Use Cases

Federating PingOne and PingFederate

Link PingOne to PingFederate to log in to PingOne using an account in your PingFederate server.

Components

  • PingOne

  • PingFederate 9.3

Before you begin

Workflow

Flow diagram (not reproduced here) that links to seven tasks: Configure PingFederate, Create a certificate and convert it to .p7b, Configure a new IdP in PingOne and download the IdP metadata, Create a new SP connection in PingFederate, Export the SP connection metadata and update the SSO endpoint, Add the new connection to an authentication policy in PingOne, and Test the connection.

Configuring PingFederate

About this task

If you have already completed the initial PingFederate setup, start at Creating a certificate in PingFederate and converting it to .p7b format.

Steps

  1. In PingFederate, go to the PingOne Account tab and click No, Set Up Without PingOne for Enterprise.

  2. On the License tab, click Choose File and select your PingFederate license. Click Next.

  3. On the Basic Information tab, enter a name in the Entity ID field. Click Next.

  4. On the Enable Roles tab, select Identity Provider. Click Next.

  5. On the Identity Provider Configuration tab, click Begin.

    Result:

    The Directory Configuration page appears.

  6. On the Connection tab, enter the values for your directory using the following table as a guide, and then click Next and Done until you complete the directory configuration.

    Parameter            Example Value
    Directory Type       Active Directory
    Data Store Name      ExampleDirectory
    Hostname             10.102.2.143
    Service Account DN   CN=Administrator, CN=Users, DC=directoryTest, DC=testDC
    Password             <Your directory server password>
    Search Base          CN=Users, DC=directoryTest, DC=testDC
    Search Filter        sAMAccountName=${username}

  7. On the Administrator Account tab, enter the credentials for your primary administrator account.

  8. Click Next and Done to complete the PingFederate configuration.

Creating a certificate in PingFederate and converting it to .p7b format

Steps

  1. In PingFederate, go to Security → Signing & Decryption Keys & Certificates and click Create New.

  2. Enter the values for the required fields then click Next and Done.

  3. Locate your certificate and select Export from the Select Action menu.

  4. Go to Certificate Only → Next → Export.

    Note the location of your downloaded certificate on your file system.

  5. Open your terminal application and change the directory to the location containing your exported certificate.

  6. To convert your certificate to .p7b format, run:

    openssl crl2pkcs7 -nocrl -certfile <your original certificate filename>.crt -out <your desired new filename>.p7b -outform DER

  7. Note the location of your new .p7b certificate.

Configuring a new IdP in PingOne and downloading the IdP metadata

Steps

  1. In PingOne, go to Connections → Identity Providers, click Provider, and then click SAML.

  2. On the Create IDP Profile page, complete the Name and Description fields. Click Continue.

  3. On the Configure PingOne Connection page, enter a name in the Entity ID field and click Continue.

  4. On the Configure IDP Connection page, select Manually Enter.

  5. Enter a placeholder URL in the SSO Endpoint field.

  6. In the IDP Entity ID field, enter the entity ID that you used in Configuring PingFederate.

  7. In the Verification Certificate section, click Import and select the certificate you exported in Creating a certificate in PingFederate and converting it to .p7b format.

  8. Click Continue and then click Save & Finish.

    The SSO endpoint will be updated after configuring the SP connection in PingFederate.

  9. On the Identity Providers page, expand your new IdP and click the Pencil icon.

  10. Click the IDP Configuration tab and then click Download Metadata.

Configuring a new SP connection in PingFederate

Steps

  1. In PingFederate, go to SP Connections and click Create Connection.

  2. On the Connection Template tab, select Do Not Use a Template for This Connection. Click Next until you reach the Import Metadata tab and accept the default values.

  3. On the Import Metadata tab, click File and then click Choose File. Select the metadata file you saved in Configuring a new IdP in PingOne and downloading the IdP metadata and click Open.

  4. Click Next until you reach the Browser SSO tab.

  5. Click Configure Browser SSO. On the SAML Profiles tab, select IDP-Initiated SSO and SP-Initiated SSO. Click Next.

  6. On the Assertion Creation tab, click Configure Assertion Creation. Click Next until you reach the Authentication Source Mapping tab.

  7. On the Authentication Source Mapping tab, click Map New Adapter Instance. Select HTML Form Adapter from the Adapter Instance list and click Next until you reach the Attribute Contract Fulfillment tab.

  8. On the Attribute Contract Fulfillment tab, select Adapter from the SAML_SUBJECT Source list.

  9. From the SAML_SUBJECT Value list, select username. Click Next and Done until you complete the assertion creation.

  10. On the Protocol Settings tab, click Configure Protocol Settings.

    Result:

    On the Assertion Consumer Service URL tab, you will see a default endpoint URL generated from the metadata in step 4.

    If you don’t see the default endpoint URL, restart the SP configuration.

  11. Click Next.

  12. On the Allowable SAML Bindings tab, clear the Artifact and Soap check boxes. Click Next and Done until you complete the Browser SSO configuration.

  13. On the Credentials tab, click Configure Credentials.

  14. From the Signing Certificate list, select your certificate from Creating a certificate in PingFederate and converting it to .p7b format then click Next, Done, and Save to complete the SP connection configuration.

Exporting the SP connection metadata in PingFederate and updating the SSO endpoint in PingOne

Steps

  1. In PingFederate, go to SP Connections and click Manage All.

  2. For your new connection, from the Select Action list, select Export Metadata.

  3. From the Signing Certificate list, select your signing certificate from Creating a certificate in PingFederate and converting it to .p7b format and then click Next.

  4. On the Export & Summary tab, click Export.

  5. Open the metadata file with a text editor and copy the URL from the Location line.

    Example: Location="https://localhost:9031/idp/SSO.saml2"

  6. In the PingOne administration console, go to Connections → Identity Providers.

  7. Expand your PingFederate connection and click the Pencil icon.

  8. On the IDP Configuration tab, paste the URL from step 5 into the SSO Endpoint field.

  9. Return to the Identity Provider tab and click the toggle to enable your connection.
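The two values carried from the exported metadata into PingOne, the SSO endpoint from the Location line (step 5) and the signing certificate selected in step 3, can be checked programmatically instead of copied by eye. The following Python is an added example, not code from Ping Identity's documentation or products: it parses a constructed metadata document shaped like a PingFederate IdP export, returns the SSO endpoint only for the HTTP-POST and HTTP-Redirect bindings left enabled on the Allowable SAML Bindings tab, rejects metadata whose entityID is not the one you configured, and confirms the signing KeyDescriptor carries the certificate you exported. The entityID and certificate bytes are constructed placeholders.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Bindings left enabled on the Allowable SAML Bindings tab (Artifact and SOAP were cleared).
ALLOWED_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
}

# Constructed sample: not a real certificate, just bytes wrapped as base64/PEM for the demo.
CERT_DER = b"constructed-not-a-real-certificate"
CERT_B64 = base64.b64encode(CERT_DER).decode()
EXPORTED_PEM = f"-----BEGIN CERTIFICATE-----\n{CERT_B64}\n-----END CERTIFICATE-----\n"

# Constructed metadata shaped like a PingFederate IdP metadata export (entityID is assumed).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="pingfederate-example">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:9031/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:9031/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def sso_endpoints(metadata_xml, expected_entity_id):
    """Return {binding: Location} for SingleSignOnService entries using an allowed binding."""
    root = ET.fromstring(metadata_xml)
    if root.get("entityID") != expected_entity_id:  # metadata must belong to our own PingFederate
        raise ValueError(f"unexpected entityID {root.get('entityID')!r}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    return {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
            if s.get("Binding") in ALLOWED_BINDINGS}

def signing_cert_matches(metadata_xml, exported_pem):
    """True if a signing KeyDescriptor carries the certificate exported from PingFederate."""
    want = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", exported_pem))
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:KeyDescriptor", NS):
        cert = kd.find(".//ds:X509Certificate", NS)
        if kd.get("use", "signing") == "signing" and cert is not None:
            if base64.b64decode("".join(cert.text.split())) == want:
                return True
    return False
```

Run it against the real export by reading the file into `sso_endpoints` with your own entity ID and passing the .crt you exported to `signing_cert_matches`; the returned Location is the value for the SSO Endpoint field.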

Adding the new connection to an authentication policy in PingOne

Steps

  1. In PingOne, go to Settings → Authentication → Policies.

  2. Enter a name in the Policy Name field.

  3. From the Login list, select Login.

  4. Select the Enable registration check box and select a population from the Population list.

  5. Click Add Provider and select your newly created identity provider. Click Save.

    You can also add the new provider to your existing authentication policies.

Testing the connection

Steps

  1. In PingOne, go to Settings → Environment → Properties and copy the Self-Service URL value.

  2. Sign out of PingOne and enter the self-service URL.

  3. Click the button to sign on with your new identity provider profile.

  4. Enter the credentials of an account in your PingFederate directory and follow the prompts to create a new PingOne user.