Configuring a SAML application - PingOne Cloud Platform - PingFederate - PingOne - PingOne for Enterprise


Configure a SAML application in PingFederate, PingOne, and PingOne for Enterprise.

Click the following tabs to see instructions for each product.

Configuring a SAML application in PingFederate

Configure a SAML application in PingFederate.

Component

  • PingFederate 10.1

Make sure you have the following:

  • A data store connection
  • A configured password credential validator (PCV)
  • A configured identity provider (IdP) adapter
  • An IdP digital signing certificate
  1. In the PingFederate administrative console, go to Applications > Integration > SP Connections.
  2. Click Create Connection.
  3. On the Connection Template tab, click Do not use a template for this connection. Click Next.
  4. On the Connection Type tab, select the Browser SSO Profiles check box.
  5. From the Protocol list, select SAML 2.0. Click Next.
  6. On the Connection Options tab, leave the Browser SSO check box selected, and then click Next.
  7. On the Import Metadata tab, import the service provider (SP) metadata from a file, pull it from a URL, or enter the data manually. Click Next.

    This example assumes that the SP has provided its metadata.

  8. On the General Info tab, provide a Connection Name if needed and review the information. Click Next.
    Note:

    Entity ID and Base URL should be provided by the SP.

  9. On the Browser SSO tab, click Configure Browser SSO.
  10. On the SAML Profiles tab, select the IdP-Initiated SSO and SP-Initiated SSO check boxes. Click Next.
  11. On the Assertion Lifetime tab, leave the default entries, and then click Next.
  12. On the Assertion Creation tab, click Configure Assertion Creation.
  13. On the Identity Mapping tab, click Standard. Click Next.
  14. On the Attribute Contract tab, ensure that whatever attributes you need for the SP are defined here. Click Next.
  15. On the Authentication Source Mapping tab, click Map New Adapter Instance.
  16. On the Adapter Instance tab, from the Adapter Instance list, select your previously configured HTML form adapter. Click Next.
  17. On the Mapping Method tab, leave the default selection, and then click Next.
  18. On the Attribute Contract Fulfillment tab, from the Source list for SAML_SUBJECT, select Adapter.
  19. From the Value list, depending on what the SP is expecting, select mail or uid.
  20. Define any other mappings as needed. Click Next.

    You can use a hard-coded Text source to send fixed values to the SP connection.

  21. On the Issuance Criteria tab, click Next.
  22. On the Summary tab, review your entries, and then click Done.

    Screen capture of the IdP Adapter Mapping Summary tab. The bottom of the screen capture shows a hyperlink option to Cancel and buttons for Save Draft, Previous, and Done.
  23. On the Authentication Source Mapping tab, click Next.
  24. On the Summary tab, review your entries, and then click Done.
  25. On the Assertion Creation tab, click Next.
  26. On the Protocol Settings tab, click Configure Protocol Settings.
  27. On the Assertion Consumer Service URL tab, ensure you see an entry for your SP based on the metadata that you uploaded. Click Next.
  28. On the Allowable SAML Bindings tab, POST should be selected. Click Next.
  29. On the Signature Policy tab, click Always Sign the SAML Assertion. Click Next.
  30. On the Encryption Policy tab, click None. Click Next.
  31. On the Summary tab, review your entries, and then click Done.

    Screen capture of the Protocol Settings Summary tab. The bottom of the screen capture shows a hyperlink option to Cancel and buttons for Save Draft, Previous, and Done.
  32. On the Protocol Settings tab, click Next.
  33. On the Summary tab, review your entries, and then click Done.

    Screen capture of the Browser SSO Summary tab. The bottom of the screen capture shows a hyperlink option to Cancel and buttons for Save Draft, Previous, and Done.
  34. On the Browser SSO tab, click Next.
  35. On the Credentials tab, click Configure Credentials.
  36. On the Digital Signature Settings tab, from the Signing Certificate list, select your organization’s default signing certificate that you previously created.
  37. Select the Include the Certificate in the Signature <KeyInfo> Element check box. Click Next.
  38. On the Summary tab, review your entries, and then click Done.

    Screen capture of the Summary tab. The bottom of the screen capture shows a hyperlink option to Cancel and buttons for Save Draft, Previous, and Done.
  39. On the Credentials tab, click Next.
  40. On the Activation & Summary tab, click the toggle to enable the connection, and then scroll to the bottom and click Save.

    The connection status is enabled when the toggle is green. You must click Save or your work will be lost.


    Screen capture of the Activation and Summary window showing the connection status as enabled.

Click the SP connection that you just created and copy the SSO URL. Start a private browsing session and test the connection using that URL.

Configuring a SAML application in PingOne

Configure a SAML application in PingOne.

In the following configuration, values will vary depending on the identity provider (IdP) requirements.

  1. In the PingOne dashboard, go to Connections > Identity Providers.
  2. Click +Add Provider.
  3. Click SAML.
  4. On the Profile tab, complete the following:
    1. In the Name field, enter a unique identifier for the IdP.
    2. Optional: In the Description field, enter a brief characterization of the IdP.
    3. Optional: In the Icon field, upload an image to represent the IdP.

      Use a file up to 1MB in JPG, JPEG, GIF, or PNG format.

    4. Optional: In the Login button field, upload an image to be used for the login button that the end user will see.
    Screen capture of the Profile tab and the corresponding fields. In this screen capture, the IdP being configured is Salesforce Dev.
  5. Click Continue.
  6. On the P1 Connection tab, complete the following:
    1. In the PingOne (SP) Entity ID field, enter the entity ID for the service provider (SP).

      This is used as the issuer when PingOne sends a request to the external IdP. The IdP can also use this value to ensure that requests from the SP are valid. By default, this ID is based on the value you entered in the Name field.

    2. In the Signing Certificate field, specify the SP's signing certificate.
    3. In the Sign AuthN request field, specify whether the SAML authentication request will be signed when it is sent to the IdP.
    Screen capture of the P1 Connection tab and the corresponding fields for the Salesforce Dev IdP being configured.
  7. Click Continue.
  8. On the IDP Connection tab, complete the following:
    1. In the SSO Endpoint field, specify the single sign-on (SSO) endpoint for the authentication request.

      Only authentication requests can be sent to the SSO endpoint.

    2. In the IDP Entity ID field, enter the IdP's entity ID.
    3. In the SSO Binding section, specify the binding to use for the authentication request.
    4. In the Verification Certificate section, import a certificate from your local file system, or select a certificate that has already been imported.

      This specifies the IdP's certificate ID used to verify the signature on the signed assertion from the IdP. Signing is done with a private key and verified with a public key.

    Screen capture of the IDP Configuration tab and the corresponding fields for the Salesforce Dev IdP being configured.
  9. Click Continue.
  10. On the Attributes tab, in the Map Attributes section, define how the PingOne user attributes are mapped to SAML attributes.
    1. Select an attribute from the PingOne User Profile Attribute list.
    2. In the SAML Attribute field, enter the equivalent SAML attribute.
    3. From the Update Condition list, select the update condition.

      This determines how PingOne updates its user directory with the values from the SAML provider. The options are:

      • Empty only - Update the PingOne attribute only if the existing attribute is empty.
      • Always - Always update the PingOne directory attribute.
    Screen capture of the Attributes tab and the corresponding fields for the Salesforce Dev IdP being configured.
  11. Click Save and Finish.
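Both the PingFederate Import Metadata step and the PingOne IDP Connection tab take their entity ID, endpoints and certificates from a SAML metadata document. The following is an added example, not code from the Ping documentation, that pulls those values out of SP or IdP metadata so they can be checked before the import (the sample metadata and its certificate value are constructed placeholders):

```python
# Added example, not from the Ping documentation: read the entity ID, endpoints and
# certificates that the connection wizard asks for out of SAML 2.0 metadata.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _certs(role, use):
    """Base64 certificates declared for 'signing' or 'encryption' (no 'use' = both)."""
    certs = []
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, use):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join(c.text.split()))
    return certs

def parse_metadata(xml_text):
    """Return the wizard values from SP metadata (PingFederate) or IdP metadata (PingOne)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected a single md:EntityDescriptor")
    info = {"entity_id": root.get("entityID")}
    sp, idp = root.find("md:SPSSODescriptor", NS), root.find("md:IDPSSODescriptor", NS)
    if sp is not None:  # ACS URL and entity ID for the PingFederate SP connection
        info["role"] = "SP"
        info["acs"] = [(a.get("Binding").rsplit(":", 1)[-1], a.get("Location"))
                       for a in sp.findall("md:AssertionConsumerService", NS)]
        info["wants_assertions_signed"] = sp.get("WantAssertionsSigned") == "true"
    elif idp is not None:  # SSO endpoint, binding and verification cert for PingOne
        info["role"] = "IdP"
        info["sso"] = [(s.get("Binding").rsplit(":", 1)[-1], s.get("Location"))
                       for s in idp.findall("md:SingleSignOnService", NS)]
    else:
        raise ValueError("no SPSSODescriptor or IDPSSODescriptor found")
    role = sp if sp is not None else idp
    info["signing_certs"] = _certs(role, "signing")
    info["encryption_certs"] = _certs(role, "encryption")
    # Endpoints that are not HTTPS would carry assertions or requests in clear text.
    info["plaintext_endpoints"] = [loc for _, loc in info.get("acs", info.get("sso", []))
                                   if not loc.lower().startswith("https://")]
    return info

# Constructed sample SP metadata; the certificate value is a placeholder, not a real key.
SAMPLE_SP_METADATA = """<md:EntityDescriptor entityID="https://sp.example.com/saml"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:SPSSODescriptor WantAssertionsSigned="true">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...placeholder-signing-cert...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://sp.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

Compare the returned entity ID and ACS URL with what the wizard shows on the General Info and Assertion Consumer Service URL tabs, and treat any entry in plaintext_endpoints as a reason to stop the import.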

Configuring a SAML application in PingOne for Enterprise

Configure a SAML application in PingOne for Enterprise.

If you do not have the service provider's (SP) single sign-on (SSO) URL for the application (typically a SAML application that already exists in your organization), you must configure the necessary SAML settings for the application in order to add it to PingOne for Enterprise.

  1. In the PingOne for Enterprise dashboard, go to Applications > My Applications > SAML.
  2. Click Add Applications > New SAML Application.
  3. In the Application Details section, complete the following required fields:
    • Application Name
    • Application Description
    • Category
    Screen capture of the Application Details section and the corresponding fields. Required fields are defined by a small red asterisk to the right of the field. In addition to the required fields of Application Name, Application Description, and Category, there is a field for Graphics. The bottom of the screen capture includes text that the next step is Application Configuration along with the Cancel and Continue to Next Step buttons.
  4. Click Continue to Next Step.
  5. In the Application Configuration section, provide the SAML configuration details for the application.
    1. From the Signing Certificate list, select the signing certification you want to use.
    2. In the SAML Metadata field, click Download to retrieve the SAML metadata for PingOne for Enterprise.

      This supplies the PingOne for Enterprise connection information to the application.

    3. In the Protocol Version field, select the SAML protocol version appropriate for your application.
    4. In the Upload Metadata section, click Choose File to upload the application's metadata file.
      Note:

      The ACS URL and Entity ID will then be supplied for you. If you don't upload the application metadata, you'll need to enter this information manually. When manually assigning an entity ID, the value must be unique unless you are assigning it for a private managed application, that is, an application that is supplied and configured by a PingOne for Enterprise administrator rather than by an SP.

      When applications are supplied by an SP, entity ID values must be unique to prevent identifier conflicts with the IdP ID for the application.

    5. In the Application URL field, enter an appropriate URL.

      This is required by some applications as the target URL. It is used in IdP-initiated SSO for a deep-linking purpose. The application URL is passed in the RelayState parameter by the IdP.

    6. In the Single Logout Endpoint field, enter the URL to which the service will send the SAML single logout (SLO) request using the Single Logout Binding Type that you select.
    7. In the Single Logout Response Endpoint field, enter the URL to which your service will send the SLO response.
    8. In the Single Logout Binding Type field, select the binding type, Redirect or POST, to use for SLO.
    9. In the Primary Verification Certificate field, click Choose File to upload the primary public verification certificate to use for verifying the SP signatures on SLO requests and responses.
    10. In the Secondary Verification Certificate field, click Choose File to upload the secondary verification certificate if available.

      The secondary verification certificate is used if the primary verification certificate fails to validate a signature.

    11. Select the Encryption Assertion check box.

      If selected, the assertions PingOne for Enterprise sends to the SP for a multiplexed application will be encrypted. You can also use this option for your managed applications. Available for SAML 2.0 applications only.

      Selecting this option displays the information needed to encrypt the assertion:

      • Encryption Certificate - Upload the certificate to use to encrypt the assertions.
      • Encryption Algorithm - Choose the algorithm to use for encrypting the assertions. We recommend AES_256 (the default), but you can select AES_128 instead.
      • Transport Algorithm - The algorithm used for securely transporting the encryption key. Currently, RSA-OAEP is the only transport algorithm supported.
      Note:

       If an encryption certificate is included in the metadata you upload, this option is automatically enabled. The entry for Encryption Certificate will show the name of the certificate and the entry for Encryption Algorithm will be set to AES_256.

    12. In the Signing field, select either to sign the SAML assertion or to sign the SAML response.

      If the Encryption Assertion check box has been selected, choose to sign the response. This provides a significant increase in security.

    13. From the Signing Algorithm list, select the desired algorithm, or use the default value.
    14. Select the Force Re-authentication check box.

      If selected, users having a current, active SSO session will be re-authenticated by the identity bridge to establish a connection to this application.

    15. Select the Force MFA check box.

      If selected, users are required to complete multi-factor authentication (MFA), as defined by your authentication policy, each time they access the application. You'll need to have an authentication policy in place to use this setting. For more information, see Create or update an authentication policy.

    Screen capture of the Application Configuration section and the corresponding fields.
  6. Depending on your requirements, complete the remaining entry fields. Click Continue to Next Step.

    The remaining entry fields are optional depending on your requirements.

  7. In the SSO Attribute Mapping section, modify or add any attribute mappings as necessary for the application.

    In most cases, the default attribute mappings are sufficient. These mappings assign your identity repository attributes to the attributes provided by the SP for the application. For each application attribute, you can:

    • Click the Required check box to designate an attribute or attributes as required by the application.
    • In the Application Attribute field, enter an identity repository attribute.
    • In the Identity Bridge Attribute or Literal Value field, select an identity repository attribute from the list.
    • Select the As Literal check box, and then enter a literal value to assign.
    • Click Advanced, and then enter any additional attributes required by the application. You then have all of the choices above when configuring the attribute.
  8. When finished modifying or adding any additional attributes, click Continue to Next Step.
  9. In the Group Access section, make the new application available to your users by assigning the groups authorized to use the application.
    1. Click Add for each group you want to authorize to use the application.

      All members of the selected group or groups will be able to use the application. When the application supports user provisioning, user provisioning to this application is also enabled for members of the assigned groups.

  10. Click Continue to Next Step.
  11. In the Review Setup section, review the application connection information.

    Some of this information might be needed by the SP to complete the SSO configuration for the application. In particular, you can download the PingOne for Enterprise signing certificate or the PingOne for Enterprise SAML metadata, which has the certificate embedded.

  12. Optional: To change any of the configuration settings, click Edit.
  13. Click Finish.
The new SAML application is added to your My Applications list. Go to Users > User Groups to confirm that the application you've added is now authorized for use by the selected group or groups.
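Steps 11 and 12 of the Application Configuration section choose whether the assertion is encrypted (AES_256 with RSA-OAEP key transport) and whether the assertion or the response is signed, and note that an encrypted assertion should go with a signed response. The following added example, not code from the Ping documentation, inspects a captured SAML Response and reports whether it reflects those choices; it reads the declared algorithms and signature placement only and does not verify signatures or decrypt anything. The sample response is constructed, with placeholder cipher values.

```python
# Added example, not from the Ping documentation: check which parts of a SAML
# Response are signed and how the assertion is encrypted (no signature verification).
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#", "xenc": XENC}
STRONG_DATA = {XENC + "aes256-cbc", "http://www.w3.org/2009/xmlenc11#aes256-gcm"}  # AES_256
KEY_TRANSPORT_OAEP = {XENC + "rsa-oaep-mgf1p", "http://www.w3.org/2009/xmlenc11#rsa-oaep"}

def audit_response(xml_text):
    """Return what is signed, the declared encryption algorithms, and policy findings."""
    resp = ET.fromstring(xml_text)
    r = {"response_signed": resp.find("ds:Signature", NS) is not None,
         "assertion_signed": resp.find("saml:Assertion/ds:Signature", NS) is not None,
         "assertion_encrypted": False, "data_algorithm": None,
         "key_transport_algorithm": None, "findings": []}
    enc = resp.find("saml:EncryptedAssertion/xenc:EncryptedData", NS)
    if enc is not None:
        r["assertion_encrypted"] = True
        m = enc.find("xenc:EncryptionMethod", NS)
        r["data_algorithm"] = m.get("Algorithm") if m is not None else None
        k = enc.find("ds:KeyInfo/xenc:EncryptedKey/xenc:EncryptionMethod", NS)
        r["key_transport_algorithm"] = k.get("Algorithm") if k is not None else None
        # An encrypted assertion hides its own signature, so the Response must carry one.
        if not r["response_signed"]:
            r["findings"].append("assertion encrypted but response not signed")
        if r["data_algorithm"] not in STRONG_DATA:
            r["findings"].append("assertion not encrypted with AES-256")
        if r["key_transport_algorithm"] not in KEY_TRANSPORT_OAEP:
            r["findings"].append("key transport is not RSA-OAEP")
    elif not (r["response_signed"] or r["assertion_signed"]):
        r["findings"].append("neither response nor assertion is signed")
    return r

# Constructed sample: encrypted assertion, AES-256-CBC + RSA-OAEP, but no Response signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_r1" Version="2.0">
  <saml:Issuer>https://sso.example.com/idp</saml:Issuer>
  <saml:EncryptedAssertion><xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    <ds:KeyInfo><xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    </xenc:EncryptedKey></ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>placeholder</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>"""
```

Run it over a response captured from a test login (the SAML POST body, base64-decoded) after saving the configuration; an empty findings list means the signing and encryption choices made in the wizard are what the SP will actually receive.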