Securing your VPN with MFA through PingID

To enable PingID for VPN, use PingFederate Bridge and the PingOne for Enterprise admin portal. This secures your VPN with multi-factor authentication (MFA).

Components

  • PingOne for Enterprise

  • PingFederate Bridge (available through PingOne for Enterprise)

Before you begin

You must have:

  • A PingOne for Enterprise admin portal account

    You can sign up for a free trial of PingOne for Enterprise.

  • An instance of PingFederate Bridge

Enabling PingID for VPN through the PingOne for Enterprise admin portal

About this task

You can enable PingID for VPN through the PingOne for Enterprise admin portal or PingFederate Bridge. To enable PingID for VPN through the PingOne for Enterprise admin portal:

Steps

  1. Sign on to the PingOne for Enterprise admin portal.

  2. Click Setup.

  3. Click PingID → Client Integration.

  4. Click Setup PingFederate for PingID.

    (Screen capture of the Client Integration tab. Tabs across the top: Configuration, Client Integration, Branding, Device and Pairing, Policy. Text shown: "Integrate with and Other Clients" and "Use these properties files to Integrate with external clients such as AD FS, SSH, VPN, Windows Login (servers) or APIs. These files will contain sensitive information such as encryption keys." Buttons: Download, Revoke, Generate, and Setup for , the last highlighted with a red box.)

  5. To choose your server platform, follow the on-screen instructions.

  6. To download PingFederate Bridge, follow the on-screen instructions.

  7. To install and configure PingFederate Bridge, follow the on-screen instructions.

    Your Server Domain is your fully qualified domain name (FQDN).

  8. In the PingFederate administrative console, review the license agreement. Click Accept.

  9. In the PingOne for Enterprise admin portal, in the Install and Configure PingFederate Bridge section, from the Complete Quick Start section, copy the activation key.

    (Screen capture of the Complete Quick Start section. The Activation Key field is highlighted with a red box. Text below it: "To connect to your PingOne account, copy this unique activation key into when prompted. This is a single-use activation key. A new key will be generated for each PingOne session.")

  10. In the PingFederate administrative console, click Yes, Connect to PingOne for Enterprise.

  11. In the Activation Key field, paste the activation key you copied from the PingOne for Enterprise admin portal. Click Next.

    Result:

    The PingFederate administrative console displays the Identities section.

  12. Proceed to Configure PingID for VPN with PingFederate Bridge.

Enabling PingID for VPN through PingFederate Bridge

About this task

You can enable PingID for VPN through the PingOne for Enterprise admin portal or PingFederate Bridge.

Steps

  1. Install PingFederate from the Ping Identity Downloads Page.

  2. Start the PingFederate server by running this script: <YOUR PINGFEDERATE DIRECTORY>/pingfederate/bin/run.sh.

  3. Open the PingFederate administrative console.

    1. Open a browser and enter https://Your Server Domain:9999/pingfederate/app.

      Your Server Domain is your fully qualified domain name (FQDN).

    2. To proceed, review the license agreement. Click Accept.

  4. Click Yes, Connect to PingOne for Enterprise.

  5. Click Sign on to PingOne for Enterprise and enter your credentials to sign on.

    Result:

    The admin portal displays the activation key.

  6. Copy the activation key from the PingOne for Enterprise admin portal to your clipboard.

  7. In the PingFederate administrative console, in the Activation Key field, paste the key value.

  8. Click Next.

    Result:

    The PingFederate administrative console displays the Identities section.

  9. Configure PingID for VPN with PingFederate Bridge.

Configuring PingID for VPN with PingFederate Bridge

Steps

  1. From the PingFederate administrative console Identities section, select Yes, Connect a Directory Server.

  2. In the following fields, enter the values appropriate for your directory server.

    Field                 Description

    Directory Type        Select the type of directory server from the list.

    Data Store Name       Enter the name of the datastore.

    Hostname              Enter the fully qualified domain name (FQDN) for your directory server.

    Service Account DN    Enter the distinguished name (DN) of the service account that PingFederate can use to communicate with the directory server.

    Password              Enter the password associated with the service account.

    Search Base           Enter the DN of the location in the directory where PingFederate begins its datastore queries.

    Search Filter         Specify how the username provided by a user at login is mapped to an attribute in your directory.
                          The default value is either sAMAccountName=${username} or uid=${username}, depending on the selected directory type.
                          If you require a more advanced search filter, enter the value in the following format: <Your attribute Name>=${username}. For more information, consult your directory administrators.

  3. Click Next.

    If your directory server is SSL-enabled and presents an untrusted certificate, PingFederate prompts you to upload the server’s certificate. Click Choose Certificate, select the appropriate certificate, and click Next.

  4. In the Use Cases section, select the PingID VPN (RADIUS) check box. Click Begin.

  5. In the Basic Settings section, configure the basic settings:

    1. In the Client IP field, enter the IP address of the VPN server.

    2. In the Client Shared Secret field, enter the secret shared between the VPN server and PingFederate Bridge.

    3. Verify that the Validate with LDAP check box is selected.

    4. In the PingID Username Attribute field, enter the value you entered in the Search Filter field in step 2.

      The integrated RADIUS server listens on port 1812 by default.

  6. Click Next.

  7. In the Provisioning section, leave the Configure Provisioning check box cleared. Click Next.

  8. In the Summary section, review your configuration. Click Done.

  9. Click Next.

  10. In the Basic Information section, in the Base URL field, enter https://Your Server Domain:9031.

    Your Server Domain is your fully qualified domain name (FQDN).

  11. Click Next.

  12. To apply the configuration to PingFederate Bridge, click Next.

  13. Click Done.
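The Search Filter in step 2 takes the login name a user types into the VPN client and places it into a directory query. As an added illustration, not Ping Identity's code, the following shows how a template of the form <Your attribute Name>=${username} expands, with the user-supplied value escaped per RFC 4515 so that characters such as * or ) are matched literally rather than parsed as filter syntax. validate_template and expand_search_filter are hypothetical helpers, and the sample login names are constructed.

```python
import re

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# The shape the page asks for: <Your attribute Name>=${username}, e.g. sAMAccountName=${username}.
# Simplification: attribute names here are letters, digits and hyphens only (no OID or ;option forms).
_TEMPLATE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=\$\{username\}$")


def escape_ldap_value(value: str) -> str:
    """Escape a user-supplied value so the directory matches it literally."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def validate_template(template: str) -> bool:
    """True if the template is a single attribute=${username} assertion (hypothetical helper)."""
    return _TEMPLATE_RE.match(template) is not None


def expand_search_filter(template: str, username: str) -> str:
    """Substitute the login name into the template with the value escaped (hypothetical helper;
    it illustrates the mapping, not PingFederate's internal substitution)."""
    if not validate_template(template):
        raise ValueError(f"unsupported search filter template: {template!r}")
    return template.replace("${username}", escape_ldap_value(username))


if __name__ == "__main__":
    for user in ("jdoe", "j.doe", "jdoe*", "a)(b"):   # constructed sample login names
        print(expand_search_filter("sAMAccountName=${username}", user))
```

Whether and how the product escapes the value itself is a question for its own documentation; the point of the example is that ${username} is input from an unauthenticated client that ends up inside a query, so an advanced filter should only ever let it stand as a literal assertion value.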

Result

PingID for VPN is enabled in PingFederate Bridge and ready for use.

For more information on configuring your VPN client/server settings, see Integrate PingID with your VPN/Remote access system.
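Before pointing the production VPN server at the bridge, a small RADIUS client lets you confirm the Client IP and Client Shared Secret pairing and the port 1812 listener independently of the VPN appliance. The following is an added example, not Ping Identity's code: it implements the RFC 2865 Access-Request encoding, the User-Password obfuscation and the Response Authenticator check that the VPN server (the RADIUS client) and the bridge perform. toy_server_handle is a stand-in for the bridge's listener so the exchange can be run offline; query_bridge sends a real request over UDP. The host, usernames, password, credential store and the secret values are constructed, and no PingID-specific challenge handling is shown.

```python
import hashlib
import hmac
import os
import socket
import struct

RADIUS_PORT = 1812                                   # default port of the bridge's integrated RADIUS server
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a multiple of 16 (min 16), XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth                    # the first "previous block" is the Request Authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()    # MD5 is what the RFC mandates, not a design choice here
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def decode_user_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encode_user_password; strips the NUL padding (passwords ending in NUL are not supported)."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ k for c, k in zip(encoded[i:i + 16], key)), encoded[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value   # Type, Length (incl. header), Value

def parse_attributes(data: bytes) -> dict:
    attrs = {}
    while data:
        attr_type, length = data[0], data[1]
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type], data = data[2:length], data[length:]
    return attrs

def response_authenticator(code: int, identifier: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, identifier, 20 + len(attrs)) + request_auth + attrs + secret).digest()

def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         nas_ip: str, request_auth: bytes) -> bytes:
    """The packet the VPN server (RADIUS client) sends; request_auth must be 16 fresh random bytes."""
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs

def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> tuple:
    """Client-side check: a correct Response Authenticator proves the reply was built with the shared
    secret for this very request. Returns (authentic, code); code 11 would be an Access-Challenge."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False, None
    code, identifier = response[0], response[1]
    expected = response_authenticator(code, identifier, response[20:], request_auth, secret)
    return hmac.compare_digest(expected, response[4:20]), code

def toy_server_handle(request: bytes, secret: bytes, credentials: dict) -> bytes:
    """Offline stand-in for the bridge's listener: recovers the password with its own secret, answers Accept/Reject."""
    if len(request) < 20 or request[0] != ACCESS_REQUEST or struct.unpack("!H", request[2:4])[0] != len(request):
        raise ValueError("not a well-formed Access-Request")
    identifier, request_auth, attrs = request[1], request[4:20], parse_attributes(request[20:])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = decode_user_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected = credentials.get(user)
    code = ACCESS_ACCEPT if expected is not None and hmac.compare_digest(password, expected) else ACCESS_REJECT
    return struct.pack("!BBH", code, identifier, 20) + response_authenticator(code, identifier, b"", request_auth, secret)

def run_offline_exchange(username: str, password: str, client_secret: bytes, server_secret: bytes,
                         credentials: dict, nas_ip: str = "192.0.2.10") -> tuple:
    """Client and toy server in one process; a secret mismatch shows up as an unverifiable reply, not a clean Reject."""
    request_auth = os.urandom(16)
    request = build_access_request(1, username, password, client_secret, nas_ip, request_auth)
    return verify_response(toy_server_handle(request, server_secret, credentials), request_auth, client_secret)

def query_bridge(host: str, username: str, password: str, secret: bytes, nas_ip: str, timeout: float = 5.0) -> tuple:
    """Send one Access-Request over UDP to a real listener on host:RADIUS_PORT and verify the reply."""
    request_auth = os.urandom(16)
    request = build_access_request(os.urandom(1)[0], username, password, secret, nas_ip, request_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, RADIUS_PORT))
        response, _ = sock.recvfrom(4096)
    return verify_response(response, request_auth, secret)

if __name__ == "__main__":
    creds = {"jdoe": b"correct horse battery"}      # constructed sample credential store
    print(run_offline_exchange("jdoe", "correct horse battery", b"s3cr3t", b"s3cr3t", creds))   # (True, 2)
    print(run_offline_exchange("jdoe", "correct horse battery", b"s3cr3t", b"other", creds))    # (False, 3)
```

Two things worth noticing when you run it against the bridge: a Client Shared Secret mismatch does not produce a clean rejection but a reply whose authenticator fails to verify (and a server that cannot recover the password), and the request must originate from the address you entered in the Client IP field, because RADIUS servers identify the client by source address. The User-Password obfuscation and Response Authenticator are the only protection RFC 2865 gives the exchange, so keep the path between the VPN server and the bridge on a trusted network segment.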