Page created: 24 Mar 2020 |
Page updated: 17 Aug 2020
After selecting a SAML template, you can apply the template to the application and then promote the application to the appropriate environment for testing.
Prepare to provide the following:
- Name of the application
- A brief, accurate description of your application
- Attribute mapping information, used to map your application attributes to the identity attributes required from the identity provider to verify users' identities
- Entity ID, used to uniquely identify the application and obtained from the service provider
- ACS URL, the application's URL to which SAML assertions from the IdP will be sent after user authentication occurs
- Certificates, if the template you select is based on a PingFederate connection that requires a certificate
On the Select Metadata window, you can:
- Provide a metadata file. Click Choose file to provide the file.
- Provide a URL to the metadata file. Click Or Use URL to provide the URL.
- Skip this step and provide the Entity ID, ACS URL, and certificates (some or all of this information) during the promotion process.
If you choose to provide a metadata file, the information in the file will display, as shown in this example.
- Click Next.
- On the Map Attributes page, map the application attributes to the identity attributes required to fulfill the authentication policy contract in PingFederate. Select identity attributes from the Identity Attribute list or click to add static values in the Static Value field. Click Next.
On the Describe Application page, enter the name of the application and a description in the appropriate fields.
You are adding this application to PingCentral, so your name will automatically populate the Owners field.
- Optional: To add owners, click the Owners field and select additional owners from the list. If the name you are looking for does not display in the list, contact your PingCentral administrator and request that the person be provisioned. Click Next.
Click Save and Close.
The application displays at the top of the list of applications on the Applications page.
- To promote the application to an environment, click the expandable icon associated with the application, select the Promote tab, and click Promote.
Select the environment to which you want to promote the application from the Available Environments list.
If you have the Application Owner role, you cannot promote applications to protected environments, which have shield icons associated with them.
If you provided a metadata file when you added your application to PingCentral, the Promote to Environment window is pre-populated with the information from the other SAML application. Modify this information, as necessary.
If you did not upload a metadata file, enter the appropriate information in the Entity ID and ACS URL fields, and upload certificates, if required.
Certificates are required for PingFederate SP connections when:
- Either of the single logout (SLO) options, IdP-Initiated-SLO or SP-Initiated-SLO, is selected as the SAML profile.
- Digital signatures are required, and the Signature Policy is set to Require authn requests to be signed when received via the POST or redirect bindings option.
- Inbound backchannel authentication is configured. For more information, see the following topics in the PingFederate Server Guide:
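The following is an added example, not PingCentral or PingFederate code. It reads the kind of SP metadata file an application owner would upload on the Select Metadata window, pulls out the Entity ID, ACS URL and any signing or encryption certificates, and then applies the rules listed above for when a PingFederate SP connection needs a certificate (an SLO profile is in use, or signed AuthnRequests are required). The `require_signed_authn_requests` and `inbound_backchannel_auth` arguments stand in for the PingFederate Signature Policy and backchannel settings, which cannot be read from the SP metadata; they are hypothetical parameters, and the metadata, entity, URLs and certificate text are all constructed for the example.

```python
"""Inspect SAML SP metadata and list what a PingCentral promotion will need."""
import xml.etree.ElementTree as ET  # metadata is untrusted input; use defusedxml in production

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample SP metadata: fake entity ID, URLs and certificate text.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://app.example.test/saml/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...SIGNING...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...ENCRYPTION...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://app.example.test/saml/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.example.test/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return the values the Promote to Environment window asks for."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    acs = sp.findall("md:AssertionConsumerService", NS)
    # Prefer the ACS endpoint marked as default, otherwise the first one listed.
    chosen = [a for a in acs if a.get("isDefault") == "true"] or acs
    if not chosen:
        raise ValueError("metadata has no AssertionConsumerService")
    certs = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        # A KeyDescriptor with no use attribute serves both purposes.
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for use in uses:
            certs[use] = "".join(cert.text.split())
    return {
        "entity_id": root.get("entityID"),
        "acs_url": chosen[0].get("Location"),
        "acs_binding": chosen[0].get("Binding"),
        "slo_configured": sp.find("md:SingleLogoutService", NS) is not None,
        # The SP declaring AuthnRequestsSigned is only a hint that the
        # signature policy should require signed requests.
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "certificates": certs,
    }


def certificate_required(info, require_signed_authn_requests=False,
                         inbound_backchannel_auth=False):
    """Return the reasons (if any) the SP connection needs a certificate."""
    reasons = []
    if info["slo_configured"]:
        reasons.append("single logout profile in use")
    if require_signed_authn_requests or info["authn_requests_signed"]:
        reasons.append("AuthnRequests must be signed")
    if inbound_backchannel_auth:
        reasons.append("inbound backchannel authentication configured")
    return reasons


def promotion_checklist(xml_text, require_signed_authn_requests=False,
                        inbound_backchannel_auth=False):
    """List missing inputs before promoting, so the promotion does not fail."""
    info = parse_sp_metadata(xml_text)
    problems = []
    if not info["entity_id"]:
        problems.append("Entity ID missing")
    if not info["acs_url"]:
        problems.append("ACS URL missing")
    reasons = certificate_required(info, require_signed_authn_requests,
                                   inbound_backchannel_auth)
    if reasons and "signing" not in info["certificates"]:
        problems.append("signature verification certificate needed: "
                        + ", ".join(reasons))
    return info, problems


if __name__ == "__main__":
    details, issues = promotion_checklist(SAMPLE_SP_METADATA)
    print(details["entity_id"], details["acs_url"], issues)
```

Run against metadata an application owner supplied, the checklist flags a missing signing certificate only when one of the listed conditions actually applies, which is the case to check before clicking Promote rather than after the promotion fails.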
If encryption is enabled for the connection, click in the Assertion Encryption Certificate field. Select an assertion encryption certificate used for a previous promotion from the list or provide a new one.
Note: Only whole encryption is currently supported, so if a connection has attributes specified for encryption, the promotion will fail.
Verify that the information displayed in the Promote to Environment window is correct and click
PingCentral promotes your application to the designated environment in PingFederate. You will see the new promotion in the History section of the page. If the signature verification certificate used during promotion is available in the PingFederate environment, that certificate is used. If not, a new certificate is created.
To configure the SSO connection, provide the following information to your service
- The application Entity ID.
- The SSO endpoint URL. Click View Connection Details to access the Promotion Details window, which displays the SSO endpoint URL.
- Certificates, if applicable. In the Promotion Details window, click Identity Provider to download the certificate that the identity provider is using to sign the SAML assertion, and the assertion encryption certificate associated with the connection.