Promoting SAML applications
You can promote the SAML applications assigned to you.
Before you begin
Prepare to provide the following:
-
Entity ID: used to uniquely identify the application and obtained from the service provider ACS URL, the application’s URL to which SAML assertions from the identity provider will be sent after user authentication occurs.
-
ACS URL(s): the application’s URL to which SAML assertions from the identity provider will be sent after user authentication occurs.
-
SLO Service URL(s): the application’s URL utilized for single logout (SLO) functionality.
-
SP certificates: if the template you select is based on a PingFederate connection that requires a certificate.
-
An assertion encryption certificate: required if encryption is enabled for the connection.
Steps
-
To promote the application to an environment, click the Expand icon associated with the application, select the Promote tab, and click Promote.
If an environment is offline or if a PingCentral administrator has set the environment status to Disabled, you will be unable to promote the application to a disabled or offline environment.
-
In the Available Environments list, select the environment to which you want to promote the application.
If you have the Application Owner role, you cannot promote applications to protected environments, which have shield icons associated with them.
-
In the Entity ID, ACS URL, and SLO Service URL fields, enter the appropriate information.
If you provided a metadata file when you added your application to PingCentral, the Promote to Environment window is prepopulated with the information from the other SAML application. You can modify this information as necessary.
-
In the Signing Certificate list, select the appropriate certificate:
-
If the PingFederate environment contains signing certificates, those certificates display in the list.
-
The signing certificate added to the environment when it was created or last updated displays as the Environment Default certificate.
-
If signing certificates are not available in the PingFederate environment and an environment default certificate isn’t available, or if an environment default certificate is available but expired, the Automatically generate certificate option displays in the list.
If you used signing certificates that were automatically generated to promote applications in PingCentral 1.7 or earlier, and you want to promote those applications to the same environments, you need to locate the signing certificates. Search for a signing certificate with a subject DN that matches the name of the application and select it as the signing certificate.
-
-
Upload SP certificates, if required.
SP certificates are required for PingFederate SP connections when:
-
Either of the single logout (SLO) options, IdP-Initiated-SLO or SP-Initiated-SLO, are selected as the SAML profile.
-
Digital signatures are required, and the Signature Policy is set to the Require authn requests to be signed when received via the POST or redirect bindings option.
-
Inbound backchannel authentication is configured. For more information, see the following topics in the PingFederate Server Guide:
-
-
If encryption is enabled for the connection, click in the Assertion Encryption Certificate field. Select an assertion encryption certificate used for a previous promotion in the list or provide a new one.
Only whole encryption is currently supported, so if a connection has attributes specified for encryption, the promotion will fail.
-
Optional: If curly brackets display in the upper right corner of the window, you can customize the raw JSON yourself.
-
Click the curly brackets.
Result:
The raw JSON displays in the window.
-
Update the JSON to meet your needs. This information is validated as you make updates to help prevent mistakes.
-
Click Promote.
-
-
Verify that the information displayed in the Promote to Environment window is correct and click Promote.
Result:
PingCentral promotes your application to the designated environment in PingFederate. The new promotion shows in theHistory section of the page. If the signature verification certificate used during promotion is available in the PingFederate environment, that certificate is used. If not, a new certificate is created.
-
To configure a single sign-on (SSO) connection, provide the application Entity ID and the SSO endpoint URL to your service provider.
To locate the SSO endpoint URL, click the View Connections Detail link associated with the promotion. The URL displays on the Promotion Details window.