---
title: Protecting PingAccess resources through external IdPs with PingFederate acting as an SP (leveraging FedHub)
description: Components
component: solution-guides
page_id: solution-guides:data_and_application_security_use_cases:htg_protect_pa_resources_pf
canonical_url: https://docs.pingidentity.com/solution-guides/data_and_application_security_use_cases/htg_protect_pa_resources_pf.html
revdate: February 16, 2022
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
  result: Result:
  result-2: Result:
  result-3: Result:
  result-4: Result:
  result-5: Result:
  result-6: Result:
  result-7: Result:
---

# Protecting PingAccess resources through external IdPs with PingFederate acting as an SP (leveraging FedHub)

## Before you begin

**Components**

* PingFederate 10.3

* PingAccess 6.3

## About this task

Follow these steps to connect PingFederate as an SP to an external IdP and configure an SP connection to bridge the IdP connection for the Federation Hub flow.

## Steps

1. In the PingFederate admin console, from **Authentication → Integration → IdP Connections**, click **Create Connection**.

2. Connect and configure PingFederate as the service provider (SP) to your external identity provider (IdP).

3. Create a new authentication policy contract with the attributes that need to be passed to PingAccess.

   |   |                                                                               |
   | - | ----------------------------------------------------------------------------- |
   |   | If you have previously integrated PingFederate and PingAccess, bypass step 3. |

   1. From **Authentication → Policies → Policy Contracts**, click **Create New Contract**.

   2. Configure the **Contract Info** and **Contract Attributes** tabs and then click **Next**. Click **Done**.

4. Create a new IdP connection to the SP.

   |   |                                                                                                                                                                                                                |
   | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | If you created a test SP connection to have PingFederate function as the test IdP, configure the IdP connection to match the SP connection. Otherwise, configure the IdP connection to match your external SP. |

   1. From **Authentication → Integration → IdP Connections**, click **Create Connection**.

   2. On the **Connection Type** screen, select the **Browser SSO Profiles** checkbox. Click **Next**.

   3. On the **Connection Options** screen, select the **Browser SSO** and **OAuth Attribute Mapping** checkboxes. Click **Next**.

   4. Configure the **General Info** screen. Click **Next**.

   5. On the **Browser SSO** screen, click **Configure Browser SSO**.

   6. On the **SAML Profiles** screen, select the **IDP-Initiated SSO** and **SP-Initiated SSO** checkboxes. Click **Next**.

   7. On the **User-Session Created** screen, click **Configure User-Session Creation**.

      ### Result:

      The **User-Session Creation** window displays.

   8. On the **Identity Mapping** screen, select **Account Mapping**. Click **Next**.

   9. On the **Attribute Contract** screen, configure the same attributes as in step 3. Click **Next**.

   10. On the **Target Session Mapping** screen, click **Map New Authentication Policy**.

       ### Result:

       The **Authentication Policy Mapping** window displays.

   11. From the **Authentication Policy Contract** menu, select the appropriate contract. Click **Next**.

   12. Configure the rest of the Authentication Policy Mapping screens. Click **Done**.

       ### Result:

       After you click **Done**, the system automatically returns you to the **User-Session Creation** screen.

   13. Click **Next** and **Done**.

       ### Result:

       You return to the **Browser SSO** screen.

   14. On the **OAuth Attribute Mapping** tab, click **Map to OAuth via Authentication Policy Contract** and then select the appropriate contract from the **Map to OAuth Via Authentication Policy Contract** list. Click **Next**.

   15. Click **Configure Protocol Settings**.

       ### Result:

       The **Protocol Settings** screen displays.

   16. Configure the **Protocol Settings** tabs and then click **Next**. Click **Done**.

       ### Result:

       You automatically return to the **Browser SSO** tab on the **IdP Connection** window.

   17. On the **Credentials** screen, click **Configure Credentials**. Configure the credentials and then click **Next**. Click **Done**.

       ### Result:

       You automatically return to the **Credentials** tab on the **IdP Connection** window.

   18. On the **Activation & Summary** screen, click **Save** and then click **Done**.

5. Configure the authentication policy contract mapping.

   |   |                                                              |
   | - | ------------------------------------------------------------ |
   |   | If you are using an existing policy contract, bypass step 5. |

   1. Go to **Main → OAuth Server → Authentication Policy Contract Mapping**.

   2. Click the **Authentication Policy Contract** drop-down menu and select a policy contract. Click **Add Mapping**.

   3. Configure the mapping and then click **Save**. Click **Done**.

6. Configure the access token mapping.

   1. From **Applications → OAuth → Access Token Mappings**, map the contract to the access token you are using for PingAccess.

      |   |                                                                                                                                                                                                                                                            |
      | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
      |   | For more information about access token management creation, see [Configuring an access token management instance](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_configuring_access_token_management_instance.html). |

7. From **Authentication → Policies → Policies**, click **Add Policy** and configure a policy to invoke your IdP connection.

8. From **Authentication → Policies → Sessions**, select the **Enable Sessions** checkbox for the session to be saved.

   |   |                                                                                                               |
   | - | ------------------------------------------------------------------------------------------------------------- |
   |   | The **Enable Authentication Sessions for All Sources** checkbox must be selected for the session to be saved. |

9. Click **Save**.
