{"id":11977,"date":"2026-01-30T14:09:48","date_gmt":"2026-01-30T19:09:48","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=11977"},"modified":"2026-02-06T19:34:14","modified_gmt":"2026-02-07T00:34:14","slug":"apache-oidc-authentication-to-pingfederate-or-pingid-using-oidc","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=11977","title":{"rendered":"Apache OIDC Authentication to PingFederate (or PingID) Using OIDC"},"content":{"rendered":"

This is kind of a silly update to my attempt to document using mod_auth_openidc in Apache<\/a>. At the time, I didn’t know who set up the PingFederate side of the connection, so I just used Google as the authentication provider. Five years later, I\u00a0am<\/em> one of the people setting up the connections and can finally finish the other side. So here is an update — now using PingFederate as the OIDC\/OAUTH provider.<\/p>\n

OAUTH Client Setup \u2013 Apache<\/h2>\n

First, make sure mod_auth_openidc is installed<\/p>\n

<\/p>\n

In your Apache config, you can add authentication to the entire site or just specific paths under the site. In this example, we are creating an authenticated sub-directory at \/authtest<\/p>\n

In the virtual host, I am adding an alias for the protected path as \/authtest, configuring the directory, and configuring the location to require valid-user using openid-connect. I am then configuring the OIDC connection.<\/p>\n

The OIDCClientID and OIDCClientSecret will be provided to you after the connection is set up in PingID. Just put placeholders in until the real values are known.<\/p>\n

The OIDCRedirectURI needed to be a path under<\/em> the protected directory for me \u2013 the Apache module handles the callback. Provide this path on the OIDC connection request.<\/p>\n

The OIDCCryptoPassphrase just needs to be a long pseudo-random string. It can include special characters.<\/p>\n

# Serve \/authtest from local filesystem\r\nAlias \/authtest \"\/var\/www\/vhtml\/sandbox\/authtest\/\"\r\n\r\n<Directory \"\/var\/www\/vhtml\/sandbox\/authtest\">\r\nOptions -Indexes +FollowSymLinks\r\nAllowOverride None\r\nRequire all granted\r\n<\/Directory>\r\n\r\n# mod_auth_openidc configuration for Ping (PingFederate\/PingID)\r\n# The firewall will need to be configured to allow web server to communicate with this host\r\nOIDCProviderMetadataURL https:\/\/login-dev.windstream.com\/.well-known\/openid-configuration<\/a>\r\n\r\n# The ID and secret will be provided to you\r\nOIDCClientID d5d53555-7525-4555-a565-b525c59545d5\r\nOIDCClientSecret p78\u2026Q2kxB\r\n\r\n# Redirect\/callback URI \u2013 provide this in the request form for the callback URL\r\nOIDCRedirectURI https:\/\/www.rushworth.us\/authtest\/callback\r\n\r\n# Session\/cookie settings \u2013 you make up the OIDCCryptoPassphrase\r\nOIDCCryptoPassphrase \"\u2026T9y\"\r\nOIDCCookiePath \/authtest\r\nOIDCSessionInactivityTimeout 3600\r\nOIDCSessionMaxDuration 28800\r\n\r\n# Scopes and client auth\r\nOIDCScope \"openid profile email\"\r\nOIDCRemoteUserClaim preferred_username\r\nOIDCProviderTokenEndpointAuth client_secret_basic\r\n\r\n# If Ping's TLS cert at https:\/\/localhost:9031 isn't trusted by the OS CA store,\r\n# install the proper CA chain, or temporarily disable validation (not recommended long-term):\r\n# OIDCSSLValidateServer Off\r\n\r\n# Protect the URL path with OIDC\r\n<Location \/authtest>\r\nAuthType openid-connect\r\nRequire valid-user\r\nOIDCUnAuthAction auth\r\n<\/Location><\/pre>\n
Sample web code for the \u201cprotected\u201d page if you want to use the user\u2019s ID. The user\u2019s email is found at $_server[\u2018OIDC_CLAIM_email\u2019]<\/p>\n
[lisa@fedora conf.d]# cat \/var\/www\/vhtml\/sandbox\/authtest\/index.php\r\n<?php\r\n     if( isset($_SERVER['OIDC_CLAIM_iss']) && $_SERVER['OIDC_CLAIM_iss'] == \"https:\/\/login-dev.windstream.com\"){\r\n          echo \"I trust you are \" . $_SERVER['OIDC_CLAIM_username'] . \"\\n\";\r\n     }\r\n\r\nelse{\r\n     print \"Not authenticated ... \\n\";\r\n     print \"<UL>\\n\";\r\n     foreach($_SERVER as $key_name => $key_value) {\r\n          print \"<LI>\" . $key_name . \" = \" . $key_value . \"\\n\";\r\n     }\r\n     \r\n     print \"<\/UL>\\n\";\r\n}\r\n?><\/pre>\n
Results on the web page \u2013 user will be directed to PingID to authenticate, and you will verify that login-dev.windstream.com (or login.windstream.com in production) has authenticated them as the OIDC_CLAIM_username value:<\/p>\n
<\/p>\n
OAUTH Client Setup \u2013 PingID<\/h2>\n
Client auth, add redirect URLs<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
 <\/p>\n","protected":false},"excerpt":{"rendered":"
This is kind of a silly update to my attempt to document using mod_auth_openidc in Apache. At the time, I didn’t know who set up the PingFederate side of the connection, so I just used Google as the authentication provider. Five years later, I\u00a0am one of the people setting up the connections and can finally …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[31,1122,2167,326],"class_list":["post-11977","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-apache","tag-apache-httpd","tag-oidc","tag-sso"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/11977","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=11977"}],"version-history":[{"count":3,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/11977\/revisions"}],"predecessor-version":[{"id":12011,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/11977\/revisions\/12011"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=11977"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=11977"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=11977"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}