Configuring a SAML application - PingOne for Enterprise - PingFederate - PingOne - PingOne Cloud Platform


Configure a SAML application in PingFederate, PingOne, and PingOne for Enterprise.

The following sections give the instructions for each product.

Configuring a SAML application in PingFederate

Configure a SAML application in PingFederate.

Component

  • PingFederate 10.1

Make sure you have the following:

  • A data store connection
  • A configured password credential validator (PCV)
  • A configured identity provider (IdP) adapter, such as an HTML Form adapter
  • An IdP digital signing certificate

  1. In the PingFederate administrative console, go to Applications > Integration > SP Connections.
  2. Click Create Connection.
  3. On the Connection Template tab, click Do not use a template for this connection. Click Next.
  4. On the Connection Type tab, select the Browser SSO Profiles check box.
  5. From the Protocol list, select SAML 2.0. Click Next.
  6. On the Connection Options tab, leave the Browser SSO check box selected, and then click Next.
  7. On the Import Metadata tab, import the service provider (SP) metadata from a file, pull it from a URL, or enter the values manually. Click Next.

    This example assumes that the SP has provided metadata. Obtain it over a trusted channel (for example, an HTTPS URL that the SP controls): the entity ID, ACS URL, and certificates it carries define who receives your signed assertions.

  8. On the General Info tab, provide a Connection Name if needed and review the information. Click Next.
    Note:

    Entity ID and Base URL should be provided by the SP.

  9. On the Browser SSO tab, click Configure Browser SSO.
  10. On the SAML Profiles tab, select the IdP-Initiated SSO and SP-Initiated SSO check boxes. Click Next.
  11. On the Assertion Lifetime tab, leave the default entries, and then click Next.
  12. On the Assertion Creation tab, click Configure Assertion Creation.
  13. On the Identity Mapping tab, click Standard. Click Next.
  14. On the Attribute Contract tab, ensure that whatever attributes you need for the SP are defined here. Click Next.
  15. On the Authentication Source Mapping tab, click Map New Adapter Instance.
  16. On the Adapter Instance tab, from the Adapter Instance list, select your previously configured HTML form adapter. Click Next.
  17. On the Mapping Method tab, leave the default selection, and then click Next.
  18. On the Attribute Contract Fulfillment tab, from the Source list for SAML_SUBJECT, select Adapter.
  19. From the Value list, depending on what the SP is expecting, select mail or uid.
  20. Define any other mappings as needed. Click Next.

    You can also select Text as the source to send a hard-coded value to the SP.

  21. On the Issuance Criteria tab, click Next.

    With no criteria defined, every user who authenticates through the mapped adapter is issued an assertion for this SP. Add criteria here if only a subset of users (for example, members of a particular group) should be able to reach the application.
  22. On the Summary tab, review your entries, and then click Done.

    [Screen capture: IdP Adapter Mapping Summary tab, with Cancel, Save Draft, Previous, and Done controls.]
  23. On the Authentication Source Mapping tab, click Next.
  24. On the Summary tab, review your entries, and then click Done.
  25. On the Assertion Creation tab, click Next.
  26. On the Protocol Settings tab, click Configure Protocol Settings.
  27. On the Assertion Consumer Service URL tab, ensure you see an entry for your SP based on the metadata that you uploaded. Click Next.
  28. On the Allowable SAML Bindings tab, ensure that POST is selected, and leave only the bindings the SP actually supports selected. Click Next.
  29. On the Signature Policy tab, click Always Sign the SAML Assertion. Click Next.
  30. On the Encryption Policy tab, click None. Click Next.

    With None, the assertion is protected in transit only by TLS to the ACS URL. Choose None only when every ACS URL is HTTPS and the SP has not supplied an encryption certificate; otherwise encrypt the assertion.
  31. On the Summary tab, review your entries, and then click Done.

    [Screen capture: Protocol Settings Summary tab, with Cancel, Save Draft, Previous, and Done controls.]
  32. On the Protocol Settings tab, click Next.
  33. On the Summary tab, review your entries, and then click Done.

    [Screen capture: Browser SSO Summary tab, with Cancel, Save Draft, Previous, and Done controls.]
  34. On the Browser SSO tab, click Next.
  35. On the Credentials tab, click Configure Credentials.
  36. On the Digital Signature Settings tab, from the Signing Certificate list, select your organization's default signing certificate that you previously created.
  37. Select the Include the Certificate in the Signature <KeyInfo> Element check box. Click Next.

    Including the certificate lets the SP identify which key signed the assertion. The SP must still verify the signature against the IdP certificate it obtained out of band (from your metadata), not against whatever certificate the KeyInfo happens to carry.
  38. On the Summary tab, review your entries, and then click Done.

    [Screen capture: Credentials Summary tab, with Cancel, Save Draft, Previous, and Done controls.]
  39. On the Credentials tab, click Next.
  40. On the Activation & Summary tab, click the toggle to enable the connection, and then scroll to the bottom and click Save.

    The connection status is enabled when the toggle is green. You must click Save or your work will be lost.


    [Screen capture: Activation & Summary window showing the connection status as enabled.]

Click the SP connection that you just created and copy its SSO URL. Test the connection by opening that URL in a private browsing session, so that no existing PingFederate session is reused and the full authentication flow is exercised.
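The following script is an added example, not code from Ping Identity or from this guide. It shows the checks an SP must apply to a Response produced by the connection configured above: the POST binding and ACS URL, an assertion that is always signed with the certificate in KeyInfo, the assertion lifetime, the audience, and the attribute contract with mail as SAML_SUBJECT. The SP entity ID, ACS URL, clock, and sample Response are constructed; cryptographic verification of the XML signature needs an XML-DSig library and is left out, so these checks complement rather than replace it.

```python
"""SP-side checks for a SAML 2.0 Response from the connection above. Added example, not
Ping Identity code: SP identifiers, clock and sample Response are constructed. XML signature
verification itself (an XML-DSig library) is out of scope; these checks must pass as well."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed SP-side values; they must equal what the SP metadata told PingFederate.
SP_ENTITY_ID = "https://sp.example.com/saml"
SP_ACS_URL = "https://sp.example.com/saml/acs"
CLOCK_SKEW = timedelta(minutes=5)
NOW = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)   # constructed clock for the sample

# Constructed sample; signature and certificate values are placeholders, not real ones.
ASSERTION_SIGNATURE = ('<ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>'
                       '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT'
                       '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>')
HEAD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="https://sp.example.com/saml/acs">
 <saml:Issuer>https://idp.example.com</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>"""
TAIL = """
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs" NotOnOrAfter="2024-05-01T12:05:00Z"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SIGNED_RESPONSE = HEAD + ASSERTION_SIGNATURE + TAIL   # what 'Always Sign the SAML Assertion' yields
UNSIGNED_RESPONSE = HEAD + TAIL                       # what a mis-set Signature Policy would yield


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, now=NOW, expected_in_response_to=None):
    """Return the list of policy violations; empty means accept (after signature verification)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    problems = []
    if root.get("Destination") != SP_ACS_URL:
        problems.append("Destination is not our ACS URL")
    # IdP-initiated SSO carries no InResponseTo; SP-initiated SSO must echo our AuthnRequest ID.
    if expected_in_response_to and root.get("InResponseTo") != expected_in_response_to:
        problems.append("InResponseTo does not match the outstanding AuthnRequest")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + [f"expected one plaintext Assertion, found {len(assertions)}"]
    a = assertions[0]
    sig = a.find("ds:Signature", NS)                  # Signature Policy: assertion always signed
    if sig is None:
        problems.append("assertion is not signed")
    elif sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
        problems.append("signature has no X509Certificate in KeyInfo to compare with the pinned IdP cert")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion has no Conditions")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")   # Assertion Lifetime, with skew
        if (nb and now < _ts(nb) - CLOCK_SKEW) or (na and now >= _ts(na) + CLOCK_SKEW):
            problems.append("assertion is outside its validity window")
        if SP_ENTITY_ID not in [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
            problems.append("our entity ID is not in AudienceRestriction")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        problems.append("bearer SubjectConfirmationData is missing or not addressed to our ACS URL")
    if a.find("saml:Subject/saml:NameID", NS) is None:
        problems.append("no NameID (the SAML_SUBJECT mapped in the attribute contract)")
    return problems


def subject_and_attributes(xml_text):
    """NameID (SAML_SUBJECT) and attribute contract values; read only after check_response passes."""
    a = ET.fromstring(xml_text).find("saml:Assertion", NS)
    nid = a.find("saml:Subject/saml:NameID", NS)
    attrs = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
             for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return nid.text, nid.get("Format"), attrs


if __name__ == "__main__":
    print("signed:", check_response(SIGNED_RESPONSE) or "OK")
    print("unsigned:", check_response(UNSIGNED_RESPONSE))
    print(subject_and_attributes(SIGNED_RESPONSE))
```

Run the script as-is to see the signed sample accepted and the unsigned variant rejected; in a real SP, call check_response after the XML-DSig library has verified the assertion signature against the IdP certificate taken from your metadata.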

Configuring a SAML application in PingOne

Configure a SAML application in PingOne.

The values in the following configuration depend on what the application (the service provider) requires.

Note:

Some application settings can only be configured after the application is created. Learn more in Editing an application.

  1. Go to Applications > Applications.
  2. Click the + icon.
  3. Create the application profile by entering the following:
    • Application name: A unique identifier for the application.
    • Description (optional): A brief characterization of the application.
    • Icon (optional): A graphic representation of the application. Use a file up to 1MB in JPG, JPEG, GIF, or PNG format.
  4. For Application Type, select SAML Application.
  5. Click Configure and specify the details of the connection between the application and PingOne.

    You can enter the values manually, or import them from a file or URL.

    • Import the configuration details from an XML metadata file. Select Import Metadata. Click Select a File and then select an XML metadata file on your file system. Click Open.

      The configuration values are populated based on the information in the metadata file.

      Note:

      If the metadata file does not specify all the configuration values, you must enter the missing values manually.

    • Import the configuration details from a metadata URL. Select Import from URL. Enter the URL and then click Import.
      Note:

      The URL must be a valid absolute URL. Use an HTTPS URL so that the metadata, and the certificates embedded in it, cannot be altered in transit.

      The configuration values are populated based on the information from the URL.

    • Enter the configuration details manually. In the ACS URLs field, enter the Assertion Consumer Service (ACS) URLs. You must specify at least one URL, and the first URL in the list is used as the default.

      In the Entity ID field, enter the service provider entity ID used to look up the application. The Entity ID is a required property and is unique within the environment.

  6. Click Save.

After the application is created, you can edit the application settings, configure application policies, and control application access. For more information, see Editing an application - SAML, Applying authentication policies to an application, and Application access control.

Configuring a SAML application in PingOne for Enterprise

Configure a SAML application in PingOne for Enterprise.

If you do not have the service provider's (SP) single sign-on (SSO) URL for the application, which is typically the case for a SAML application that already exists in your organization, you must configure the SAML settings yourself to add the application to PingOne for Enterprise.

  1. In the PingOne for Enterprise dashboard, go to Applications > My Applications > SAML.
  2. Click Add Applications > New SAML Application.
  3. In the Application Details section, complete the following required fields:
    • Application Name
    • Application Description
    • Category
    [Screen capture: Application Details section with the required Application Name, Application Description, and Category fields (marked with a red asterisk), an optional Graphics field, and the Cancel and Continue to Next Step buttons.]
  4. Click Continue to Next Step.
  5. In the Application Configuration section, provide the SAML configuration details for the application.
    1. From the Signing Certificate list, select the signing certificate you want to use.
    2. In the SAML Metadata field, click Download to retrieve the SAML metadata for PingOne for Enterprise.

      This supplies the PingOne for Enterprise connection information to the application.

    3. In the Protocol Version field, select the SAML protocol version appropriate for your application.
    4. In the Upload Metadata section, click Choose File to upload the application's metadata file.
      Note:

      The ACS URL and Entity ID are then supplied for you. If you don't upload the application metadata, you'll need to enter this information manually. When you assign an entity ID manually, the value must be unique, unless you are assigning it for a private managed application (an application that is supplied and configured by a PingOne for Enterprise administrator rather than by an SP).

      For applications supplied by an SP, entity ID values must be unique to prevent identifier conflicts with the IdP ID for the application.

    5. In the Application URL field, enter an appropriate URL.

      Some applications require this as the target URL. It is used for deep linking in IdP-initiated SSO: the IdP passes the application URL in the RelayState parameter. Because RelayState reaches the SP as an untrusted form field, the SP should redirect to it only after checking it against its own allowed URLs.

    6. In the Single Logout Endpoint field, enter the URL to which the service will send the SAML single logout (SLO) request using the Single Logout Binding Type that you select.
    7. In the Single Logout Response Endpoint field, enter the URL to which your service will send the SLO response.
    8. In the Single Logout Binding Type field, select the binding type, Redirect or POST, to use for SLO.
    9. In the Primary Verification Certificate field, click Choose File to upload the primary public verification certificate to use for verifying the SP signatures on SLO requests and responses.
    10. In the Secondary Verification Certificate field, click Choose File to upload the secondary verification certificate if available.

      The secondary verification certificate is used if the primary verification certificate fails to validate a signature.

    11. Select the Encryption Assertion check box.

      If selected, the assertions PingOne for Enterprise sends to the SP for a multiplexed application will be encrypted. You can also use this option for your managed applications. Available for SAML 2.0 applications only.

      Selecting this option displays the information needed to encrypt the assertion:

      • Encryption Certificate - Upload the certificate to use to encrypt the assertions.
      • Encryption Algorithm - Choose the algorithm to use for encrypting the assertions. We recommend AES_256 (the default), but you can select AES_128 instead.
      • Transport Algorithm - The algorithm used for securely transporting the encryption key. Currently, RSA-OAEP is the only transport algorithm supported.
      Note:

      If an encryption certificate is included in the metadata you upload, this option is automatically enabled. The entry for Encryption Certificate will show the name of the certificate and the entry for Encryption Algorithm will be set to AES_256.

    12. In the Signing field, select either to sign the SAML assertion or to sign the SAML response.

      If the Encryption Assertion check box is selected, choose to sign the response. The assertion's own signature is inside the ciphertext, so signing the response lets the SP verify the origin and integrity of the message before it decrypts anything, which is a significant increase in security.

    13. From the Signing Algorithm list, select the desired algorithm, or use the default value. Prefer a SHA-256 based algorithm; SHA-1 signatures are deprecated.
    14. Select the Force Re-authentication check box.

      If selected, users having a current, active SSO session will be re-authenticated by the identity bridge to establish a connection to this application.

    15. Select the Force MFA check box.

      If selected, users must complete multi-factor authentication (MFA), as defined by your authentication policy, each time they access the application. You'll need to have an authentication policy in place to use this setting. For more information, see Create or update an authentication policy.

    [Screen capture: Application Configuration section and its fields.]
  6. Complete any remaining entry fields that your requirements call for; they are optional. Click Continue to Next Step.

  7. In the SSO Attribute Mapping section, modify or add any attribute mappings as necessary for the application.

    In most cases, the default attribute mappings are sufficient. These mappings assign your identity repository attributes to the attributes provided by the SP for the application. For each application attribute, you can:

    • Click the Required check box to designate an attribute or attributes as required by the application.
    • In the Application Attribute field, enter the attribute name as the application expects it.
    • In the Identity Bridge Attribute or Literal Value field, select an identity repository attribute from the list.
    • Select the As Literal check box, and then enter a literal value to assign.
    • Click Advanced, and then enter any additional attributes required by the application. You then have all of the choices above when configuring the attribute.
  8. When finished modifying or adding any additional attributes, click Continue to Next Step.
  9. In the Group Access section, make the new application available to your users by assigning the groups authorized to use the application.
    1. Click Add for each group you want to authorize to use the application.

      All members of the selected group or groups will be able to use the application. When the application supports user provisioning, user provisioning to this application is also enabled for members of the assigned groups.

  10. Click Continue to Next Step.
  11. In the Review Setup section, review the application connection information.

    Some of this information might be needed by the SP to complete the SSO configuration for the application. In particular, you can download the PingOne for Enterprise signing certificate or the PingOne for Enterprise SAML metadata, which has the certificate embedded.

  12. Optional: To change any of the configuration settings, click Edit.
  13. Click Finish.
The new SAML application is added to your My Applications list. Go to Users > User Groups to see the application you've added is now authorized for use by the selected group or groups.
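The following script is an added example, not code from Ping Identity or from this guide. It demonstrates two SP-side checks for the settings in the Application Configuration section above: when Encryption Assertion is selected, the Response itself must carry the signature and the encryption algorithms should be the AES_256 and RSA-OAEP pair the page describes; and the RelayState used for IdP-initiated deep linking must be validated before the SP redirects to it. The sample Response, the algorithm URIs accepted for AES_256 and RSA-OAEP, and the allowed application origin are assumptions; decryption and signature verification themselves need an XML-Security library and are not performed here.

```python
"""Encrypted-assertion policy and RelayState checks. Added example, not Ping Identity code;
the sample Response, the algorithm URI sets and ALLOWED_APP_ORIGIN are assumptions."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}
# Assumed mapping of the UI choices to algorithm URIs; adjust to what your IdP actually emits.
AES_256 = {"http://www.w3.org/2001/04/xmlenc#aes256-cbc", "http://www.w3.org/2009/xmlenc11#aes256-gcm"}
RSA_OAEP = {"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p", "http://www.w3.org/2009/xmlenc11#rsa-oaep"}
ALLOWED_APP_ORIGIN = "https://app.example.com"   # constructed: the only origin RelayState may target
MAX_RELAY_STATE_BYTES = 80                        # limit set by the SAML 2.0 Bindings specification

# Constructed sample; ciphertext and signature values are placeholders.
RESPONSE_SIGNATURE = ('<ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER-SIG'
                      '</ds:SignatureValue></ds:Signature>')
HEAD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_r2" Version="2.0"
  IssueInstant="2024-05-01T12:00:00Z" Destination="https://sp.example.com/saml/acs">
 <saml:Issuer>https://idp.example.com</saml:Issuer>"""
TAIL = """
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:EncryptedAssertion>
  <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
   <ds:KeyInfo><xenc:EncryptedKey>
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    <xenc:CipherData><xenc:CipherValue>PLACEHOLDER-WRAPPED-KEY</xenc:CipherValue></xenc:CipherData>
   </xenc:EncryptedKey></ds:KeyInfo>
   <xenc:CipherData><xenc:CipherValue>PLACEHOLDER-CIPHERTEXT</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
 </saml:EncryptedAssertion>
</samlp:Response>"""
SIGNED_ENCRYPTED_RESPONSE = HEAD + RESPONSE_SIGNATURE + TAIL   # 'sign the SAML response' chosen
UNSIGNED_ENCRYPTED_RESPONSE = HEAD + TAIL                      # encrypted, but nothing verifiable


def encryption_policy_problems(xml_text):
    """Violations of the 'encrypt the assertion, sign the Response' policy (empty list means OK)."""
    root = ET.fromstring(xml_text)
    enc = root.find("saml:EncryptedAssertion/xenc:EncryptedData", NS)
    if enc is None:
        return ["assertion is not encrypted"]
    problems = []
    # The assertion's own signature is inside the ciphertext; only a Response-level signature
    # can be verified before decrypting, so require one.
    if root.find("ds:Signature", NS) is None:
        problems.append("assertion is encrypted but the Response is not signed")
    data = enc.find("xenc:EncryptionMethod", NS)
    if data is None or data.get("Algorithm") not in AES_256:
        problems.append("data encryption algorithm is not AES-256")
    # EncryptedKey normally sits in EncryptedData/KeyInfo; some IdPs place it beside EncryptedData.
    key = enc.find("ds:KeyInfo/xenc:EncryptedKey/xenc:EncryptionMethod", NS)
    if key is None:
        key = root.find("saml:EncryptedAssertion/xenc:EncryptedKey/xenc:EncryptionMethod", NS)
    if key is None or key.get("Algorithm") not in RSA_OAEP:
        problems.append("key transport algorithm is not RSA-OAEP")
    return problems


def safe_relay_state(relay_state):
    """Redirect target derived from RelayState, or None if it must be ignored. Accepts only a
    path on the application (no scheme, no host, not protocol-relative) or an absolute URL on
    ALLOWED_APP_ORIGIN, so a forged RelayState cannot turn the SP into an open redirector."""
    if not relay_state or len(relay_state.encode()) > MAX_RELAY_STATE_BYTES:
        return None
    parts = urlsplit(relay_state)
    if (not parts.scheme and not parts.netloc and relay_state.startswith("/")
            and not relay_state.startswith("//")):
        return ALLOWED_APP_ORIGIN + relay_state
    if parts.scheme == "https" and f"https://{parts.netloc}" == ALLOWED_APP_ORIGIN:
        return relay_state
    return None


if __name__ == "__main__":
    print("signed+encrypted:", encryption_policy_problems(SIGNED_ENCRYPTED_RESPONSE) or "policy OK")
    print("unsigned+encrypted:", encryption_policy_problems(UNSIGNED_ENCRYPTED_RESPONSE))
    for rs in ("/projects/42", "//evil.example/phish", "https://app.example.com/dash"):
        print(rs, "->", safe_relay_state(rs))
```

The RelayState check accepts a relative path or a URL on the one allowed origin and rejects protocol-relative and foreign URLs; the protocol-relative case is the one most often missed, because a naive "starts with /" test lets it through.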