Protecting PingAccess resources through external IdPs with PingFederate acting as an SP (leveraging FedHub)
Before you begin
Components
-
PingFederate 10.3
-
PingAccess 6.3
About this task
Follow these steps to connect PingFederate as an SP to external IdP and configure an SP connection to bridge the IdP connection for the Federation Hub flow.
Steps
-
In PingFederate admin console, from Authentication → Integration → IdP Connections, click Create Connection.
-
Connect and configure PingFederate as the service provider (SP) to your external identity provider (IdP)
-
Create a new authentication policy contract with the attributes needed to be passed to PingAccess.
If you have previously integrated PingFederate and PingAccess, bypass step 3.
-
From Authentication → Policies → Policy Contracts, click Create New Contract.
-
Configure the Contract Info and Contract Attributes tabs and then click Next. Click Done.
-
-
Create a new IdP connection to the SP.
If you created a test SP connection to have PingFederate function as the test IdP, configure the IdP connection to match the SP connection. Otherwise, configure the IdP connection to match your external SP.
-
From Authentication → Integration → IdP Connections, click Create Connection.
-
On the Connection Type screen, select the Browser SSO Profiles check box. Click Next.
-
On the Connection Options screen, select the Browser SSO and OAuth Attribute Mapping check boxes. Click Next.
-
Configure the General Info screen. Click Next.
-
On the Browser SSO screen, click Configure Browser SSO.
-
On the SAML Profiles screen, select the IDP-Initiated SSO andSP-Initiated SSO check boxes. Click Next.
-
On the User-Session Created screen, click Configure User-Session Creation.
Result:
The User-Session Creation window displays.
-
On the Identity Mapping screen, select Account Mapping. Click Next.
-
On the Attribute Contract screen, configure the same attributes as Step 3. Click Next.
-
On the Target Session Mapping screen, click Map New Authentication Policy.
Result:
The Authentication Policy Mapping window displays.
-
From the Authentication Policy Contract menu, select the appropriate contract. Click Next.
-
Configure the rest of the Authentication Policy Mapping screens. Click Done.
Result:
After clicking Done, the system will automatically return you to the User-Session Creation screen.
-
Click Next and Done.
Result:
You return to the Browser SSO screen.
-
On the OAuth Attribute Mappingtab, click Map to OAuth via Authentication Policy Contract and then select the appropriate contact from the Map to OAuth Via Authentication Policy Contract list. Click Next.
-
Click Configure Protocol Settings.
Result:
The Protocol Settings screen displays.
-
Configure the Protocol Settings tabs and then click Next. Click Done.
Result:
You automatically return to the Browser SSO tab on the IdP Connection window.
-
On the Credentials screen, click Configure Credentials. Configure the credentials and then click Next. Click Done.
Result:
You automatically return to the Credentials tab on the IdP Connection window.
-
On the Activation & Summary screen, click Save and then click Done.
-
-
Configure the authentication policy contract mapping.
If you are using an existing policy contract, bypass step 5. -
Go to Main → OAuth Server → Authentication Policy Contract Mapping.
-
Click theAuthentication Policy Contract drop-down menu and select a policy contract. Click Add Mapping.
-
Configure the mapping and then click Save. Click Done.
-
-
Configure the access token mapping.
-
From Applications → OAuth → Access Token Mappings, map the contract to the access token you are using for PingAccess.
For more information about access token management creation, see Configuring an access token management instance.
-
-
From Authentication → Policies → Policies, click Add Policy and configure a policy to invoke your IdP connection.
-
From Authentication → Policies → Sessions, select the Enable Sessions check box for the session to be saved.
The Enable Authentication Sessions for All Sources check box must be selected for the session to be saved.
-
Click Save.