Creating a new SP connection in PingFederate
About this task
There are three main contract attributes you need to define in the SP configuration:
- SAML_SUBJECT
- https://aws.amazon.com/SAML/Attributes/Role
- https://aws.amazon.com/SAML/Attributes/RoleSessionName
The AWS metadata URL (https://signin.aws.amazon.com/static/saml-metadata.xml) includes these attributes and simplifies creating the SP connection in PingFederate.
Steps
- Log in to the PingFederate Administration console.
- In the SP Connections section of the Identity Provider tab, click Create New.
- Select Browser SSO Profiles. Click Next.
- On the Connection Options tab, select the Browser SSO check box and click Next.
- On the Import Metadata tab, select URL, then Manage Partner Metadata URLs, then Add New URL.
- Add the AWS metadata URL (https://signin.aws.amazon.com/static/saml-metadata.xml), then click Next. Click Save.
- Select the AWS metadata URL from the Metadata URL list on the Import Metadata tab and then click Load Metadata. Click Next.
- On the General Info tab, name your connection in the Connection Name field. Click Next.
- On the Browser SSO tab, click Configure Browser SSO. Select the IdP-Initiated SSO and SP-Initiated SSO check boxes and click Next until you reach the Assertion Creation tab. Click Configure Assertion Creation.
- On the Attribute Contract tab, select urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified from the Subject Name Format list for SAML_SUBJECT. Click Next. The AWS metadata URL includes several extra attributes (such as urn:oid:1.3.6.1.4.1.5923.1.1.1.1). These attributes are not required and can be deleted on the Attribute Contract tab.
- On the Authentication Source Mapping tab, click Map New Adapter Instance.
- Select your adapter instance and click Next until you reach the Attribute Contract Fulfillment tab.
- On the Attribute Contract Fulfillment tab, select Text from the SAML_SUBJECT Source list and enter null in the SAML_SUBJECT Value field.
- Select Text from the https://aws.amazon.com/SAML/Attributes/Role Source list and, in the https://aws.amazon.com/SAML/Attributes/Role Value field, enter the value in the following format: arn:aws:iam::<your AWS account ID>:role/<the role you created in AWS>,arn:aws:iam::<your AWS account ID>:saml-provider/<the SAML provider you created in AWS>
- Select Adapter from the https://aws.amazon.com/SAML/Attributes/RoleSessionName Source list and select username from the Value list. Click Next and Done until you complete the IdP Adapter Mapping.
- Click Next. Click Done to complete the Assertion Creation configuration.
- On the Protocol Settings tab, click Configure Protocol Settings.
- On the Allowable SAML Bindings tab, clear the Artifact and SOAP check boxes, then click Next and Done until you complete the Protocol Settings configuration.
- Click Next, then Done to complete the Browser SSO configuration.
- On the Credentials tab, click Configure Credentials and then select a signing certificate from the Signing Certificate list. Click Done.
- Click Save on the Activation and Summary tab to complete the SP connection configuration.