--- title: Federating PingOne and PingFederate description: Link PingOne to PingFederate to log in to PingOne using an account in your PingFederate server. component: solution-guides page_id: solution-guides:single_sign-on_use_cases:htg_federate_p14e_pf canonical_url: https://docs.pingidentity.com/solution-guides/single_sign-on_use_cases/htg_federate_p14e_pf.html revdate: December 29, 2022 page_aliases: ["single_sign-on_use_cases:htg_federate_p14e_pf_config_pf.adoc", "single_sign-on_use_cases:htg_federate_p14e_pf_create_cert_p7b.adoc", "single_sign-on_use_cases:htg_federate_p14e_pf_create_idp_p1_metadata.adoc", "single_sign-on_use_cases:htg_federate_p14e_pf_config_sp_pf.adoc", "single_sign-on_use_cases:htg_federate_p14e_pf_export_sp_metadata_endpoint.adoc", "single_sign-on_use_cases:htg_federate_p14e_pf_connect_authn_policy.adoc", "single_sign-on_use_cases:htg_federate_p14e_pf_testing.adoc"] section_ids: components: Components before-you-begin: Before you begin workflow: Workflow configure-pf-p14e-pf-config-pf: Configuring PingFederate about-this-task: About this task steps: Steps result: Result: create-cert-pf-convert-p7b-format: Creating a certificate in PingFederate steps-2: Steps configure-new-idp-p1-download-idp-metadata: Configuring a new IdP in PingOne and downloading the IdP metadata steps-3: Steps configuring-a-new-sp-connection-in-pingfederate: Configuring a new SP connection in PingFederate steps-4: Steps result-2: Result: testing-the-connection: Testing the connection steps-5: Steps adding-the-new-connection-to-an-authentication-policy-in-pingone: Adding the new connection to an authentication policy in PingOne steps-6: Steps testing-the-connection-2: Testing the connection steps-7: Steps --- # Federating PingOne and PingFederate Link PingOne to PingFederate to log in to PingOne using an account in your PingFederate server. ## Components * PingOne * PingFederate 9.3 ## Before you begin * Verify that PingFederate is installed and running. For documentation on configuring PingFederate, see [PingFederate 9.3 Administrator's Manual](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-93.pdf#page=99). * Verify that PingOne is installed and running. For documentation on configuring PingOne, see [PingOne for Customers Administration Guide](https://docs.pingidentity.com/pingone/getting_started_with_pingone/p1_getting_started.html). * Verify that OpenSSL is installed on your system. To download OpenSSL, see [OpenSSL Downloads](https://www.openssl.org/source/). ## Workflow Click a box in the following flow diagram to go directly to the instructions for that step.Flow diagram that contains links to seven tasks: Configure , Create a certificate and convert it to .p7b, Configure a new IdP in PingOne and download the IdP metadata, Create a new SP connection in , Export the SP connection metadata and update the SSO endpoint, Add the new connection to an authentication policy in PingOne, and Test the connection. ## Configuring PingFederate ### About this task | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------- | | | If you have already completed the initial PingFederate setup, start at [Creating a certificate in PingFederate](#create-cert-pf-convert-p7b-format). | ### Steps 1. In PingFederate, go to the **PingOne Account** tab and click **No, Set Up Without PingOne for Enterprise** 2. On the **License** tab, click **Choose File** and select your PingFederate license. Click **Next**. 3. On the **Basic Information** tab, enter a name in the **Entity ID** field. Click **Next**. 4. On the **Enable Roles** tab, select `Identity Provider`. Click **Next**. 5. On the **Identity Provider Configuration** tab, click **Begin**. #### Result: The **Directory Configuration** page appears. 6. On the **Connection** tab, enter the values for your directory using the following table as a guide, and then click **Next** and **Done** until you complete the directory configuration. | Parameter | Example Value | | ---------------------- | --------------------------------------------------------- | | **Directory Type** | `Active Directory` | | **Data Store Name** | `ExampleDirectory` | | **Hostname** | `10.102.2.143` | | **Service Account DN** | `CN=Administrator, CN=Users, DC=directoryTest, DC=testDC` | | **Password** | `` | | **Search Base** | `CN=Users, DC=directoryTest, DC=testDC` | | **Search Filter** | `sAMAccountName=${username}` | 7. On the **Administrator Account** tab, enter the credentials for your primary administrator account. 8. Click **Next** and **Done** to complete the PingFederate configuration. ## Creating a certificate in PingFederate ### Steps 1. In PingFederate, go to **Security → Signing & Decryption Keys & Certificates** and click **Create New**. 2. Enter the values for the required fields then click **Next** and **Done**. 