IdentityIQ can integrate with PingFederate through an SP connection. To set up this connection:

  1. In the PingFederate Identity Provider, click Create New to add the SP connection to IdentityIQ.
  2. On the Connection Type tab, ensure Browser SSO Profiles is selected and click Next.
  3. On the Connection Options tab, ensure Browser SSO is selected and click Next.
  4. For Import Metadata, ensure None is selected and click Next.
  5. On the General Info tab, in the Connection Name and Partner's Entity ID fields, enter IdentityIQ..

    Screenshot of PingFederate Identity Provider SP Connection window with entries as described in text.
  6. Click Next.
  7. On the Browser SSO tab, click Configure Browser SSO.
  8. Check SP-initiated SSO and SP-initiated single logout (SLO) if necessary.
  9. Click Next under the Assertion Lifetime.
  10. Click Configure Assertion Creation.
  11. On the Identity Mapping tab, select Standard if the name attribute to send to IdentityIQ is known, otherwise select the required identity mapping.
  12. Under the Attribute Mapping, select the subject name format required for authentication.

    IdentityIQ and PingFederate support the following subject name formats:

    • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
    • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
    • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
    • urn:oasis:names:tc:SAML:2.0:nameid-format:entity
  13. On the Authentication Source Mapping tab, configure the required adapter or authentication policy. The following example uses a simple form adapter. After you configure the adapter, click Next.

    Screenshot of PingFederate Authentication Source Mapping tab with entries as described in text.
  14. Click Configure Protocol Settings.

    Screenshot of PingFederate Identity Provider SP Connection Protocol Settings tab with entries as described in text.
  15. On the Allowable SAML Bindings tab, select POST.
  16. On the Signature Policy tab, select the Always Sign Assertion and Sign Response as Required checkboxes.

    Screenshot of PingFederate Identity Provider SP Connection Signature Policy tab with entries as described in text.
  17. Under Configure Credentials, select the Signing Certificate to sign the SAML assertions as shown below. You must export the Signing Certificate to use it in the IdentityIQ SAML SSO configuration.

    Screenshot of PingFederate Identity Provider SP Connection window Summary tab to verify your entries.
  18. Click Done and Save.