Connecting to a custom SAML provider
Any federated identity management service that supports SAML 2.0 can operate as a PingOne for Enterprise identity bridge.
About this task
You give the PingOne for Enterprise connection details to the identity provider (IdP) administrator, who configures the identity repository side of the connection, and you use the SAML connection settings that administrator supplies to configure the PingOne for Enterprise side.
On both sides, you can enter the values manually or upload a metadata file that carries them.
Steps
- In PingOne for Enterprise, select the public signing certificate for your identity bridge. Choose from:
  - Primary Certificate: When you select the primary certificate, the PingOne for Enterprise metadata for download contains both the primary and the renewal certificates.
  - Renewal Certificate: When you select the renewal certificate, the PingOne for Enterprise metadata for download contains only the renewal certificate. A renewal certificate is available only during the thirty days before the primary certificate expires.
  PingOne for Enterprise uses the private key behind this certificate to sign, on your behalf, the SAML requests (AuthnRequests and single logout requests) it sends to your IdP; the IdP verifies those signatures with the certificate it imports from the metadata. Because the metadata for the primary certificate also carries the renewal certificate, an IdP that imports it before the primary certificate expires keeps verifying signatures across the rotation.
- If you’re configuring the identity bridge to support connections to multiple PingOne for Enterprise accounts, select Enable Account-Specific Entity ID.
  In some cases, your organization may want one identity bridge to serve several PingOne for Enterprise accounts. A typical scenario is an organization that needs distinct connections for a number of divisions or subsidiaries. PingOne for Enterprise supports such multiple connections through the identity bridge setup option Enable account-specific Entity IDs. Choosing this option creates a unique Entity ID based on your PingOne for Enterprise account (Company ID). This custom Entity ID is written to the PingOne for Enterprise metadata file that you download for import to your identity bridge.
  When you change an existing Entity ID for a PingOne for Enterprise identity repository, make sure the same value is changed on the IdP. Otherwise the IdP no longer recognizes the issuer of the requests it receives and SSO is disrupted.
  To use account-specific IDs for multiple connections to a single identity bridge instance, your identity bridge needs to support the PingFederate concept of "virtual server IDs": an identity bridge feature that aliases Entity IDs (connection IDs) so that one connection can serve multiple service providers (SPs). With account-specific IDs, PingOne for Enterprise effectively presents itself as multiple SPs.
- A default Entity ID is displayed. You can accept the default value, which PingOne for Enterprise generates uniquely, or click the edit icon to enter your own Entity ID value.
  The Entity ID you enter is validated to ensure that it is unique in PingOne for Enterprise.
- Optional: Select Sign the AuthnRequest from PingOne to have PingOne for Enterprise sign connection requests on your behalf.
  PingOne for Enterprise signs the request with the signing certificate you selected in the first step; your IdP verifies the signature with the PingOne for Enterprise certificate it imported from the metadata. The signature only protects you if the IdP is configured to require signed AuthnRequests: an IdP that still accepts unsigned requests gains nothing from this setting.
  When checked, AuthnRequestsSigned="true" is added to the PingOne for Enterprise metadata for download. When unchecked, AuthnRequestsSigned="false" is added.
- In the Signing Algorithm list, select the algorithm used to sign both authentication and single logout (SLO) requests.
  If you’re setting up a new identity bridge, the signing algorithm defaults to the recommended SHA-256.
  If you have an existing identity bridge configuration, SHA-1 may be displayed as the default signing algorithm. We recommend you change it to SHA-256; SHA-1 is deprecated for digital signatures.
- Assign the PingOne for Enterprise connection settings in your IdP. Choose from:
  - Download the PingOne metadata for import to your IdP: All of the necessary PingOne for Enterprise connection information is contained in the metadata.
    The PingOne for Enterprise metadata includes the encryption certificate and either the primary and renewal signing certificates or, if you selected Renewal Certificate as the public signing certificate, only the renewal certificate.
  - Enter the PingOne for Enterprise connection information manually in your IdP. The following SAML parameters are required for assignment at your identity bridge. You might want to download the PingOne for Enterprise metadata and reference the settings in the metadata file when assigning them.
    - PingOne Entity ID: A globally unique name identifying PingOne for Enterprise as a SAML entity.
    - Assertion Consumer Service URL: The Assertion Consumer Service (ACS) URL at which PingOne for Enterprise receives the AuthnResponse from your identity bridge indicating whether a user has been successfully authenticated for single sign-on (SSO).
    - SSO: Indicates whether SSO is initiated by the SP or by the IdP.
    - RelayState: The target resource used by PingOne for Enterprise to continue SSO to a particular application when SSO is initiated from the IdP. If you’re using IdP-initiated SSO, you need to include the SaaS ID either in this target resource or in the ACS URL Parameter.
    - ACS URL Parameter: A query parameter added to the Assertion Consumer Service URL to direct PingOne for Enterprise to continue SSO to a particular application when SSO is initiated from the identity bridge. If you’re using IdP-initiated SSO, you need to include the SaaS ID either here or in the RelayState value.
    - Outbound: The binding for outbound exchanges (the assertion the identity bridge sends to PingOne for Enterprise). Use POST.
    - Inbound: The binding for inbound exchanges (the AuthnRequest the identity bridge receives from PingOne for Enterprise). Use Redirect.
    - Protocol: The protocol to use for authentication assertions. Use SAML 2.0.
    - Profile: The method the identity bridge uses to send an assertion to PingOne for Enterprise. POST is the default.
    - Request Binding: The method PingOne for Enterprise uses to request an assertion. Redirect is the default.
- Click to download the Signing Certificate and Encryption Certificate.
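Before handing the downloaded metadata to the IdP administrator, it is worth confirming that it says what the steps above intend. The following is an added example, not Ping Identity's code: it parses an SP metadata file with the standard library and reports whether AuthnRequestsSigned is set, how many signing certificates it carries (two when the primary certificate was selected, one when the renewal certificate was), whether an encryption certificate is present, and whether the default ACS uses HTTP-POST over https. The embedded metadata is a constructed stand-in for the real download; its hostnames are assumptions and the X509Certificate bodies are base64 of short labels, not real certificates.

```python
"""Sanity-check downloaded PingOne for Enterprise (SP) SAML metadata.

Added example, not Ping Identity code; standard library only.
"""
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample of the download after selecting Primary Certificate (so
# both signing certificates are present) and Sign the AuthnRequest from PingOne.
# Hostnames are placeholders; X509Certificate bodies are base64 of short labels.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://pingone.example.invalid/sp/EXAMPLE-COMPANY-ID">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>UFJJTUFSWS1DRVJU</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>UkVORVdBTC1DRVJU</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>RU5DUllQVElPTi1DRVJU</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://pingone.example.invalid/sso/SLO.saml2"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://pingone.example.invalid/sso/ACS.saml2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _certs(descriptor, use):
    """DER bodies of the KeyDescriptors usable for `use` (absent use = both)."""
    out = []
    for kd in descriptor.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, use):
            b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS)
            # strict decoding: a truncated or hand-edited certificate fails here
            out.append(base64.b64decode("".join(b64.split()), validate=True))
    return out


def check_sp_metadata(xml_text):
    """Summarise what an IdP administrator would import from the file."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    acs_list = sp.findall("md:AssertionConsumerService", NS)
    acs = next((a for a in acs_list if a.get("isDefault") == "true"),
               acs_list[0] if acs_list else None)
    slo = sp.find("md:SingleLogoutService", NS)
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") in ("true", "1"),
        "signing_certs": len(_certs(sp, "signing")),
        "encryption_certs": len(_certs(sp, "encryption")),
        "acs_binding": acs.get("Binding") if acs is not None else None,
        "acs_url": acs.get("Location") if acs is not None else None,
        "slo_binding": slo.get("Binding") if slo is not None else None,
    }


def problems(report):
    """Findings to resolve before handing the metadata to the IdP administrator."""
    found = []
    if not report["authn_requests_signed"]:
        found.append("AuthnRequestsSigned is false: the IdP cannot tell a forged "
                     "or tampered AuthnRequest from a genuine one")
    if report["signing_certs"] == 0:
        found.append("no signing certificate: signed requests cannot be verified")
    elif report["signing_certs"] == 1:
        found.append("one signing certificate only: Renewal Certificate was "
                     "selected or no renewal exists yet; re-import at rotation")
    if report["encryption_certs"] == 0:
        found.append("no encryption certificate: the IdP cannot encrypt assertions")
    if report["acs_binding"] != POST:
        found.append("default ACS binding is not HTTP-POST")
    if not (report["acs_url"] or "").startswith("https://"):
        found.append("ACS URL is not https: assertions would be posted in clear")
    if report["slo_binding"] not in (None, POST, REDIRECT):
        found.append("SLO binding is neither POST nor Redirect")
    return found


if __name__ == "__main__":
    rep = check_sp_metadata(SAMPLE_SP_METADATA)
    print(rep, problems(rep) or ["metadata looks consistent"], sep="\n")
```

Run it against the real download in place of SAMPLE_SP_METADATA; an empty problems list means the IdP administrator receives a file with a verifiable signing certificate, a renewal certificate to survive the next rotation, and an ACS endpoint that only accepts the assertion over POST and TLS.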
- In your IdP, do one of the following:
  - Upload or import the PingOne for Enterprise metadata file. The required SAML parameters are assigned based on the settings in the metadata file.
  - Manually assign the SAML parameter settings required for the PingOne for Enterprise connection. Reference the PingOne for Enterprise metadata file, if necessary.
- In your IdP, select a method to assign the IdP connection settings in PingOne for Enterprise in the next step. Choose from:
  - Export your IdP metadata file for import into PingOne for Enterprise. The metadata must be UTF-8 encoded without a byte order mark (BOM).
  - Enter the following IdP connection information manually into PingOne for Enterprise. Reference the IdP metadata file, if necessary:
    - Entity ID: Uniquely identifies the identity bridge to PingOne for Enterprise. This identifier is used in the Issuer element of the SAML assertion that the identity bridge sends to PingOne for Enterprise. To prevent identifier conflicts with the idpid, the Entity ID must be unique, unless you’re assigning the Entity ID value for a private, managed application (an application that is supplied and configured by a PingOne for Enterprise administrator rather than by an SP).
    - SSO Endpoint: The endpoint at your identity bridge to which PingOne for Enterprise sends AuthnRequests, using the Redirect method you assigned to the Request Binding attribute for your identity bridge.
    - Verification Certificate: The public certificate of your identity bridge. PingOne for Enterprise uses it to verify the signature on the SAML assertions your identity bridge sends, so it must be the certificate whose private key your IdP currently signs with.
    - Secondary Verification Certificate: A second certificate that PingOne for Enterprise tries if signature verification with the primary certificate fails, for example while your IdP rotates its signing key. It must likewise correspond to a key your IdP signs with.
    - Single Logout Endpoint: (Optional) The endpoint URL configured for the identity bridge to which PingOne for Enterprise sends SAML single logout (SLO) requests. The SLO process uses the binding you choose for the Single Logout Binding Type attribute.
    - Single Logout Response Endpoint (IdP): (Optional) The endpoint URL configured for the identity bridge to which PingOne for Enterprise sends SLO responses. If you do not assign a value here, Single Logout Endpoint is also used as the response endpoint. The SLO process uses the binding you choose for the Single Logout Binding Type attribute.
    - Single Logout Binding Type: The binding type determines how the SAML protocol uses another protocol (in this case, HTTP) to transport messages. The SAML SLO process can use either the POST or the Redirect method.
- In PingOne for Enterprise, assign the IdP connection settings. Choose from:
  - Import your IdP connection metadata. The SAML parameters required for the IdP connection are assigned based on the settings in the metadata file.
  - Use the list of connection settings you copied from your identity bridge to enter values for the PingOne for Enterprise attributes displayed.
- Ensure that the connection settings are correct.
- Assign the IdP-to-PingOne for Enterprise attribute mapping.
  This assignment maps identity provider attributes to the default attributes used by the PingOne for Enterprise dock. This attribute mapping is not used by applications that you add to PingOne for Enterprise; configure those attribute mappings for each application.
  - Optional: For any of the attribute mappings, configure an advanced mapping. For instructions, see Creating advanced attribute mappings.
  - Click Done.
- Click Finish.
Result
When you return to Setup → Identity Repository, you see a summary of the settings for your identity bridge.
Next steps
You can click Edit to modify the settings. You can also copy the PingOne Metadata URL and use it to keep your IdP configuration updated with PingOne for Enterprise metadata.