• Have a fully created and functional Web Application with federated authentication.
  1. Open the PingFederate Admin console.
  2. Go to System > Server > Protocol Settings.
  3. On the Roles & Protocols tab, select the Enable Service Provider (SP) Role and Support the Following check box, and then select the WS-Federation check box below. Click Save.
  4. Go to Identity Provider > SP Connections. Click Create New.
  5. On the Connection Template tab, click Do Not Use a Template for This Connection. Click Next.
  6. On the Connection Type tab, select the Browser SSO Profiles check box.
    1. From the Protocol list, select WS-Federation.
    2. From the WS-Federation Token Type list, select SAML 1.1. Click Next.
      [Screenshot: Connection Type tab of the PingFederate admin console, showing Browser SSO Profiles enabled, protocol WS-Federation and token type SAML 1.1.]
  7. On the Connection Options tab, keep the default settings. Click Next.
  8. Complete the General Info tab.
    [Screenshot: General Info tab of the SP connection configuration, with the Connection ID and Connection Name fields filled in.]
    1. In the Partner's Realm (Connection ID) field, enter the partner's unique connection identifier.
    2. In the Connection Name field, enter a name for the connection. Click Next.

    The Partner's Realm can be an arbitrary value.

  9. On the Browser SSO tab, click Configure Browser SSO.
  10. Complete the Assertion Lifetime tab.
    1. In the Minutes Before field, enter 15.
    2. In the Minutes After field, enter 15. Click Next.
  11. On the Assertion Creation tab, click Configure Assertion Creation.
  12. On the Identity Mapping tab, click User Principal Name. Click Next.

    Configure the identity claim type on the SharePoint server for different attributes like email address, UPN or common name.

  13. Complete the Attribute Contract tab.
    1. In the Extend the Contract field, enter upn.
    2. From the Attribute Name Format list, select http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
    3. Click Add, and then click Next.

    The attribute names are case-sensitive. They should match the claim type names configured for the Trusted Identity Provider on the SharePoint server.

  14. On the Authentication Source Mapping tab, add a mapping of your choice. Choose one of the following options.
    • Map New Adapter Instance
    • Map New Authentication Policy
  15. Depending on your choice, from the Authentication Policy Contract list select an authentication policy contract, or from the Adapter Instance list select the adapter instance. Click Next.

    If you do not have an Authentication Policy Contract or an Adapter Instance created, click Manage Authentication Policy Contracts or Manage Adapter Instance and configure the authentication source mapping as needed.

    For more information, see Policy contracts and Manage IdP Adapters in the PingFederate documentation.

  16. On the Mapping Method tab, select Retrieve Additional Attributes From Multiple Data Stores Using One Mapping.
    This selection retrieves the UPN value from an LDAP Data Store.
  17. On the Attribute Sources & User Lookup tab, click Add Attribute Store and select an existing data store under Active Data Store or create a new one.

    For more information, see Data Stores in the PingFederate documentation.

  18. On the LDAP Directory Search tab, enter the base DN details in the Base DN field.
  19. In the attribute list, add userPrincipalName to the list of attributes returned from search. Click Next.
  20. In the Filter field, enter a name for the filter. Click Next.
  21. Click Done.
  22. On the Attribute Contract Fulfillment tab, select the attribute contract source from the Source list, and the value from the Value list for each attribute contract. Click Next.
    [Screenshot: Attribute Contract Fulfillment tab of the SP connection configuration.]
  23. If necessary, complete the Issuance Criteria tab. Click Next.

    The Issuance Criteria tab is not required to continue.

  24. On the Summary tab, review the information and click Done.
  25. On the Authentication Source Mapping tab, click Next.
  26. On the Summary tab, click Done.
  27. On the Assertion Creation tab, click Next.
  28. On the Protocol Settings tab, click Configure Protocol Settings.
  29. On the Service URL tab, in the Endpoint URL field, enter the Endpoint URL. Click Next.
    [Screenshot: Protocol Settings summary of the SP connection configuration.]

    Construct the Endpoint URL by adding /_trust/ at the end of the SharePoint Web Application URL. In order to support multiple web applications on the same connection, see Additional configuration options.

  30. On the Summary tab, click Done.
  31. On the Protocol Settings tab, click Next.
  32. On the Summary tab, click Done.
  33. On the Browser SSO tab, click Next.
  34. On the Credentials tab, click Configure Credentials.
    [Screenshot: Summary tab of the SP connection configuration.]
  35. On the Digital Signature Settings tab, from the Signing Certificate list, select your signing certificate.
  36. From the Signing Algorithm list, select the Signing Algorithm. Click Next.
  37. On the Summary tab, click Done.
  38. On the Credentials tab, click Next.
  39. On the Activation & Summary tab, review the connection settings and set the Connection Status to Active. Click Save.
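
Once the connection is active, a token from a test sign-on can be checked against the settings chosen in this procedure: the 15-minute Assertion Lifetime window (step 10), the case-sensitive upn attribute in the http://schemas.xmlsoap.org/ws/2005/05/identity/claims namespace (step 13), and the SharePoint endpoint URL formed by appending /_trust/ to the web application URL (step 29). The following Python script is an added example, not part of Ping Identity's documentation or product; the SAML 1.1 assertion it parses is constructed for the example, and the issuer, hostnames and UPN in it are placeholders.

```python
"""Check a SAML 1.1 assertion (the token type chosen in step 6) against the
WS-Federation SP connection settings configured in this procedure.

SAMPLE_ASSERTION is constructed for this example; it is not a token captured
from a real PingFederate or SharePoint deployment."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"  # name format from step 13
LIFETIME_MINUTES = 15  # Minutes Before / Minutes After from the Assertion Lifetime tab (step 10)

# Constructed sample token; example.test hostnames and the UPN are placeholders.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1"
    AssertionID="_example-assertion-id" Issuer="https://pingfederate.example.test"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T11:45:00Z" NotOnOrAfter="2024-01-01T12:15:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sharepoint.example.test/_trust/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>jdoe@example.test</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="upn" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>jdoe@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_time(value):
    """Parse the UTC 'Z' timestamps used in SAML 1.1 assertions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, web_app_url, expected_attribute="upn", lifetime=LIFETIME_MINUTES):
    """Return a list of findings; an empty list means the token matches the configuration."""
    findings = []
    root = ET.fromstring(xml_text)
    ns = {"saml": SAML1_NS}

    # Assertion lifetime: NotBefore / NotOnOrAfter must stay within IssueInstant +/- lifetime.
    issued = _parse_time(root.get("IssueInstant"))
    conditions = root.find("saml:Conditions", ns)
    not_before = _parse_time(conditions.get("NotBefore"))
    not_on_or_after = _parse_time(conditions.get("NotOnOrAfter"))
    window = timedelta(minutes=lifetime)
    if issued - not_before > window:
        findings.append(f"NotBefore is more than {lifetime} minutes before IssueInstant")
    if not_on_or_after - issued > window:
        findings.append(f"NotOnOrAfter is more than {lifetime} minutes after IssueInstant")

    # Audience: the SharePoint web application URL with /_trust/ appended (step 29).
    expected_audience = web_app_url.rstrip("/") + "/_trust/"
    audiences = [a.text for a in root.findall(".//saml:Audience", ns)]
    if expected_audience not in audiences:
        findings.append(f"audience {audiences} does not include {expected_audience}")

    # Attribute contract: the name is compared case-sensitively, as SharePoint does (step 13).
    attrs = root.findall(".//saml:Attribute", ns)
    matches = [a for a in attrs
               if a.get("AttributeName") == expected_attribute and a.get("AttributeNamespace") == CLAIMS_NS]
    if not matches:
        seen = [(a.get("AttributeName"), a.get("AttributeNamespace")) for a in attrs]
        findings.append(f"no attribute {CLAIMS_NS}/{expected_attribute}; saw {seen}")
    elif not matches[0].findtext("saml:AttributeValue", default="", namespaces=ns).strip():
        findings.append(f"attribute {expected_attribute} has an empty value")
    return findings


if __name__ == "__main__":
    for line in check_assertion(SAMPLE_ASSERTION, "https://sharepoint.example.test") or ["assertion OK"]:
        print(line)
```

Run the check against a token captured from your own test sign-on (for example, the wresult posted to /_trust/ in a browser trace); a finding on the attribute line usually means the Extend the Contract value in step 13 does not match the claim type name configured on the SharePoint Trusted Identity Provider, including letter case.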