How to Configure SSO for PingFederate in the Enterprise Web Console

    This guide walks through configuring PingFederate as an OpenID Connect (OIDC) identity provider for the Backblaze enterprise web console using the Authorization Code flow with PKCE (S256).

    Enable OAuth in PingFederate

    1. In PingFederate, click System in the top navigation.

    2. Click OAuth Settings.

    3. Verify that Enable OAuth Authorization Server is selected.

    4. Click Save.

    Create an OAuth client

    1. In the top navigation, click Applications > OAuth > Clients.

    2. Click Add Client.

    3. Configure general client settings.

      1. In the Client ID field, enter a unique identifier (for example, backblaze-ewc).

      2. In the Name field, enter a unique name (for example, Backblaze EWC).

      3. (Optional) Enter a description.

      4. Leave other fields as default.

    4. Configure client authentication.

      1. Set Client Authentication to None.

    5. Configure Allowed Grant Types.

      1. Scroll to Allowed Grant Types and select Authorization Code.

      2. Clear all other grant types if selected.

    6. Configure Redirect URIs.

      1. Scroll to Redirect URIs, and click Add.

      2. Enter https://secure.backblaze.com/api/bz_oauth_sso_callback.

      3. Click Add.

      4. Confirm the URI appears exactly as entered.

    7. Configure Post-Logout Redirect URIs.

      1. Scroll to Post-Logout Redirect URIs, and click Add.

      2. Enter https://secure.backblaze.com/user_signin.htm.

      3. Click Add.

    8. Configure PKCE.

      1. Scroll to Require Proof Key for Code Exchange (PKCE).

      2. Select Require Proof Key for Code Exchange (PKCE).

      This enables PKCE for the client.

      (Optional) To enforce the use of the S256 method only, configure the authorization server to disallow the plain PKCE code challenge method.

    9. Configure Allowed Scopes.

      1. Scroll to Allowed Scopes and select:

        • openid

        • profile

        • email

    10. Configure Access Token Manager.

      1. Scroll to Default Access Token Manager, and select Default OAuth Token Manager.

      This setting is required. If no access token manager is selected, authentication will fail.

    11. Configure ID token attributes.

      1. Scroll to ID Token Attribute Contract.

      2. Click Add, enter sub, then click Add.

      3. Click Add, enter email, then click Add.

      4. (Optional) Click Add, enter name, then click Add.

      5. Click Attribute Mapping.

      6. Map attributes:

        • sub → unique user identifier

        • email → user email (for example, mail)

        • name → display name

      7. Click Save.

    12. Click Save.

    13. Confirm the client appears in the list and is enabled.
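    The PKCE setting in step 8 (and the optional S256-only hardening) describes what the client and the PingFederate token endpoint do with the code verifier and challenge. The following is an added example, not code from Backblaze or Ping Identity: it implements the RFC 7636 S256 transform the way a client would generate it and the way an authorization server would check it, with the `allow_plain` switch modelling the "disallow the plain method" option. Function names are the author's own.

```python
import base64
import hashlib
import secrets

# Unreserved characters permitted in a code_verifier (RFC 7636, section 4.1).
VERIFIER_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def b64url_nopad(raw: bytes) -> str:
    """Base64url encoding with the '=' padding stripped, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(length: int = 64) -> str:
    """Client side: a fresh, high-entropy code_verifier of 43..128 characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier length must be between 43 and 128")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def make_code_challenge(verifier: str) -> str:
    """S256 transform sent on the authorization request:
    code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_code_challenge(
    verifier: str, challenge: str, method: str, allow_plain: bool = False
) -> bool:
    """Server side, at the token endpoint: recompute the challenge from the
    verifier presented with the authorization code and compare it with the
    challenge stored from the authorization request.

    allow_plain=False mirrors the page's optional hardening: a request that
    used code_challenge_method=plain is refused even if the values match.
    """
    if method == "S256":
        expected = make_code_challenge(verifier)
    elif method == "plain" and allow_plain:
        expected = verifier
    else:
        return False
    # Constant-time comparison so the check does not leak via timing.
    return secrets.compare_digest(expected, challenge)


if __name__ == "__main__":
    v = make_code_verifier()
    c = make_code_challenge(v)
    print("code_verifier :", v)
    print("code_challenge:", c)
    print("S256 accepted :", verify_code_challenge(v, c, "S256"))
    print("plain accepted:", verify_code_challenge(v, v, "plain"))
```

    Because the verifier never leaves the client until the token request, an attacker who intercepts only the authorization code cannot redeem it; leaving `plain` disabled removes the one method where the challenge and verifier are identical on the wire.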

    Retrieve the OIDC issuer URL

    1. Open a browser.

    2. Navigate to https://<your-pingfederate-domain>/.well-known/openid-configuration.

    3. Locate the issuer value.

    4. Copy the issuer URL exactly.
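    Before pasting the issuer into the console, it is worth checking that the discovery document actually advertises what the client created above relies on. The following is an added example, not Backblaze or Ping Identity code: it fetches the `.well-known/openid-configuration` document for a base URL and checks that the issuer matches the location it was fetched from, that `authorization_code` and `S256` are supported, that the `openid`, `profile` and `email` scopes are listed, and that the `none` client-authentication method is available. The sample document is constructed for the example; `sso.example.com` and the endpoint paths are placeholders, not a real deployment.

```python
import json
import urllib.request
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample discovery document, shaped like a PingFederate response.
# sso.example.com is a placeholder host for this example.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://sso.example.com",
    "authorization_endpoint": "https://sso.example.com/as/authorization.oauth2",
    "token_endpoint": "https://sso.example.com/as/token.oauth2",
    "jwks_uri": "https://sso.example.com/pf/JWKS",
    "grant_types_supported": ["authorization_code", "implicit", "client_credentials"],
    "code_challenge_methods_supported": ["S256", "plain"],
    "scopes_supported": ["openid", "profile", "email", "address"],
    "token_endpoint_auth_methods_supported": ["none", "client_secret_basic"],
})

REQUIRED_SCOPES = ("openid", "profile", "email")


def discovery_url(base_url: str) -> str:
    """Well-known location for an issuer's discovery document."""
    return base_url.rstrip("/") + "/.well-known/openid-configuration"


def fetch_discovery(base_url: str, timeout: float = 10.0) -> Dict:
    """Fetch and parse the discovery document over HTTPS (network call)."""
    with urllib.request.urlopen(discovery_url(base_url), timeout=timeout) as resp:
        return json.load(resp)


def check_discovery(doc: Dict, base_url: str) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for the authorization-code + PKCE setup on this page.
    An empty errors list means the issuer value can be copied into the console."""
    errors: List[str] = []
    warnings: List[str] = []

    issuer = doc.get("issuer")
    if not issuer:
        errors.append("issuer missing from discovery document")
    else:
        u = urlparse(issuer)
        if u.scheme != "https":
            errors.append("issuer must use https")
        if u.query or u.fragment:
            errors.append("issuer must not contain a query or fragment")
        # OIDC Discovery: the issuer must equal the location the document was served from.
        if issuer.rstrip("/") != base_url.rstrip("/"):
            errors.append(f"issuer {issuer!r} does not match discovery location {base_url!r}")

    # Per the spec, an absent grant_types_supported means authorization_code and implicit.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        errors.append("authorization_code grant not supported")

    methods = doc.get("code_challenge_methods_supported", [])
    if "S256" not in methods:
        errors.append("S256 PKCE method not advertised")
    if "plain" in methods:
        warnings.append("plain PKCE method still advertised; consider disallowing it")

    scopes = doc.get("scopes_supported")
    if scopes is not None:
        missing = [s for s in REQUIRED_SCOPES if s not in scopes]
        if missing:
            errors.append("required scopes not advertised: " + ", ".join(missing))

    # Default per spec is client_secret_basic; the client above uses no secret.
    auth_methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if "none" not in auth_methods:
        warnings.append("token endpoint does not list auth method 'none' (public client)")

    return errors, warnings


if __name__ == "__main__":
    doc = json.loads(SAMPLE_DISCOVERY)
    errs, warns = check_discovery(doc, "https://sso.example.com")
    print("issuer to copy:", doc["issuer"])
    print("errors:", errs)
    print("warnings:", warns)
```

    Run it against the live server by replacing the sample with `fetch_discovery("https://<your-pingfederate-domain>")`; the issuer comparison catches the common mistake of pasting a URL with a different host, port or trailing path than the one PingFederate signs tokens with.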

    Configure SSO in the enterprise web console

    1. Sign in to the enterprise web console.

    2. In the left navigation menu under Access Control, click Users.

    3. Select the Identity Provider tab.

    4. Click Setup SSO.

    5. Enter the following values from the above steps:

      • OIDC Issuer

      • Client ID

      • Leave Client Secret blank.

    6. Turn on the Enable PKCE toggle.

    7. Click Save.
