Orchestration SDKs

Step 2. Configure connection properties

PingAM iOS

In this step, you configure the "swiftui-oidc-module" app to connect to the OAuth 2.0 application you created in PingAM, and display the login UI of the server.

  1. In Xcode, on the File menu, click Open.

  2. Navigate to the sdk-sample-apps folder you cloned in the previous step, navigate to iOS > swiftui-oidc-module, select OidcExample.xcodeproj, and then click Open.

  3. In the Project Navigator pane, navigate to OidcExample > OidcExample > ViewModels, and open the OidcLoginViewModel file.

  4. Locate the OidcWebClient.createOidcWebClient method and update it with the values from your PingAM tenant.

    The function is commented with //TODO: in the source to make it easier to locate. 
    public let oidcLogin = OidcWebClient.createOidcWebClient { config in
    //TODO: Provide here the Server configuration.
    config.browserMode = .login
    config.browserType = .authSession
    config.logger = LogManager.standard

    config.module(PingOidc.OidcModule.config) { oidcValue in
        oidcValue.clientId = "sdkPublicClient"
        oidcValue.scopes = Set(["openid", "email", "address", "profile"])
        oidcValue.redirectUri = "com.example.demo://oauth2redirect"
        oidcValue.discoveryEndpoint = "https://openam.example.com:8443/openam/oauth2/realms/root/.well-known/openid-configuration"
        // Optional: Add ACR values if required by your authentication flow
        // oidcValue.acrValues = "ACR_VALUE"
    }
}
    clientId

    The client ID from your OAuth 2.0 application in PingAM.

    For example, sdkPublicClient

    scopes

    The scopes you added to your OAuth 2.0 application in PingAM.

    For example, "openid", "email", "address", "profile"

    redirectUri

    The redirect_uri to return to after logging in with the server UI, for example the URI to your client app.

    This value must exactly match a value configured in your OAuth 2.0 client.

    For example, com.example.demo://oauth2redirect.

    discoveryEndpoint

    The .well-known endpoint from your PingAM tenant.

    How do I find my PingAM .well-known URL?

    To form the .well-known URL for an PingAM server, concatenate the following information into a single URL:

    1. The base URL of the PingAM component of your deployment, including the port number and deployment path.

      For example, https://openam.example.com:8443/openam

    2. The string /oauth2

    3. The hierarchy of the realm that contains the OAuth 2.0 client.

      You must specify the entire hierarchy of the realm, starting at the Top Level Realm. Prefix each realm in the hierarchy with the realms/ keyword.

      For example, /realms/root/realms/customers

      If you omit the realm hierarchy, the top level ROOT realm is used by default.

    4. The string /.well-known/openid-configuration

    For example, https://openam.example.com:8443/openam/oauth2/realms/root/.well-known/openid-configuration

    For example, https://openam.example.com:8443/openam/oauth2/realms/root/.well-known/openid-configuration

    Optionally, customize the following properties:

    browserType

    You can specify what type of browser the client iOS device opens to handle centralized login.

    Each browser has slightly different characteristics, which make them suitable to different scenarios, as outlined in this table:

    Browser type Characteristics

    .authSession

    Opens a web authentication session browser.

    Designed specifically for authentication sessions, however it prompts the user before opening the browser with a modal that asks them to confirm the domain is allowed to authenticate them.

    This is the default option in the Orchestration SDK for iOS.

    .ephemeralAuthSession

    Opens a web authentication session browser, but enables the prefersEphemeralWebBrowserSession parameter.

    This browser type does not prompt the user before opening the browser with a modal.

    The difference between this and .authSession is that the browser does not include any existing data such as cookies in the request, and also discards any data obtained during the browser session, including any session tokens.

    When is ephemeralAuthSession suitable:

    • ephemeralAuthSession is not suitable when you require single sign-on (SSO) between your iOS apps, as the browser will not maintain session tokens.

    • ephemeralAuthSession is not suitable when you require a session token to log a user out of the server, for example for logging out of PingOne, as the browser will not maintain session tokens.

    • Use ephemeralAuthSession when you do not want the user’s existing sessions to affect the authentication.

    .nativeBrowserApp

    Opens the installed browser that is marked as the default by the user. Often Safari.

    The browser opens without any interaction from the user. However, the browser does display a modal when returning to your application.

    .sfViewController

    Opens a Safari view controller browser.

    Your client app is not able to interact with the pages in the sfViewController or access the data or browsing history.

    The view controller opens within your app without any interaction from the user. As the user does not leave your app, the view controller does not need to display a warning modal when authentication is complete and control returns to your application.
    acrValues

    Enter one or more of the ACR mapping keys as configured in the OAuth 2.0 provider service.

    You can list the available keys by inspecting the acr_values_supported property in the output of your /oauth2/.well-known/openid-configuration endpoint.

  5. Save your changes.