Add ROPC related setup to PingFederate with Active Directory guide (#64)

Add ROPC related setup to PingFederate with Active Directory guide --------- Co-authored-by: goodroot <[email protected]>
questdb · Oct 16, 2024 · 66f1f0f · 66f1f0f
1 parent 8085bca
commit 66f1f0f
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 4 deletions.
diff --git a/guides/active-directory-pingfederate.md b/guides/active-directory-pingfederate.md
@@ -321,15 +321,46 @@ The value is `memberOf`.
   jumbo={true}
 />
 
-## Confirm QuestDB Mappings, login
+## Enable Resource Owner Password Credentials (ROPC) flow
+
+As described in the
+[OIDC operations document](/docs/operations/openid-connect-oidc-integration/#enable-ropc)
+tools - such as `psql` - can be integrated with the OIDC provider using the ROPC flow.
+
+When setting this flow up, enable the Resource Owner Password Credentials flow in the
+client settings:
+
+<Screenshot
+  alt="PingFederate, enable ROPC for the client"
+  src="/img/guides/active-directory/21.webp"
+  title="Click to zoom"
+  jumbo={true}
+/>
+
+Next, create a Resource Owner Credentials Grant Mapping to map values obtained from
+the Password Credential Validator (PCV) into the persistent grants.
+
+When setting this up, select the previously created LDAP Data Source and IdP Adapter, which links
+to the existing PCV.
+
+Then select the `username` attribute of the PCV as `USER_KEY`:
+
+<Screenshot
+alt="PingFederate, ROPC grant mappings"
+src="/img/guides/active-directory/22.webp"
+title="Click to zoom"
+jumbo={true}
+/>
+
+## Confirm QuestDB mappings and login
 
 QuestDB requires a mapping, as laid out in the
 [OIDC operations document](/docs/operations/openid-connect-oidc-integration/#mapping-user-permissions).
 
 If a given user has the HTTP permission, they will be able to now login via the
 [Web Console](/docs/web-console/).
 
-Head to [http://localhost:9000](http://localhost:9000) and login, to test.
+To test, head to [http://localhost:9000](http://localhost:9000) and login.
 
 If all has been wired up well, then login will succeed.
 

diff --git a/operations/openid-connect-oidc-integration.mdx b/operations/openid-connect-oidc-integration.mdx
@@ -3,7 +3,7 @@ title: OpenID Connect (OIDC) Integration
 description: ""
 ---
 
-import Screenshot from "@theme/Screenshot"
+import Screenshot from "@theme/Screenshot";
 
 OpenID Connect (OIDC) integrates with Identity Providers (IdP) external to
 QuestDB.
@@ -438,7 +438,7 @@ with request.urlopen(req) as f:
     access_token = resp["access_token"]
 ```
 
-#### Enable ROPC in QuestDB
+#### Enable ROPC
 
 The Resource Owner Password Credentials flow can be enabled in QuestDB within
 `server.conf`:
@@ -447,6 +447,10 @@ The Resource Owner Password Credentials flow can be enabled in QuestDB within
 acl.oidc.ropc.flow.enabled = true
 ```
 
+> Note that the flow also has to be configured in the OAuth2/OIDC provider.
+> See an example using
+> [PingFederate with Active Directory](/docs/guides/active-directory-pingfederate/#enable-resource-owner-password-credentials-ropc-flow).
+
 Now we can use Basic Authentication to simplify our code. We send the
 credentials to QuestDB, and the database will validate the credentials against
 the OAuth2 provider.