Configuring SAML SSO with UltiPro and PingFederate
Learn how to enable UltiPro sign-on from the PingFederate console (IdP-initiated sign-on) and direct UltiPro sign-on using PingFederate (SP-initiated sign-on).
Before you begin
- Configure PingFederate to authenticate against an IdP or datastore containing the users requiring application access.
- Populate UltiPro with at least one user to test access.
- You must have administrative access to PingFederate.
Create a PingFederate SP connection for UltiPro
- Sign on to the PingFederate administrative console.
- Create an SP connection for UltiPro in PingFederate:
  - Configure using Browser SSO profile SAML 2.0.
  - Set Partner’s Entity ID to placeholder. You’ll change this later.
  - Enable the following SAML Profiles:
    - IdP-Initiated SSO
    - SP-Initiated SSO
  - In Assertion Creation: Authentication Source Mapping: Attribute Contract Fulfillment, map the SAML_SUBJECT.
  - In Protocol Settings: Assertion Consumer Service URL, set Binding to POST, and set Endpoint URL to https://placeholder. You’ll change the Endpoint URL later.
  - In Protocol Settings: Allowable SAML Bindings, enable POST.
  - In Credentials: Digital Signature Settings, select the PingFederate signing certificate.
- Export the metadata for the newly created UltiPro SP connection.
- Export the signing certificate.
Add the PingFederate connection to UltiPro
- Contact UltiPro Customer Support and request that SAML 2 be enabled for your organization.
- Provide them with the downloaded PingFederate signing certificate and metadata.
- Request their ACS URL and EntityID values.
Update the ACS URL values in PingFederate
- Sign on to the PingFederate administrative console.
- Edit the SP connection for UltiPro.
- Set Partner’s Entity ID to the UltiPro Entity ID value.
- In Protocol Settings: Assertion Consumer Service URL, set Endpoint URL to the UltiPro Assertion Consumer Service URL value.
- Save the changes.