Prepare to provide the following:

  • Name of the application
  • A brief, accurate description of your application
  • Attribute mapping information, used to map your application attributes to the identity attributes required from the identity provider to verify users' identities
  • Entity ID, used to uniquely identify the application and obtained from the service provider
  • ACS URL, the application's URL to which SAML assertions from the IdP will be sent after user authentication occurs
  • Certificates, if the template you select is based on a PingFederate connection that requires a certificate
  1. On the the Select Metadata window, you can:
    • Provide a metadata file. Click Choose file to provide the file.
    • Provide a URLto the metadata file. Click Or Use URL to provide the URL.
    • Skip this step and provide the Entity ID, ACS URL, and certificates, or all of this information, during the promotion process.
    If you choose to provide a metadata file, the information in the file will display, as shown in this example.
    This example shows what the Select Metadata window might look like after a metadata file is provided.
  2. Click Next.
  3. On the Map Attributes page, map the application attributes to the identity attributes required to fulfill the authentication policy contract in PingFederate. Select identity attributes from the Identity Attribute list or click to add static values in the Static Value field. Click Next.
  4. On the Describe Application page, enter the name of the application and a description in the appropriate fields.
    You are adding this application to PingCentral, so your name will automatically populate the Owners field.
  5. Optional: To add owners, click the Owners field and select additional owners from the list. If the name you are looking for does not display in the list, contact your PingCentral administrator and request that the person be provisioned. Click Next.
  6. Click Save and Close.
    The application displays at the top of the list of applications on the Applications page.
  7. To promote the application to an environment, click the expandable icon associated with the application, select the Promote tab, and click Promote.
  8. Select the environment to which you want to promote the application from the Available Environments list.
    Note:

    If you have the Application Owner role, you cannot promote applications to protected environments, which have shield icons associated with them.

  9. If you provided a metadata file when you added your application to PingCentral, the Promote to Environment window is pre-populated with the information from the other SAML application. Modify this information, as necessary.

    If you did not upload a metadata file, enter the appropriate information in the Entity ID and ACS URL fields, and upload certificates, if required.

    Certificates are required for PingFederate SP connections when:

    • Either of the single logout (SLO) options, IdP-Initiated-SLO or SP-Initiated-SLO, are selected as the SAML profile.
    • Digital signatures are required, and the Signature Policy is set to Require authn requests to be signed when received via the POST or redirect bindings option.
    • Inbound backchannel authentication is configured. For more information, see the following topics in the PingFederate Server Guide:

  10. If encryption is enabled for the connection, click in the Assertion Encryption Certificate field. Select an assertion encryption certificate used for a previous promotion from the list or provide a new one.
    Note: Only whole encryption is currently supported, so if a connection has attributes specified for encryption, the promotion will fail.
  11. Verify that the information displayed in the Promote to Environment window is correct and click Promote.
    PingCentral promotes your application to the designated environment in PingFederate. You will see the new promotion in the History section of the page. If the signature verification certificate used during promotion is available in the PingFederate environment, that certificate is used. If not, a new certificate is created.
  12. To configure the SSO connection, provide the following information to your service provider:
    • The application Entity ID.
    • The SSO endpoint URL. Click View Connection Details to access the Promotion Details window, which displays the SSO endpoint URL.
    • Certificates, if applicable. In the Promotion Details window, click Identity Provider to download the certificate that the identity provider is using to sign the SAML assertion, and the assertion encryption certificate associated with the connection.
      This example shows the Promotion Details page, which contains information regarding the promotion, such as the ACS URL, SSO endpoint URL, and certificates associated with the connection.