3. Locate your certificate and select **Export** from the **Select Action** menu. 4. Go to **Certificate Only → Next → Export**. Note the location of your downloaded certificate on your file system. ## Configuring a new IdP in PingOne and downloading the IdP metadata ### Steps 1. In PingOne, go to **Connections → Identity Providers**, click **[icon: plus, set=fa]Provider**, and then click **SAML**. 2. On the **Create IDP Profile** page, complete the **Name** and **Description** fields. Click **Continue**. 3. On the **Configure PingOne Connection** page, enter a name in the **Entity ID** field and click **Continue**. 4. On the **Configure IDP Connection** page, select **Manually Enter**. 5. Enter a placeholder URL in the **SSO Endpoint** field. 6. In the **IDP Entity ID** field, enter the entity ID that you used in [Configuring PingFederate](#configure-pf-p14e-pf-config-pf). 7. In the **Verification Certificate** section, click **Import** and select the certificate you exported in [Creating a certificate in PingFederate](#create-cert-pf-convert-p7b-format). 8. Click **Continue** and then click **Save & Finish**. | | | | - | ------------------------------------------------------------------------------------- | | | The SSO endpoint will be updated after configuring the SP connection in PingFederate. | 9. On the **Identity Providers** page, expand your new IdP and click the **Pencil** ([icon: pencil, set=fa]) icon. 10. Click the **IDP Configuration** tab and then click **Download Metadata**. ## Configuring a new SP connection in PingFederate ### Steps 1. In PingFederate, go to **SP Connections** and click **Create Connection**. 2. On the **Connection Template** tab, select **Do Not Use a Template for This Connection**. Click **Next** until you reach the **Import Metadata** tab and accept the default values. 3. On the **Import Metadata** tab, click `File` and then click **Choose File**. Select the metadata file you saved in [Configuring a new IdP in PingOne and downloading the IdP metadata](#configure-new-idp-p1-download-idp-metadata) and click **Open**. 4. Click **Next** until you reach the **Browser SSO** tab. 5. Click **Configure Browser SSO**. On the **SAML Profiles** tab, select `IDP-Initiated SSO` and `SP-Initiated SSO`. Click **Next**. 6. On the **Assertion Creation** tab, click **Configure Assertion Creation**. Click **Next** until you reach the **Authentication Source Mapping** tab. 7. On the **Authentication Source Mapping** tab, click **Map New Adapter Instance**. Select `HTML Form Adapter` from the **Adapter Instance** list and click **Next** until you reach the **Attribute Contract Fulfillment** tab. 8. On the **Attribute Contract Fulfillment** tab, select **Adapter** from the **SAML\_SUBJECT Source** list. 9. From the **SAML\_SUBJECT Value**list, select **username**. Click **Next** and **Done** until you complete the assertion creation. 10. On the **Protocol Settings** tab, click **Configure Protocol Settings**. #### Result: On the **Assertion Consumer Service URL** tab, you will see a default endpoint URL generated from the metadata in step 4. If you don't see the default endpoint URL, restart the SP configuration. 11. Click **Next**. 12. On the **Allowable SAML Bindings** tab, clear the **Artifact** and **Soap** checkboxes. Click **Next** and **Done** until you complete the Browser SSO configuration. 13. On the **Credentials** tab, click **Configure Credentials**. 14. From the **Signing Certificate** list, select your certificate from [Creating a certificate in PingFederate](#create-cert-pf-convert-p7b-format) then click **Next**, **Done**, and **Save** to complete the SP connection configuration. ## Testing the connection ### Steps 1. In PingOne, go to **Settings → Environment → Properties** and copy the **Self-Service URL** value. 2. Sign out of PingOne and enter the self-service URL. 3. Click the button to sign on with your new identity provider profile. 4. Enter the credentials of an account in your PingFederate directory and follow the prompts to create a new PingOne user. ## Adding the new connection to an authentication policy in PingOne ### Steps 1. In PingOne, go to **Settings → Authentication → Policies**. 2. Enter a name in the **Policy Name** field. 3. From the **Login** list, select **Login**. 4. Select the **Enable registration** checkbox and select a population from the **Population** list. 5. Click **[icon: plus, set=fa]Add Provider** and select your newly created identity provider. Click **Save**. | | | | - | --------------------------------------------------------------------------- | | | You can also add the new provider to your existing authentication policies. | ## Testing the connection ### Steps 1. In PingOne, go to **Settings → Environment → Properties** and copy the **Self-Service URL** value. 2. Sign out of PingOne and enter the self-service URL. 3. Click the button to sign on with your new identity provider profile. 4. Enter the credentials of an account in your PingFederate directory and follow the prompts to create a new PingOne user.