This documentation is related to Chainguard Enforce. You can request access to the product by selecting Chainguard Enforce on the inquiry form.
The Chainguard platform supports Single sign-on (SSO) authentication for users. By default, users can log in with GitHub, GitLab and Google, but SSO support allows users to bring their own identity provider for authentication.
This guide outlines how to create a Ping Identity Application and integrate it with Chainguard Enforce. After completing this guide, you’ll be able to log in to Chainguard Enforce using Ping and will no longer be limited to the default SSO options.
To complete this guide, you will need the following.
chainctl
To integrate the Ping identity provider with the Chainguard platform, sign on to Ping Identity and navigate to the Dashboard. Click on the Connections tab in the left-hand sidebar menu, and then click on Applications in the resulting dropdown menu. From the Applications landing page, click the plus sign (➕) to set up a new application.
Configure the application as follows:
After setting these details, click the Save button.
Next, configure scopes for the application. In the Overview tab, click the Resource Access scope button.
Add email and profile scopes, then save.
Next, configure the OIDC application. Navigate to the Configuration tab and click the “edit” icon.
To configure the application, add the following settings.
Warning: Setting a grant type other than Authorization Code may compromise your security posture.
https://issuer.enforce.dev/oauth/callback
Click the Save button to save your configuration.
Finally, enable the Chainguard application by toggling the knob in the top right corner.
This completes configuration of the Ping application. You’re now ready to configure the Chainguard platform to use it.
To configure Chainguard, make a note of the following settings from your Ping application. These can be found in the Ping console under the Configuration tab of the Application page.
Next, log in to Chainguard with chainctl, using an OIDC provider like Google, GitHub, or GitLab to bootstrap your account.
chainctl auth login
Note that this bootstrap account can be used as a backup account (that is, an account you can use to log in if you ever lose access to your primary account). However, if you prefer to remove this rolebinding after configuring the custom IDP, you may also do so.
Lastly, create a new identity provider using the Ping application details you noted previously.
export NAME=ping-id
export CLIENT_ID=<your client id here>
export CLIENT_SECRET=<your client secret here>
export ISSUER=<your issuer url here>
chainctl iam identity-provider create \
  --configuration-type=OIDC \
  --oidc-client-id=${CLIENT_ID} \
  --oidc-client-secret=${CLIENT_SECRET} \
  --oidc-issuer=${ISSUER} \
  --oidc-additional-scopes=email \
  --oidc-additional-scopes=profile \
  --name=${NAME}
You’ll be prompted to select a Chainguard IAM group under which to install your identity provider. Your selection won’t affect how your users authenticate, but it does determine who has permission to modify the SSO configuration. For more information, check out the IAM and Security section of our Introduction to Custom Identity Providers in Chainguard.
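A pre-flight check you can run before the `chainctl iam identity-provider create` command above, added here as an example (it is not part of Chainguard's documentation or tooling): it inspects the issuer's OIDC discovery document for an exact issuer match, Authorization Code support, and the email and profile scopes. It assumes the issuer publishes standard discovery metadata at `/.well-known/openid-configuration`; the issuer URL and document in the sample are constructed placeholders.

```python
"""Pre-flight check of an OIDC issuer's discovery metadata (added example)."""
import json
import urllib.request
from urllib.parse import urlsplit

# email and profile mirror the --oidc-additional-scopes flags; openid is the OIDC base scope.
REQUIRED_SCOPES = {"openid", "email", "profile"}

def fetch_discovery(issuer):
    """Download the discovery document from the standard well-known path."""
    if urlsplit(issuer).scheme != "https":
        raise ValueError("issuer must be an https URL")
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)

def check_discovery(issuer, doc):
    """Return a list of problems; an empty list means the metadata looks usable."""
    problems = []
    if urlsplit(issuer).scheme != "https":
        problems.append("issuer is not an https URL")
    # OIDC Discovery requires the document's issuer to equal the configured one
    # exactly; a trailing slash or wrong path later fails ID token validation.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: document says {doc.get('issuer')!r}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' (Authorization Code) not advertised")
    # Per the spec, an omitted grant_types_supported means authorization_code + implicit.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("authorization_code grant not advertised")
    # scopes_supported is optional metadata, so only check it when present.
    if "scopes_supported" in doc:
        missing = REQUIRED_SCOPES - set(doc["scopes_supported"])
        if missing:
            problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    return problems

# Constructed sample issuer and document (placeholders, not real Ping values).
SAMPLE_ISSUER = "https://idp.example.com/as"
SAMPLE_DOC = {
    "issuer": "https://idp.example.com/as",
    "response_types_supported": ["code", "id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "scopes_supported": ["openid", "profile", "email", "address"],
}

if __name__ == "__main__":
    for line in check_discovery(SAMPLE_ISSUER, SAMPLE_DOC) or ["ok"]:
        print(line)
```

Against a live provider, pass the value you export as `ISSUER` to `fetch_discovery()` and feed the result to `check_discovery()`.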