### Execute One-Shot Script with PingToolkit Source: https://context7.com/pingidentity/pingidentity-server-profiles/llms.txt This command executes a specific startup script from a server profile using PingToolkit and then exits. It's useful for one-time setup tasks. ```bash # Execute a one-shot script from the profile and exit docker run \ --env SERVER_PROFILE_URL=https://github.com/pingidentity/pingidentity-server-profiles.git \ --env SERVER_PROFILE_PATH=getting-started/pingtoolkit \ --env STARTUP_COMMAND=/opt/out/instance/bin/hello.sh \ pingidentity/pingtoolkit:edge ``` -------------------------------- ### Execute Command in Ping Toolkit Container Source: https://github.com/pingidentity/pingidentity-server-profiles/blob/master/getting-started/pingtoolkit/README.md Starts a Ping Toolkit container and executes a specified command (e.g., 'ls -l /opt') upon startup. The container will exit after the command completes. ```bash docker run \ --env STARTUP_COMMAND=ls \ --env STARTUP_FOREGROUND_OPTS="-l /opt" \ pingidentity/pingtoolkit:edge ``` -------------------------------- ### Run Default Ping Toolkit Container Source: https://github.com/pingidentity/pingidentity-server-profiles/blob/master/getting-started/pingtoolkit/README.md Starts a Ping Toolkit container in detached mode and lists running containers. The container will be in a holding state. ```bash docker run -d --name pingtoolkit pingidentity/pingtoolkit:edge docker container ls ``` -------------------------------- ### PingDirectory LDIF for Structure Initialization Source: https://context7.com/pingidentity/pingidentity-server-profiles/llms.txt LDIF file to define the directory structure for the userRoot backend. This file is loaded during initial container setup. ```ldif # baseline/pingdirectory/pd.profile/ldif/userRoot/00-structure.ldif ``` -------------------------------- ### Run PingToolkit with Server Profile Source: https://context7.com/pingidentity/pingidentity-server-profiles/llms.txt This command runs PingToolkit with a specified server profile URL and path. The profile can provide scripts to be executed before main pods start in a Kubernetes environment. ```bash # Run with a server profile that provides scripts docker run -d --name pingtoolkit \ --env SERVER_PROFILE_URL=https://github.com/pingidentity/pingidentity-server-profiles.git \ --env SERVER_PROFILE_PATH=getting-started/pingtoolkit \ pingidentity/pingtoolkit:edge ``` -------------------------------- ### PingDirectory and PingDirectoryProxy Entry Balancing Source: https://context7.com/pingidentity/pingidentity-server-profiles/llms.txt This configuration demonstrates an entry-balancing setup using PingDirectoryProxy to front multiple PingDirectory backends. It requires PingDirectory image version 2210 or later and specifies server profiles for both PingDirectory and PingDirectoryProxy. ```yaml services: pingdirectory: image: pingidentity/pingdirectory:${PING_IDENTITY_DEVOPS_TAG} environment: - SERVER_PROFILE_URL=https://github.com/pingidentity/pingidentity-server-profiles.git - SERVER_PROFILE_PATH=entry-balancing/pingdirectory pingdirectoryproxy: image: pingidentity/pingdirectoryproxy:${PING_IDENTITY_DEVOPS_TAG} environment: - SERVER_PROFILE_URL=https://github.com/pingidentity/pingidentity-server-profiles.git - SERVER_PROFILE_PATH=entry-balancing/pingdirectoryproxy ``` -------------------------------- ### Pre-Setup Hook Script for Dynamic Variables Source: https://context7.com/pingidentity/pingidentity-server-profiles/llms.txt This hook script modifies the CONTAINER_ENV file before product setup. It derives BASE_VALUE, BASE_ATTRIBUTE, and BASE_CLASS from USER_BASE_DN. ```bash # Derive BASE_VALUE, BASE_ATTRIBUTE, and BASE_CLASS from USER_BASE_DN at runtime #!/usr/bin/env sh computedDomain=$(echo "${USER_BASE_DN}" | sed 's/^dc=\([^,]*\).*/\1/') computedOrg=$(echo "${USER_BASE_DN}" | sed 's/^o=\([^,]*\).