PingOne for Enterprise

Connect to ADFS

PingOne uses the SAML protocol to connect to Microsoft Active Directory Federation Services (ADFS).

About this task

To configure the identity repository side of the connection, you will need to supply the PingOne SAML connection settings to your ADFS administrator. To configure the PingOne side of the connection, the ADFS administrator will need to supply you with the ADFS SAML connection settings. We recommend using metadata files to update these settings, although you can configure the settings manually.

Steps

  1. Go to Setup → Identity Repository, click Connect to an Identity Repository, and select Microsoft ADFS.

  2. Click Next.

  3. From the Choose Signing Certificate list, select the signing certificate for PingOne to use to sign SAML assertions sent to ADFS.

  4. Click Download PingOne Metadata.

    The PingOne metadata includes all of the necessary PingOne connection information, including the encryption certificate and the primary and renewal certificates.

  5. Click Next.

  6. Assign the ADFS SAML connection settings in PingOne:

    Choose from:

    • Click the Import Your ADFS SAML Connection Metadata button. Click either Select File or Use URL.

      The SAML parameters required for the PingOne side of the connection will be automatically assigned based on the settings in the metadata.

      The SAML connection metadata must be in UTF-8 format without a byte order mark (BOM).

    • Manually enter the values for these SAML connection settings used by ADFS:

      Entity ID

      Uniquely identifies the identity bridge to PingOne. This identifier is used in the Issuer element of the SAML assertion sent to us by the identity bridge.

      To avoid possible identifier conflicts with the idpid, the Entity ID must be unique, unless you’re assigning the Entity ID value for a private, managed application (an application that is supplied and configured by a PingOne for Enterprise administrator rather than by an SP).

      SSO Endpoint

      The endpoint at your identity bridge to which PingOne sends AuthnRequests (using the Redirect method you assigned to the Request Binding attribute for your identity bridge).

      Verification Certificate

      The public verification certificate for your identity bridge. PingOne will use this certificate on your behalf to sign SAML assertions. Ensure that your IdP imports and recognizes this verification certificate.

      Secondary Verification Certificate

      A second certificate for us to use to sign SAML assertions on your behalf if verification fails when using your primary certificate. Ensure that your IdP imports and recognizes this verification certificate.

      Single Logout Endpoint

      (Optional) The endpoint (URL) configured for the identity bridge to which PingOne sends SAML single logout (SLO) requests. The SLO process uses the binding you choose for the Single Logout Binding Type attribute.

      Single Logout Response Endpoint (IdP)

      (Optional) The endpoint (URL) configured for the identity bridge to which PingOne sends single logout (SLO) responses. If you do not assign a value here, Single Logout Endpoint is also used as the response endpoint. The SLO process uses the binding you choose for the Single Logout Binding Type attribute.

      Single Logout Binding Type

      The binding type determines how the SAML protocol uses another protocol (in this case, HTTP) to transport messages. The SAML single logout (SLO) process can use either the POST or the Redirect method.

  7. Click Next.

  8. For each PingOne attribute, enter or select an ADFS attribute to map it to.

    For any of the attribute mappings, you can choose to configure an advanced mapping. See Creating advanced attribute mappings for instructions.

    This assignment maps identity provider attributes to the default attributes used by the PingOne dock. This attribute mapping is not used by applications that you add to PingOne. Application attributes are mapped in each application.

    Troubleshooting:

    Mapping the PingOne email attribute to a custom ADFS attribute called Email can cause ADFS to send improperly formatted SAML assertions. When mapping the ADFS claim attribute E-mail Addresses, use the default ADFS claim attribute E-mail Address instead.

  9. Click Save.
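As an added example that is not part of the PingOne documentation, the following Python script checks an exported ADFS metadata file against the constraints from step 6 (UTF-8 without a BOM, an HTTP-Redirect SSO endpoint, at least one signing certificate) and pulls out the values you would otherwise enter manually. The metadata sample, the adfs.example.test host and the certificate placeholder are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample of the ADFS federation metadata parts PingOne reads (placeholder cert).
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>MIIC...PLACEHOLDER...</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def extract_settings(raw: bytes) -> dict:
    """Map IdP metadata to the step 6 settings; raise ValueError if PingOne could not use it."""
    # PingOne requires UTF-8 without a byte order mark: check the raw bytes before parsing.
    if raw.startswith(b"\xef\xbb\xbf"):
        raise ValueError("metadata starts with a UTF-8 BOM; remove it before importing")
    raw.decode("utf-8")  # UnicodeDecodeError if the file is not valid UTF-8
    root = ET.fromstring(raw)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not SAML 2.0 IdP metadata (need EntityDescriptor/IDPSSODescriptor)")
    # PingOne sends AuthnRequests with the Redirect binding, so that SSO endpoint must exist.
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    if REDIRECT not in sso:
        raise ValueError("no HTTP-Redirect SingleSignOnService endpoint")
    # KeyDescriptor with use="signing" (or no use attribute) carries the verification certs.
    certs = [c.text.strip() for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use", "signing") == "signing"
             for c in k.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("no signing certificate: PingOne could not verify assertions")
    # Single logout is optional; ResponseLocation falls back to Location, as the page states.
    slo = {s.get("Binding"): (s.get("Location"), s.get("ResponseLocation") or s.get("Location"))
           for s in idp.findall("md:SingleLogoutService", NS)}
    return {"entity_id": root.get("entityID"), "sso_endpoint": sso[REDIRECT],
            "verification_certificate": certs[0],
            "secondary_verification_certificate": certs[1] if len(certs) > 1 else None,
            "single_logout": slo}
```

Run it against the file exported from ADFS before choosing Select File in step 6; a ValueError tells you what the import would reject, and the returned dictionary gives the values for the manual path.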

Result

When you return to Setup → Identity Repository, a summary of the settings for your ADFS identity bridge is displayed. You can click Edit to modify the settings. You can also copy the PingOne Metadata URL and use it to keep your IdP configuration updated with PingOne metadata.