
Connecting Okta as an IdP through SAML to PingFederate as an SP

This solution provides the steps to configure Okta as an identity provider (IdP) and PingFederate as a service provider (SP) using a SAML 2.0 connection for communications. This process doesn’t address single logout (SLO) or provisioning for either side of the single sign-on (SSO) transaction.

Component

PingFederate 9.1

Process overview

The process for Okta as the IdP using IdP-initiated SSO is:

  1. The user goes to Okta, assuming the user has an existing Okta session.

  2. The user clicks the application chiclet, which sends a SAML response to the configured SP.

  3. A session is established with the SP.

  4. The user is authenticated.

In SP-initiated SSO, the process is:

  1. The user goes to the target SP first. They don’t have a session established with the SP.

  2. The SP redirects the user to the configured sign-on URL, Okta’s generated app instance URL, sending the SAML request.

  3. Okta receives a SAML request, assuming the user has an existing Okta session.

  4. Okta sends a SAML response to the configured SP.

  5. The SP receives the SAML response and verifies that it is correct.

  6. A session is established on the SP side.

  7. The user is authenticated.

Configuring Okta as the IdP

Configure Okta as an identity provider (IdP) and PingFederate as a service provider (SP) using a SAML 2.0 connection.

Before you begin

You must have the following:

  • PingFederate installed and operating, with administrator access to the operating system

  • Okta with Workforce Identity Single sign-on, One-App, or Enterprise editions

This task also assumes that you have the following information from the SP:

  • Assertion consumer service (ACS) URL

  • Signing certificate (if required)

About this task

With Okta as the IdP, only a one-to-one IdP to SP entityID relationship is supported. If the SP has more than one application, a new IdP connection with a unique entityID from Okta is required. This behavior can be overridden by Okta.

Steps

  1. Sign on to Okta as an administrator.

  2. Go to Application → Add Application.

  3. On the Add Application page, click Add Application.

  4. On the Create a New Application Integration page, in the Platform list, select Web.

  5. Click SAML 2.0, and then click Create.

  6. On the General Settings tab, in the Create SAML Integration section, enter a name for the application in the App name field. Click Next.

    You can also add a logo and set the app visibility.

  7. On the Configure SAML tab, in the Single Sign on URL field, enter the PingFederate ACS URL.

  8. In the Audience URI field, enter the PingFederate SAML entity ID or connection virtual server ID (VSID).

  9. Optional: In the Attribute Statements (Optional) and Group Attribute Statements (Optional) sections, add attributes from the Okta user store to fulfill the attribute contract with the SP.

  10. Click Next.

  11. Optional: Complete the sections on the Feedback tab.

    The sections on this tab help the Ping Identity support team.

  12. Click Finish.

  13. To obtain the file needed to configure the PingFederate SP, in the Summary window, click the Identity Provider metadata link.

  14. Optional: If you’re creating your own portal, click the General tab, and then copy the App Embed Link.

Result

Okta configuration as the IdP is complete.

Configuring PingFederate as the SP

Configure PingFederate as a service provider (SP) with Okta as an identity provider (IdP) using a SAML 2.0 connection.

Before you begin

You must have the following:

  • PingFederate installed and operating, with administrator access to the operating system

  • Okta Enterprise or Enterprise Plus active with administrative access

This task also assumes that you have the following information:

  • A metadata XML file from the Okta IdP that is accessible to the PingFederate console application

  • An adapter configured for the target SP application

Steps

  1. In the PingFederate administrative console, go to Authentication → Integration → IdP Connections, and then click Create Connection.

  2. On the Connection Type tab, select Browser SSO Profiles, and in the Protocol list, select SAML 2.0. Click Next.

  3. On the Connection Options tab, click Next.

  4. On the Import Metadata tab, click File, and then click Choose file.

  5. Go to the Okta IdP metadata file, and then click Open.

  6. Click Next.

  7. On the Metadata Summary tab, click Next.

  8. On the General Info tab, review the Partner’s Entity ID and Connection Name.

    The General Info tab is filled out by the metadata.

  9. If you are using a virtual server ID (VSID) for this connection instead of the system's SAML 2.0 entityID, enter it in the Virtual Server IDs field. Click Next.

  10. On the Browser SSO tab, click Configure Browser SSO.

  11. On the SAML Profiles tab, select the agreed upon profiles, at a minimum IdP-Initiated SSO. Click Next.

    Optionally, you can select SP-initiated single sign-on (SSO) and single logout (SLO) if they are configured for this connection.

  12. On the User-Session Creation tab, click Configure User-Session Creation.

  13. On the Identity Mapping tab, click Account Mapping and then click Next.

  14. On the Attribute Contract tab, add any required attributes for the contract. Click Next.

  15. On the Target Session Mapping tab, click Map New Adapter Instance.

  16. On the Adapter Instance tab, select the previously configured adapter from the Adapter Instance list. Review the adapter contract, and then click Next.

    Optionally, you can click Manage Adapter Instances to create a new adapter that will map the inbound attributes from Okta into the PingFederate connection.

  17. On the Adapter Data Store tab, keep the default selection of Use only the Attributes Available in the SSO Assertion, and then click Next.

  18. On the Adapter Contract Fulfillment tab, map the attributes from the inbound assertion to the connection attributes. Click Next.

  19. On the Issuance Criteria tab, click Next.

  20. To complete the adapter configuration, on the Adapter Mapping Summary tab, click Done, and then click Next on the Target Session Mapping tab.

    Result:

    You return to the User-Session Creation tabs.

  21. Review the User-Session Creation Summary tab, and then click Done.

  22. On the User Session Creation tab, click Next.

  23. On the Protocol Settings tab, click Configure Protocol Settings.

    The Protocol Settings tab shows the currently configured values from the metadata.

  24. On the SSO Service URLs tab, review the Endpoint URLs extracted from the metadata. Click Next.

  25. On the Allowable SAML Bindings tab, ensure that only POST and Redirect are selected, and then click Next.

  26. Optional: On the Overrides tab, optionally specify a different Target URL and Authorization context. Click Next.

  27. On the Signature Policy tab, use the default selection of SAML Standard where the IdP will sign the response. Click Next.

    This is the Okta default.

  28. On the Encryption Policy tab, keep the default selection of None. Click Next.

  29. On the Protocol Settings Summary tab, review and click Done.

  30. On the Protocol Settings tab, click Next.

  31. On the Browser SSO Summary tab, review the settings and click Done.

  32. On the Browser SSO tab, click Next.

  33. On the Credentials tab, verify the IdP signing certificate is available, and then click Next.

    Because you imported metadata, the signing public key from the Okta partner was included.

  34. On the Activation and Summary tab, ensure that the connection is active.

  35. Click Save.

Result

PingFederate SP configuration is complete.

Troubleshooting

You might encounter the following common issues after completing configuration.

SSO attempt looping

A single sign-on (SSO) attempt loops if the following items in the Okta configuration aren’t set to the PingFederate assertion consumer service (ACS) endpoint:

  • Recipient

  • Destination

  • Postback URL

PingFederate error in server.log

The following error implies that the entityID used for the Okta connection is incorrect.

Top level error (ref#ftpcge): Unable to lookup idp connection metadata for
entityid='http://www.okta.com/<string>

Check your metadata or check with the Okta account owner to verify the entityID.
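The two troubleshooting cases above (ACS endpoint mismatches and a wrong entityID) can be caught before a browser test by inspecting a decoded SAML response against the values configured in the connection. The following added example, which is not part of the Ping Identity page or product, checks Issuer, Destination, Recipient, Audience and the presence of a response signature; the host name, Okta issuer string and SP entity ID in the sample response are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample with the shape of an Okta response; the signature value is a stub.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id1" Version="2.0"
  Destination="https://pf.example.com:9031/sp/ACS.saml2">
  <saml:Issuer>http://www.okta.com/exkPLACEHOLDER</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignatureValue>stub</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="id2" Version="2.0">
    <saml:Issuer>http://www.okta.com/exkPLACEHOLDER</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://pf.example.com:9031/sp/ACS.saml2"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>pf-sp-entity</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, partner_entity_id, acs_url, sp_audience):
    """Return the list of mismatches between the response and the connection settings."""
    root = ET.fromstring(xml_text)
    problems = []
    # A wrong Issuer is what produces "Unable to lookup idp connection metadata" in server.log.
    if root.findtext("saml:Issuer", namespaces=NS) != partner_entity_id:
        problems.append("Issuer does not match the partner entityID")
    # Destination and Recipient must both be the PingFederate ACS endpoint, or SSO loops.
    if root.get("Destination") != acs_url:
        problems.append("Destination is not the PingFederate ACS endpoint")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient is not the PingFederate ACS endpoint")
    # Audience must equal the SP entityID or the virtual server ID entered in Okta.
    if sp_audience not in [a.text for a in root.findall(".//saml:Audience", NS)]:
        problems.append("Audience does not match the SP entityID or virtual server ID")
    # The default Signature Policy expects the IdP to sign the response.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    return problems
```

Decode the base64 SAMLResponse form field captured from a browser trace before passing it in; the check does not verify the signature itself, only that one is present.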