*/\1/') if ! test "${USER_BASE_DN}" = "${computedDomain}"; then cat <> "${CONTAINER_ENV}" BASE_VALUE=${computedDomain} BASE_ATTRIBUTE=dc BASE_CLASS=domain END_DOMAIN elif ! test "${USER_BASE_DN}" = "${computedOrg}"; then cat <> "${CONTAINER_ENV}" BASE_VALUE=${computedOrg} BASE_ATTRIBUTE=o BASE_CLASS=organization END_ORG else echo_red "ERROR: USER_BASE_DN must be dc= or o=" exit 183 fi ``` -------------------------------- ### PingFederate NATIVE_S3_PING Multi-Cluster Kubernetes Environment Variables Source: https://context7.com/pingidentity/pingidentity-server-profiles/llms.txt This example shows environment variables for a multi-region Kubernetes deployment of PingFederate using NATIVE_S3_PING for cluster membership. It configures S3 bucket details for storing the cluster membership list and specifies the adaptive clustering region. ```yaml services: pingfederate: image: pingidentity/pingfederate:${PING_IDENTITY_DEVOPS_TAG} environment: - SERVER_PROFILE_URL=https://github.com/pingidentity/pingidentity-server-profiles.git - SERVER_PROFILE_PATH=pf-k8s-multi-clustering-native-s3-ping/pingfederate - SERVER_PROFILE_PARENT=BASELINE - SERVER_PROFILE_BASELINE_URL=https://github.com/pingidentity/pingidentity-server-profiles.git - SERVER_PROFILE_BASELINE_PATH=baseline/pingfederate - S3_BUCKET_NAME=pf-cluster-list - S3_BUCKET_REGION=us-west-2 - PF_NODE_GROUP_ID=us-west-2 - OPERATIONAL_MODE=CLUSTERED_ENGINE ``` -------------------------------- ### Initialize Ping Toolkit with Server Profile Source: https://github.com/pingidentity/pingidentity-server-profiles/blob/master/getting-started/pingtoolkit/README.md Runs a Ping Toolkit container, initializing it with a server profile from a Git repository. The server profile contents are placed in /opt/staging. ```bash docker run -d --name pingtoolkit \ --env SERVER_PROFILE_URL=https://github.com/pingidentity/pingidentity-server-profiles.git \ --env SERVER_PROFILE_PATH=getting-started/pingtoolkit \ pingidentity/pingtoolkit:edge docker container exec -it pingtoolkit sh # run following command in container ls /opt/staging ``` -------------------------------- ### Execute Script from Server Profile Source: https://github.com/pingidentity/pingidentity-server-profiles/blob/master/getting-started/pingtoolkit/README.md Runs a Ping Toolkit container, initializes it with a server profile, and executes a script (e.g., 'hello.sh') located within the server profile's instance directory. ```bash docker run \ --env SERVER_PROFILE_URL=https://github.com/pingidentity/pingidentity-server-profiles.git \ --env SERVER_PROFILE_PATH=getting-started/pingtoolkit \ --env STARTUP_COMMAND=/opt/out/instance/bin/hello.sh \ pingidentity/pingtoolkit:edge ``` -------------------------------- ### Execute One-Shot Command with PingToolkit Source: https://context7.com/pingidentity/pingidentity-server-profiles/llms.txt This command runs a simple command (e.g., 'ls') using PingToolkit and exits. The STARTUP_FOREGROUND_OPTS environment variable can be used to pass arguments to the command. ```bash # Run a one-shot command (list /opt directory) and exit docker run \ --env STARTUP_COMMAND=ls \ --env STARTUP_FOREGROUND_OPTS="-l /opt" \ pingidentity/pingtoolkit:edge ``` -------------------------------- ### Enable PingDirectory Changelog Backend Source: https://context7.com/pingidentity/pingidentity-server-profiles/llms.txt Enable the changelog backend for PingDataSync replication. The changelog-maximum-age can be adjusted as needed. ```bash dsconfig set-backend-prop \ --backend-name changelog \ --set enabled:true \ --set "changelog-maximum-age:2 h" ``` -------------------------------- ### Docker Compose for Baseline Full-Stack Deployment Source: https://context7.com/pingidentity/pingidentity-server-profiles/llms.txt Defines the services, environments, and networks for a full-stack PingIdentity deployment. Use this to orchestrate the startup of PingAccess, PingFederate, PingDirectory, and PingDataConsole. ```yaml version: "3.1" services: pingaccess: image: pingidentity/pingaccess:${PING_IDENTITY_DEVOPS_TAG} command: wait-for pingfederate:9031 -t 420 -- entrypoint.sh start-server environment: - SERVER_PROFILE_URL=https://github.com/pingidentity/pingidentity-server-profiles.git - SERVER_PROFILE_PATH=baseline/pingaccess env_file: - ~/.pingidentity/config # To use a local checkout instead of the remote git URL: # volumes: # - ${HOME}/pingidentity-server-profiles/baseline/pingaccess:/opt/in ports: - 1443:1443 - 9000:9000 networks: - pingnet-dmz pingfederate: image: pingidentity/pingfederate:${PING_IDENTITY_DEVOPS_TAG} environment: - SERVER_PROFILE_URL=https://github.com/pingidentity/pingidentity-server-profiles.git - SERVER_PROFILE_PATH=baseline/pingfederate env_file: - ~/.pingidentity/config ports: - 9031:9031 - 9999:9999 networks: - pingnet-dmz - pingnet-internal pingdirectory: image: pingidentity/pingdirectory:${PING_IDENTITY_DEVOPS_TAG} environment: - SERVER_PROFILE_URL=https://github.com/pingidentity/pingidentity-server-profiles.git - SERVER_PROFILE_PATH=baseline/pingdirectory env_file: - ~/.pingidentity/config ports: - 1636-1646:1636 - 1443-1453:1443 networks: - pingnet-internal pingdataconsole: image: pingidentity/pingdataconsole:${PING_IDENTITY_DEVOPS_TAG} ports: - 8443:8443 networks: - pingnet-internal networks: pingnet-internal: pingnet-dmz: ``` -------------------------------- ### Configure PingDirectory Consent Service Source: https://context7.com/pingidentity/pingidentity-server-profiles/llms.txt Uses dsconfig commands to set up the Consent Service in PingDirectory. This includes creating consent definitions, localizations, an identity mapper, and an access token validator. ```bash # baseline/pingdirectory/pd.profile/dsconfig/40-consent.dsconfig dsconfig create-consent-definition \ --definition-name email \ --set 'display-name:Email Address' \ --set 'description:Share your email address' dsconfig create-consent-definition-localization \ --definition-name email \ --localization-name en-US \ --set version:1.0 \ --set 'title-text:Share your email address' \ --set 'data-text:Your email address' \ --set 'purpose-text:Join Mailing List' dsconfig create-identity-mapper \ --mapper-name user-id-identity-mapper \ --type exact-match \ --set enabled:true \ --set match-attribute:uid \ --set match-base-dn:ou=people,${USER_BASE_DN} dsconfig create-access-token-validator \ --validator-name mock-access-token-validator \ --type mock \ --set identity-mapper:user-id-identity-mapper \ --set enabled:true dsconfig set-consent-service-prop \ --set enabled:true \ --set base-dn:ou=Consents,${USER_BASE_DN} \ --set 'bind-dn:cn=consent service account' \ --set consent-record-identity-mapper:user-id-identity-mapper \ --set unprivileged-consent-scope:consent \ --set privileged-consent-scope:consent_admin ``` -------------------------------- ### Sample User Entries for PingFederate Source: https://context7.com/pingidentity/pingidentity-server-profiles/llms.txt Provides sample user entries in LDIF format, including 'pf-connected-identities' attributes, which are used for PingFederate local identity integration. ```ldif # baseline/pingdirectory/pd.profile/ldif/userRoot/10-users.ldif # Sample user entries with pf-connected-identities for PingFederate local identity dn: uid=user.0,ou=People,${USER_BASE_DN} objectClass: inetOrgPerson objectClass: pf-connected-identities sn: Raeann cn: user.0 uid: user.0 mail: user.0@example.com userPassword: 2FederateM0re pf-connected-identity: auth-source=pf-local-identity:user-id=user.0 dn: uid=administrator,ou=People,${USER_BASE_DN} objectClass: inetOrgPerson objectClass: pf-connected-identities sn: PingFederate cn: Administrator uid: administrator userPassword: 2FederateM0re ``` -------------------------------- ### Enable JMX over Jolokia for PingDirectory Source: https://context7.com/pingidentity/pingidentity-server-profiles/llms.txt These commands enable JMX over Jolokia for PingDirectory, allowing JMX metrics to be accessed via HTTP. This is a prerequisite for monitoring tools like Telegraf. ```bash # monitoring/pingdirectory/jolokia/pd.profile/dsconfig/67-jolokia.dsconfig # Enable JMX over Jolokia for PingDirectory dsconfig set-global-configuration-prop --set allow-insecure-local-jmx-connections:true dsconfig create-web-application-extension \ --extension-name jolokia \ --set base-context-path:/jolokia \ --set document-root-directory:webapps/jolokia dsconfig set-connection-handler-prop \ --handler-name "HTTPS Connection Handler" \ --add web-application-extension:jolokia ``` -------------------------------- ### Configure Encrypted Daily Backup with dsconfig Source: https://context7.com/pingidentity/pingidentity-server-profiles/llms.txt Configure the recurring LDIF export task for encrypted backups. The ldif-directory and encrypt settings are crucial. ```bash dsconfig set-recurring-task-prop \ --task-name "Export All Non-Administrative Backends" \ --set 'description:Exports the contents of all non-administrative backends to LDIF, gzip-compressed and encrypted.' \ --set ldif-directory:/opt/backup \ --set encrypt:true ``` -------------------------------- ### Configure Splunk Log Formatting for PingFederate Source: https://context7.com/pingidentity/pingidentity-server-profiles/llms.txt This configuration snippet shows how to apply the splunk-sample profile as an outer layer over a baseline profile for PingFederate. It sets environment variables to specify the Git repository and paths for both the Splunk formatting layer and the baseline configuration. ```yaml services: pingfederate: image: pingidentity/pingfederate:${PING_IDENTITY_DEVOPS_TAG} environment: # Outer layer: Splunk log formatting - SERVER_PROFILE_URL=https://github.com/pingidentity/pingidentity-server-profiles.git - SERVER_PROFILE_PATH=splunk-sample/pingfederate - SERVER_PROFILE_PARENT=BASELINE # Base layer: standard configuration - SERVER_PROFILE_BASELINE_URL=https://github.com/pingidentity/pingidentity-server-profiles.git - SERVER_PROFILE_BASELINE_PATH=baseline/pingfederate ``` -------------------------------- ### Configure PingDirectoryProxy Automatic Server Discovery Source: https://context7.com/pingidentity/pingidentity-server-profiles/llms.txt Use this snippet to configure PingDirectoryProxy for automatic discovery of PingDirectory backends. It supports multi-region deployments by deriving failover locations from K8S_CLUSTERS and K8S_CLUSTER environment variables. ```yaml # Kubernetes deployment snippet services: pingdirectoryproxy: image: pingidentity/pingdirectoryproxy:${PING_IDENTITY_DEVOPS_TAG} environment: - SERVER_PROFILE_URL=https://github.com/pingidentity/pingidentity-server-profiles.git - SERVER_PROFILE_PATH=pingdirectoryproxy-automatic-server-discovery/pingdirectoryproxy # Required for multi-region failover hook - JOIN_PD_TOPOLOGY=true # Comma-separated list of all cluster names - K8S_CLUSTERS=us-east-1,us-west-2 # The local cluster name (used as the local proxy location) - K8S_CLUSTER=us-east-1 # Optional: explicit ordered failover preference - PREFERRED_FAILOVER_LOCATIONS=us-west-2 ``` -------------------------------- ### Configure PingDirectory Delegated Admin API Source: https://context7.com/pingidentity/pingidentity-server-profiles/llms.txt Configures the Delegated Admin REST API in PingDirectory, including defining resource types for users and groups, and setting up token validation against PingFederate. ```bash # baseline/pingdirectory/pd.profile/dsconfig/50-delegated-admin.dsconfig # Create REST resource types exposed via the Delegated Admin API dsconfig create-rest-resource-type \ --type user \ --type-name users \ --set "display-name:Users" \ --set enabled:true \ --set "search-base-dn:ou=people,${USER_BASE_DN}" \ --set primary-display-attribute-type:cn \ --set resource-endpoint:users \ --set structural-ldap-objectclass:inetOrgPerson dsconfig create-rest-resource-type \ --type group \ --type-name groups \ --set "display-name:Groups" \ --set enabled:true \ --set "search-base-dn:ou=groups,${USER_BASE_DN}" \ --set resource-endpoint:groups \ --set structural-ldap-objectclass:groupOfUniqueNames # Token validation against PingFederate dsconfig create-external-server \ --server-name pingfederate \ --type http \ --set "base-url:https://${PF_ENGINE_PRIVATE_HOSTNAME}:${PF_ENGINE_PRIVATE_PORT_HTTPS}" \ --set "hostname-verification-method:allow-all" \ --set "trust-manager-provider:Blind Trust" dsconfig create-access-token-validator \ --validator-name "pingfederate-validator" \ --type "ping-federate" \ --set enabled:true \ --set "identity-mapper:entryUUIDMatch" \ --set "authorization-server:pingfederate" \ --set "client-id:pingdirectory" \ --set "client-secret:2FederateM0re" ``` -------------------------------- ### Grant Admin Rights with dsconfig Source: https://context7.com/pingidentity/pingidentity-server-profiles/llms.txt Use this command to grant administrative rights to a user. Ensure the USER_BASE_DN environment variable is set. ```bash dsconfig create-delegated-admin-rights \ --rights-name deladmin \ --set enabled:true \ --set admin-user-dn:uid=administrator,ou=people,${USER_BASE_DN} ``` -------------------------------- ### PingDirectory dsconfig for Root DNs Source: https://context7.com/pingidentity/pingidentity-server-profiles/llms.txt Configures root DN users for PingDirectory, including the Directory Manager and service accounts for peer products. Variables are available via environment substitution. ```bash # baseline/pingdirectory/pd.profile/dsconfig/10-root-dns.dsconfig # Create service account root DN users consumed by peer products dsconfig set-root-dn-user-prop \ --user-name "Directory Manager" \ --add "alternate-bind-dn:${ROOT_USER_DN}" dsconfig create-root-dn-user \ --user-name "pingdatasync" \ --set alternate-bind-dn:cn=sync \ --set inherit-default-root-privileges:false \ --set privilege:bypass-acl \ --set privilege:bypass-pw-policy \ --set privilege:config-read \ --set privilege:password-reset \ --set privilege:unindexed-search \ --set password<${ROOT_USER_PASSWORD_FILE} dsconfig create-root-dn-user \ --user-name pingfederate \ --set alternate-bind-dn:cn=pingfederate \ --set inherit-default-root-privileges:false \ --set privilege:password-reset \ --set privilege:proxied-auth \ --set privilege:unindexed-search \ --set privilege:config-read \ --set is-proxyable:prohibited \ --set password<${ROOT_USER_PASSWORD_FILE} dsconfig create-root-dn-user \ --user-name pingauthorize \ --set alternate-bind-dn:cn=pingauthorize \ --set inherit-default-root-privileges:false \ --set privilege:password-reset \ --set privilege:proxied-auth \ --set privilege:unindexed-search \ --set search-result-entry-limit:100000 \ --set password<${ROOT_USER_PASSWORD_FILE} ``` -------------------------------- ### Run PingToolkit Standalone Source: https://context7.com/pingidentity/pingidentity-server-profiles/llms.txt This command runs the PingToolkit container in detached mode. PingToolkit is a minimal Alpine container with Ping Identity Docker hooks, useful as a Kubernetes init container. ```bash # Run PingToolkit standalone (enters a holding tail -f /dev/null state) docker run -d --name pingtoolkit pingidentity/pingtoolkit:edge ``` -------------------------------- ### PingAccess Environment Variables Source: https://context7.com/pingidentity/pingidentity-server-profiles/llms.txt Configures environment variables for PingAccess, including log level and hostnames. This file overrides image defaults. ```bash # baseline/pingaccess/env_vars # .suppress-container-warning disables a warning that this file overrides image defaults export PA_LOG_LEVEL=${PA_LOG_LEVEL:=INFO} export PF_ENGINE_PRIVATE_HOSTNAME=${PF_ENGINE_PRIVATE_HOSTNAME:=pingfederate} export PF_ENGINE_PRIVATE_PORT_HTTPS=${PF_ENGINE_PRIVATE_PORT_HTTPS:=9031} export PF_ADMIN_PRIVATE_HOSTNAME=${PF_ADMIN_PRIVATE_HOSTNAME:=pingfederate} export PF_ADMIN_PORT=${PF_ADMIN_PORT:=9999} export PD_ENGINE_PRIVATE_HOSTNAME=${PD_ENGINE_PRIVATE_HOSTNAME:=pingdirectory} export PD_ENGINE_PRIVATE_PORT_HTTPS=${PD_ENGINE_PRIVATE_PORT_HTTPS:=1443} export PING_IDENTITY_PASSWORD=${PING_IDENTITY_PASSWORD:=2FederateM0re} export PA_CONSOLE_HOST=${PA_CONSOLE_HOST:=pingaccess-admin} export PA_ADMIN_PRIVATE_HOSTNAME=${PA_ADMIN_PRIVATE_HOSTNAME:=pingaccess-admin} export PA_ADMIN_PRIVATE_PORT_HTTPS=${PA_ADMIN_PRIVATE_PORT_HTTPS:=9000} ``` -------------------------------- ### Display Action Buttons Source: https://github.com/pingidentity/pingidentity-server-profiles/blob/master/oauthplayground-ciba/pingfederate/instance/server/default/conf/template/request.approval.page.html Displays localized text for 'allow' and 'deny' action buttons. ```HTML/JSP $pluginTemplateMessages.getMessage("allow") $pluginTemplateMessages.getMessage("deny") ``` -------------------------------- ### Layered PingFederate Profiles with Docker Compose Source: https://context7.com/pingidentity/pingidentity-server-profiles/llms.txt This Docker Compose configuration demonstrates layering multiple PingFederate server profiles using SERVER_PROFILE_PARENT. Each layer builds upon the previous one. ```yaml version: "3.1" services: pingfederate: image: pingidentity/pingfederate:${PING_IDENTITY_DEVOPS_TAG} environment: # Layer 1 (outermost/applied last): Product license - SERVER_PROFILE_URL=https://github.com/pingidentity/pingidentity-server-profiles.git - SERVER_PROFILE_PATH=layered-profiles/license/pingfederate - SERVER_PROFILE_PARENT=EXTENSIONS # Layer 2: AWS, Azure AD, Slack connector extensions (JAR files) - SERVER_PROFILE_EXTENSIONS_URL=https://github.com/pingidentity/pingidentity-server-profiles.git - SERVER_PROFILE_EXTENSIONS_PATH=layered-profiles/extensions/pingfederate - SERVER_PROFILE_EXTENSIONS_PARENT=OAUTH # Layer 3: OAuth configuration overlay - SERVER_PROFILE_OAUTH_URL=https://github.com/pingidentity/pingidentity-server-profiles.git - SERVER_PROFILE_OAUTH_PATH=layered-profiles/oauth/pingfederate - SERVER_PROFILE_OAUTH_PARENT=GETTING_STARTED # Layer 4 (base): Getting-started PingFederate profile - SERVER_PROFILE_GETTING_STARTED_URL=https://github.com/pingidentity/pingidentity-server-profiles.git - SERVER_PROFILE_GETTING_STARTED_PATH=getting-started/pingfederate ports: - 9031:9031 - 9999:9999 networks: - pingnet networks: pingnet: ``` -------------------------------- ### PingDirectory Environment Variables Source: https://context7.com/pingidentity/pingidentity-server-profiles/llms.txt Configures environment variables for PingDirectory, including public hostnames and ports. These variables can be overridden by the orchestration layer. ```bash # baseline/pingdirectory/env_vars export PD_DELEGATOR_PUBLIC_HOSTNAME=${PD_DELEGATOR_PUBLIC_HOSTNAME:=localhost} export PF_ENGINE_PUBLIC_HOSTNAME=${PF_ENGINE_PUBLIC_HOSTNAME:=localhost} export PF_ENGINE_PUBLIC_PORT_HTTPS=${PF_ENGINE_PUBLIC_PORT_HTTPS:=9031} export CERTIFICATE_NICKNAME=${CERTIFICATE_NICKNAME:=ping} ``` -------------------------------- ### PingAccess Docker Compose for Clustering Source: https://context7.com/pingidentity/pingidentity-server-profiles/llms.txt This Docker Compose configuration sets up a clustered PingAccess environment. It defines services for the PingAccess console and engine, specifying image versions, environment variables for profile configuration, and network settings. ```yaml version: "3.1" services: pingaccess: image: pingidentity/pingaccess:edge healthcheck: test: ["CMD-SHELL", "curl -s -u administrator:2FederateM0re -H \"X-XSRF-Header: PingAccess\" -k https://localhost:9000/pa-admin-api/v3/sites | jq -e '.items[0].name'"] interval: 10s timeout: 3s environment: - SERVER_PROFILE_URL=https://github.com/pingidentity/pingidentity-server-profiles.git - SERVER_PROFILE_PATH=pa-clustering/pingaccess - OPERATIONAL_MODE=CLUSTERED_CONSOLE - PA_CONSOLE_HOST=pingaccess - INITIAL_ADMIN_PASSWORD=2FederateM0re env_file: - ~/.pingidentity/config ports: - 9000:9000 networks: - pingnet cap_add: - NET_ADMIN pingaccess-engine: image: pingidentity/pingaccess:edge command: wait-for pingaccess:9000 -t 420 -- entrypoint.sh start-server environment: - SERVER_PROFILE_URL=https://github.com/pingidentity/pingidentity-server-profiles.git - SERVER_PROFILE_PATH=pa-clustering/pingaccess - OPERATIONAL_MODE=CLUSTERED_ENGINE - PA_CONSOLE_HOST=pingaccess - INITIAL_ADMIN_PASSWORD=2FederateM0re ports: - 3000:3000 networks: - pingnet networks: pingnet: ``` -------------------------------- ### Iterate and Display Scope Descriptions Source: https://github.com/pingidentity/pingidentity-server-profiles/blob/master/oauthplayground-ciba/pingfederate/instance/server/default/conf/template/request.approval.page.html Loops through a map of scope descriptions and displays each escaped description. ```HTML/JSP #foreach( $scopeEntry in $scopeDescriptions.entrySet() ) $escape.escape($scopeEntry.getValue()) #end ``` -------------------------------- ### Submit Approval Response (Allow) Source: https://github.com/pingidentity/pingidentity-server-profiles/blob/master/oauthplayground-ciba/pingfederate/instance/server/default/conf/template/request.approval.page.html JavaScript function to set the form action to the allow URL and submit the form, processing the user's approval. ```JavaScript function postResponseAllow() { document.forms[0].action = $allowAction; document.forms[0].submit(); } ``` -------------------------------- ### Display Dynamic Page Title Source: https://github.com/pingidentity/pingidentity-server-profiles/blob/master/oauthplayground-ciba/pingfederate/instance/server/default/conf/template/request.approval.page.html Retrieves and displays the page title using a message key from the template messages. ```HTML/JSP $pluginTemplateMessages.getMessage("title") ``` -------------------------------- ### Create Base DN Tree with ACI Grants Source: https://context7.com/pingidentity/pingidentity-server-profiles/llms.txt Defines the base DN structure for PingDirectory, including organizational units for people, groups, and OAuth clients. It also sets Access Control Instructions (ACIs) to grant specific permissions to PingFederate and other services. ```ldif dn: ${USER_BASE_DN} objectClass: top objectClass: ${BASE_CLASS} ${BASE_ATTRIBUTE}: ${BASE_VALUE} aci: (targetattr="userPassword")(version 3.0; acl "Allow users to update their own password"; allow (write) userdn="ldap:///self";) aci: (version 3.0; acl "PingFed Proxy Access"; allow(proxy) userdn="ldap:///cn=pingfederate,cn=root dns,cn=config";) aci: (targetattr!="userPassword")(version 3.0; acl "Allow the pingfederate user to do everything in this branch"; allow(all) userdn="ldap:///cn=pingfederate,cn=root dns,cn=config";) dn: ou=people,${USER_BASE_DN} objectClass: top objectClass: organizationalUnit ou: People dn: ou=groups,${USER_BASE_DN} objectClass: top objectClass: organizationalUnit ou: groups dn: ou=oauthClients,${USER_BASE_DN} aci: (targetattr="*")(version 3.0; acl "Allow the pingfederate user to do everything in this branch"; allow(all) userdn="ldap:///cn=pingfederate,cn=root dns,cn=config";) objectClass: top objectClass: organizationalUnit ou: oauthClients ``` -------------------------------- ### Configure PingDataConsole SSO with PingOne Source: https://context7.com/pingidentity/pingidentity-server-profiles/llms.txt This configuration enables OIDC-based SSO from PingOne to PingDataConsole. Ensure PingDataConsole and PingDirectory are version 8.2.0.0 or later. The issuer URI must match your PingOne application's issuer. ```yaml # Environment variables required for PingDataConsole SSO services: pingdataconsole: image: pingidentity/pingdataconsole:${PING_IDENTITY_DEVOPS_TAG} environment: - SERVER_PROFILE_URL=https://github.com/pingidentity/pingidentity-server-profiles.git - SERVER_PROFILE_PATH=pingdataconsole-sso/pingdataconsole # SSO configuration — values come from your PingOne application - PD_CONSOLE_SSO_ENABLED=true - PD_CONSOLE_SSO_ISSUER_URI=https://auth.pingone.com/{envId}/as - PD_CONSOLE_SSO_CLIENT_ID= - PD_CONSOLE_SSO_CLIENT_SECRET= pingdirectory: image: pingidentity/pingdirectory:${PING_IDENTITY_DEVOPS_TAG} environment: - SERVER_PROFILE_URL=https://github.com/pingidentity/pingidentity-server-profiles.git - SERVER_PROFILE_PATH=pingdataconsole-sso/pingdirectory # Issuer must match the PingOne application issuer - PD_CONSOLE_SSO_ISSUER_URI=https://auth.pingone.com/{envId}/as ``` -------------------------------- ### Display Info Message with Client ID Source: https://github.com/pingidentity/pingidentity-server-profiles/blob/master/oauthplayground-ciba/pingfederate/instance/server/default/conf/template/request.approval.page.html Displays an informational message, including the escaped client ID, using a specific message key. ```HTML/JSP $pluginTemplateMessages.getMessage("", "info.1", $escape.escape($client_id)) ``` -------------------------------- ### Configure Telegraf to Scrape PingFederate JMX Metrics Source: https://context7.com/pingidentity/pingidentity-server-profiles/llms.txt This Telegraf configuration scrapes JMX metrics from PingFederate via Jolokia on port 9031. It is designed to forward metrics to a time-series database. ```toml # monitoring/pingfederate/telegraf/etc/telegraf/telegraf.conf.subst # Telegraf scrapes Jolokia on port 9031 for PingFederate JMX metrics [agent] interval = "1s" flush_interval = "10s" [[inputs.jolokia2_agent]] urls = ["http://localhost:9031/jolokia"] response_timeout = "3s" [[inputs.jolokia2_agent.metric]] name = "java_memory" mbean = "java.lang:type=Memory" paths = ["HeapMemoryUsage", "NonHeapMemoryUsage"] [[inputs.jolokia2_agent.metric]] name = "pingfederate" mbean = "pingfederate:type=*" paths = ["Count"] [[inputs.jolokia2_agent.metric]] name = "jetty_connector_stats" mbean = "org.eclipse.jetty.server:context=*,id=*,type=connectorstatistics" paths = ["bytesIn", "bytesOut", "connections", "connectionsOpen", "messagesOutPerSecond"] ``` -------------------------------- ### Submit Approval Response (Deny) Source: https://github.com/pingidentity/pingidentity-server-profiles/blob/master/oauthplayground-ciba/pingfederate/instance/server/default/conf/template/request.approval.page.html JavaScript function to set the form action to the deny URL and submit the form, processing the user's denial. ```JavaScript function postResponseDeny() { document.forms[0].action = $denyAction; document.forms[0].submit(); } ``` -------------------------------- ### Prevent Clickjacking with X-Frame-Options Header Source: https://github.com/pingidentity/pingidentity-server-profiles/blob/master/oauthplayground-ciba/pingfederate/instance/server/default/conf/template/request.approval.page.html Sets the X-Frame-Options header to DENY to prevent the browser from rendering this page within a frame, mitigating Clickjacking attacks. ```HTML/JSP $HttpServletResponse.setHeader("X-Frame-Options", "DENY") ``` -------------------------------- ### Display Global Footer Message Source: https://github.com/pingidentity/pingidentity-server-profiles/blob/master/oauthplayground-ciba/pingfederate/instance/server/default/conf/template/request.approval.page.html Displays a global footer message defined in the template messages. ```HTML/JSP $pluginTemplateMessages.getMessage("global.footerMessage") ``` -------------------------------- ### PingFederate DNS_PING Clustering Docker Compose Source: https://context7.com/pingidentity/pingidentity-server-profiles/llms.txt This Docker Compose snippet configures PingFederate for DNS_PING clustering, suitable for PingFederate 10+. It layers the clustering profile on top of a baseline profile and specifies environment variables for operational mode and DNS query location. ```yaml services: pingfederate-admin: image: pingidentity/pingfederate:${PING_IDENTITY_DEVOPS_TAG} environment: - SERVER_PROFILE_URL=https://github.com/pingidentity/pingidentity-server-profiles.git - SERVER_PROFILE_PATH=pf-dns-ping-clustering/pingfederate - SERVER_PROFILE_PARENT=BASELINE - SERVER_PROFILE_BASELINE_URL=https://github.com/pingidentity/pingidentity-server-profiles.git - SERVER_PROFILE_BASELINE_PATH=baseline/pingfederate - OPERATIONAL_MODE=CLUSTERED_CONSOLE - DNS_QUERY_LOCATION=pingfederate-admin pingfederate-engine: image: pingidentity/pingfederate:${PING_IDENTITY_DEVOPS_TAG} environment: - SERVER_PROFILE_URL=https://github.com/pingidentity/pingidentity-server-profiles.git - SERVER_PROFILE_PATH=pf-dns-ping-clustering/pingfederate - SERVER_PROFILE_PARENT=BASELINE - SERVER_PROFILE_BASELINE_URL=https://github.com/pingidentity/pingidentity-server-profiles.git - SERVER_PROFILE_BASELINE_PATH=baseline/pingfederate - OPERATIONAL_MODE=CLUSTERED_ENGINE - DNS_QUERY_LOCATION=pingfederate-admin ``` -------------------------------- ### Display Escaped Client ID Source: https://github.com/pingidentity/pingidentity-server-profiles/blob/master/oauthplayground-ciba/pingfederate/instance/server/default/conf/template/request.approval.page.html Displays the client ID after escaping it to prevent cross-site scripting vulnerabilities. ```HTML/JSP $escape.escape($client_id) ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.