Fortanix Key Insight - Azure Configuration For PingOne as Open ID Connect Identity Provider

  • Updated on Mar 12, 2025
  • Published on Jul 23, 2024
  • 5 minute(s) read

1.0 Introduction

The purpose of this article is to outline the necessary steps for configuring the connection between Fortanix Key Insight on Azure and PingOne as an Open ID Connect (OIDC) identity provider (IdP).

Federated authentication in Azure refers to the process of enabling users to access Azure resources using their existing credentials from an external identity provider (IdP), such as PingOne, Microsoft Entra ID, and so on.

Configuring PingOne as an Open ID Connect IdP in Azure involves the following steps:

  1. Register a client application with PingOne.

  2. Configure the redirect Uniform Resource Locator (URL) on the client application.

  3. Gather the Client ID, a unique identifier for your registered application.

  4. Gather the OpenID configuration document (well-known) URL specific to your IdP tenant or account.

  5. Provide permissions to your Azure application to scan Fortanix Key Insight Azure resources.

  6. Configure federated credentials in your Azure application to scan resources.

2.0 Register a Client Application with PingOne

Perform the following steps to register a client application with PingOne:

  1. Set up a single page application in PingOne.

    1. Navigate to the Applications section in the PingOne console and click the '+' icon next to the Applications title.

    2. Enter the Application Name, Description, and Icon fields as required.

    3. Select Single-Page as the Application Type.

    4. Save the application.

    Figure 1: Add a PingOne Application

    For more details, refer to Adding an Application.

  2. Edit the Configuration section of the application created in the previous step to include the following:

    1. Response Type: Code, Token, ID Token

    2. Grant Type: Authorization Code, Implicit, Refresh Token

    3. Redirect URIs: 

      https://armor.fortanix.com/system/discovery/oauth/callback

    4. Token Endpoint Authentication Method: None

    Figure 2: Application Configuration

    For more details, refer to Editing an application - OIDC.

  3. Enable the application created in Step 1 to save all configurations.

    Figure 3: Enable the PingOne Application

  4. Perform the following steps to register at least one user in your directory:

    1. Navigate to the Users section in the PingOne console and click the '+' icon next to the Users title.

    2. Enter all the required fields.

    3. Save the user.

    Figure 4: Create a User

3.0 Configure the Redirect URL on the Client Application

The redirect URL is the address to which PingOne forwards the OIDC response after authentication.

You can retrieve the redirect URL after registering your application with PingOne, as explained in Step 2 of Section 2.0: Register a Client Application with PingOne.

4.0 Gather the Client ID

A Client ID is a unique identifier for the registered client application. It allows you to validate the security tokens you receive from the IdP.

To retrieve the Client ID, copy the Client ID from the Configuration section of the OIDC application created in Step 1 of Section 2.0: Register a Client Application with PingOne.

NOTE

Ensure to record the Client ID value as it is necessary for the identity provider configuration when setting up the Azure cloud connection in the Fortanix Key Insight user interface (UI).

5.0 Gather the OpenID Configuration Document (Well-Known) URL

An OIDC provider provides a standard well-known URL that your client application can use to discover information about the provider's configuration dynamically.

This URL is specific to your IdP tenant or account.

To retrieve this value, copy the OIDC Discovery Endpoint from the Configuration → URLs section of the OIDC application created in Step 1 of Section 2.0: Register a Client Application with PingOne.

NOTE

Ensure to record the well-known URL value as it is necessary for the identity provider configuration when setting up the Azure cloud connection in the Fortanix Key Insight user interface (UI).

6.0 Provide Permissions to your Azure Application to Scan Resources

Applications are authorized to call APIs when they are granted permissions by users or administrators (admins) as part of the consent process.

Ensure you have added the following permissions to your Azure application to scan Azure resources on Fortanix Key Insight:

Figure 5: Configure Permissions

NOTE

The user_impersonation permissions may require user or admin consent based on the tenant's application consent policies. If admin consent is necessary, obtain admin consent for these permissions following your organization's security or IT policy before configuring federated authentication in Fortanix Key Insight.

For more details, refer to Overview of permissions and consent in the Microsoft identity platform.

7.0 Configure Federated Credentials in your Azure Application

You can configure federated credentials in your Azure application to scan Azure resources on Fortanix Key Insight.

In Azure, federated credentials refer to the capability of Microsoft Entra ID to enable users to access applications using their existing credentials from other trusted identity providers (IdPs) such as PingOne. This is achieved through federated authentication, which allows users to authenticate using their organization's identity system rather than their Azure app credentials.

To configure the federated credentials,

  1. Select your app in Azure App registrations. If you have not created one, refer to Quickstart: Register an Application with the Microsoft Identity Platform to create your Azure app.

  2. Navigate to Manage → Certificates & secrets.

  3. On the Certificates & secrets page, select Federated credentials and click Add credential to add a new federated credential.

    Figure 6: Access Federated Credentials

  4. On the Add a credential page, configure the details as shown below, and click Add to add the new federated credentials.

    Figure 7: Configure Federated Credentials

    • Federated credential scenario: The value must be Other issuer to configure an identity managed by an external OpenID Connect provider to get tokens as this application and access Azure resources.

    • Issuer URL: To retrieve this, copy the Issuer value from the Configuration → URLs section in the OIDC application created in Step 1 of Section 2.0: Register a Client Application with PingOne. The value is https://auth.pingone.com/<ENVIRONMENT_ID>/as.

    • Name: The name given for the credential.

    • (Optional) Description: The description of the credential, if any.

    • Subject identifier and Audience: These values help establish a connection between PingOne and your Azure app.

    NOTE

    You can retrieve the Subject identifier and Audience values from your PingOne app’s ID Token. For more details on how to obtain the ID Token, refer to Getting an Access Token.

    After you retrieve the ID Token, decode it using https://jwt.io and copy the following values to use them as your Subject identifier and Audience.

    Figure 8: Obtain Subject Identifier and Audience Values