, Device Version, Instance Information, and Certificate Discovery From Device.

Common Symptoms and Root Causes

Symptom | Likely Root Cause
Device communication failed. | The credentials provided were not recognized, or the user does not have Admin and Crypto Admin API access.
Device communication failed. Caused by: Unable to invoke rest service. | Invalid IP address/FQDN or invalid Base URL.

What's Next

Once you have onboarded and validated the device connection, you are ready to proceed with any of the following certificate actions: