PingOne uses the SAML protocol to connect to Microsoft Active Directory Federation Services (ADFS).
To configure the identity repository side of the connection, you will need to supply the PingOne SAML connection settings to your ADFS administrator. To configure the PingOne side of the connection, the ADFS administrator will need to supply you with the ADFS SAML connection settings. We recommend using metadata files to update these settings, although you can configure the settings manually.
- Go to Connect to an Identity Repository, and select Microsoft ADFS.
- Click Next.
- From the Choose Signing Certificate list, select the signing certificate for PingOne to use to sign SAML assertions sent to ADFS.
- Click Download PingOne Metadata.
The PingOne metadata includes all of the necessary PingOne connection information, including the encryption certificate and the primary and renewal certificates.
- Click Next.
Assign the ADFS SAML connection settings in PingOne:
- Click the Import Your ADFS SAML Connection Metadata button. Click either Select File or Use URL.
The SAML parameters required for the PingOne side of the connection are assigned automatically from the settings in the metadata.
Note: The SAML connection metadata must be UTF-8 encoded, without a byte order mark (BOM).
- Manually enter the values for these SAML connection settings used by ADFS:
- Entity ID
- Uniquely identifies the identity bridge to PingOne. This identifier is used in the Issuer element of the SAML assertion sent to us by the identity bridge.
Note: To avoid identifier conflicts with the idpid, the Entity ID must be unique, unless you are assigning the Entity ID value for a private, managed application (an application that is supplied and configured by a PingOne for Enterprise administrator rather than by an SP).
- SSO Endpoint
- The endpoint at your identity bridge to which PingOne sends AuthnRequests (using the Redirect method you assigned to the Request Binding attribute for your identity bridge).
- Verification Certificate
- The public verification certificate for your identity bridge. PingOne will use this certificate on your behalf to sign SAML assertions. Ensure that your IdP imports and recognizes this verification certificate.
- Secondary Verification Certificate
- A second certificate for us to use to sign SAML assertions on your behalf if verification fails when using your primary certificate. Ensure that your IdP imports and recognizes this verification certificate.
- Single Logout Endpoint
- (Optional) The endpoint (URL) configured for the identity bridge to which PingOne sends SAML single logout (SLO) requests. The SLO process uses the binding you choose for the Single Logout Binding Type attribute.
- Single Logout Response Endpoint (IdP)
- (Optional) The endpoint (URL) configured for the identity bridge to which PingOne sends single logout (SLO) responses. If you do not assign a value here, Single Logout Endpoint is also used as the response endpoint. The SLO process uses the binding you choose for the Single Logout Binding Type attribute.
- Single Logout Binding Type
- The binding type determines how the SAML protocol uses another protocol (in this case, HTTP) to transport messages. The SAML single logout (SLO) process can use either the POST or Redirect methods.
- Click Next.
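The following script is an added example, not code from PingOne or ADFS documentation. It performs the checks a PingOne administrator would want before importing the ADFS metadata: it enforces the UTF-8 without BOM requirement stated above, then pulls from the metadata the same values the manual fields ask for (Entity ID, the Redirect-binding SSO endpoint, the signing certificate PingOne will trust for verifying ADFS signatures, a second signing certificate if one is listed, and the single logout endpoint, response endpoint and binding). The metadata document, hostnames and certificate value are constructed placeholders in the shape ADFS publishes; the parser is the standard-library ElementTree, which is an assumption (use defusedxml for files from untrusted sources).

```python
"""Pre-import checks for ADFS (IdP) SAML metadata bound for PingOne (added example)."""
import base64
import xml.etree.ElementTree as ET  # assumption: stdlib parser; use defusedxml for untrusted files

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
UTF8_BOM = b"\xef\xbb\xbf"


def parse_idp_metadata(raw: bytes) -> dict:
    """Extract the PingOne-side settings from IdP metadata, or raise ValueError.

    Rejects what the PingOne import rejects (a BOM, non-UTF-8 bytes) and what would
    leave the connection unusable (no entityID, no Redirect SSO endpoint, no signing cert).
    """
    if raw.startswith(UTF8_BOM):
        raise ValueError("metadata starts with a UTF-8 byte order mark; re-save it without the BOM")
    try:
        raw.decode("utf-8")  # strict decode: any non-UTF-8 byte raises
    except UnicodeDecodeError as exc:
        raise ValueError(f"metadata is not valid UTF-8: {exc}") from None

    root = ET.fromstring(raw)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID (PingOne's Entity ID field)")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")

    # PingOne sends AuthnRequests with the Redirect binding, so that endpoint must be present.
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    if not sso.get(BINDING_REDIRECT):
        raise ValueError("no HTTP-Redirect SingleSignOnService (PingOne's SSO Endpoint field)")

    # Signing certificates: what PingOne needs to verify the signatures ADFS puts on assertions.
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())  # strip the line wrapping ADFS emits
            base64.b64decode(b64, validate=True)  # non-base64 content means a broken export
            certs.append(b64)
    if not certs:
        raise ValueError("no signing certificate (PingOne's Verification Certificate field)")

    # Single logout is optional; PingOne needs the endpoint, the response endpoint and the binding.
    slo = None
    for s in idp.findall("md:SingleLogoutService", NS):
        if s.get("Binding") in (BINDING_REDIRECT, BINDING_POST):
            slo = {
                "binding": "Redirect" if s.get("Binding") == BINDING_REDIRECT else "POST",
                "endpoint": s.get("Location"),
                # Without ResponseLocation, PingOne sends SLO responses to the logout endpoint.
                "response_endpoint": s.get("ResponseLocation") or s.get("Location"),
            }
            break

    return {
        "entity_id": entity_id,
        "sso_endpoint": sso[BINDING_REDIRECT],
        "verification_certificate": certs[0],
        "secondary_verification_certificate": certs[1] if len(certs) > 1 else None,
        "single_logout": slo,
    }


def import_problem(raw: bytes):
    """Return None if the metadata would import cleanly, otherwise the reason it would not."""
    try:
        parse_idp_metadata(raw)
        return None
    except (ValueError, ET.ParseError) as exc:
        return str(exc)


# Constructed sample in the shape ADFS publishes; hostnames and certificate are placeholders.
FAKE_CERT = base64.b64encode(b"placeholder, not a real X.509 certificate").decode()
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
""".encode("utf-8")

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_METADATA), ("with BOM", UTF8_BOM + SAMPLE_METADATA)):
        print(name, "->", import_problem(blob) or parse_idp_metadata(blob))
```

The keys of the returned dictionary mirror the manual fields above, so the output can be compared field by field against an existing PingOne configuration, or used to spot an ADFS export that would silently import with the wrong SSO binding or without the signing certificate. When the metadata lists two signing certificates, as ADFS does while rolling over its token-signing certificate, the second one is reported as the Secondary Verification Certificate.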
For each PingOne attribute, enter or select an ADFS attribute to map it to.
Note: For any of the attribute mappings, you can choose to configure an advanced mapping. See Creating advanced attribute mappings for instructions.
This assignment maps identity provider attributes to the default attributes used by the PingOne dock. This attribute mapping is not used by applications that you add to PingOne. Application attributes are mapped in each application.
When mapping the PingOne E-mail Addresses attribute, use the default ADFS claim attribute
- Click Save.