Configuring SSO and SCIM for Uber for Business
To set up single sign-on (SSO) for administrators and coordinators in your organization, create an SP connection in PingFederate and then work with your sales manager or business API support agent to enable SSO.
Then, configure PingFederate for System for Cross-domain Identity Management (SCIM) with the service provider (SP) connection that you created.
Before you begin
Ensure that PingFederate is correctly installed and configured. For more information, see the following:
-
Specifying federation information
Ensure that the SAML 2.0 entity ID is specified. This ID is usually defined as an organization’s URL or a DNS address. For example, pingidentity.com.
Configuring SSO
About this task
Start by creating an SP connection in PingFederate.
Steps
-
Go to Applications → SP Connections and click Create Connection.
-
Ensure that Do not use a template for this connection is selected. Click Next.
-
On the Connection Template tab, select Browser SSO Profiles and the SAML 2.0 protocol. Click Next.
-
On the Connection Options tab, ensure that Browser SSO is selected. Click Next.
-
On the Import Metadata tab, ensure that None is selected. Click Next.
-
On the General Info tab, in the Partner’s Entity ID and Connection Name fields, enter
uber.com
. Click Next. -
On the Browser SSO tab, click Configure Browser SSO.
-
On the SAML Profiles tab, select both IdP-Initiated SSO and SP-Initiated SSO. Click Next.
-
On the Assertion Lifetime tab, specify the number of minutes for which the assertion will be valid before and after it’s issued. Click Next.
-
On the Assertion Creation tab, click Configure Assertion Creation.
-
On the Identity Mapping tab, ensure that Standard is selected. Click Next.
-
On the Attribute Contract tab, set SAML_SUBJECT to
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
. Click Next.
-
-
On the Authentication Source Mapping tab, select Map New Adapter Instance.
-
On the Adapter Instance tab, click Manage Adapter Instances and then click Create New Instance.
-
On the Type tab, enter a unique name and ID (with no spaces) for the adapter, select HTML Form IdP Adapter from the Type field. Click Next.
-
On the IdP Adapter tab, click Add a new row to Credential Validator, select the type of validator that you use for your datastore from the list, and click Update. Click Next at the bottom of the page.
-
Click Next on the Extended Contract tab.
-
On the Adapter Attributes tab, in the Pseudonym column, select username. Click Next.
-
On the Adapter Contract Mapping tab. Click Next and then click Save at the bottom of the page.
The identity provider (IdP) adapter that you just created displays in the list of available adapters.
-
Click Done.
-
-
On the Adapter Instance tab, select the instance that you just created. Click Next.
-
Ensure that the Use Only the Adapter Contract Values in the SAML Assertion option is selected. Click Next.
-
On the Attribute Contract Fulfillment tab, in the Sourcelist, select Adapter, and in the Value list, select username. Click Next.
-
On theIssuance Criteria tab, clickNext.
-
On the Summary tab, click Done.
-
-
On the Authentication Source Mapping tab, click Next.
-
On the Summary tab, click Done.
-
On the Assertion Creation tab, click Next.
-
On the Protocol Settings tab, click Configure Protocol Settings.
-
In the Binding list, select Post.
-
In the Endpoint URL field, enter
https://auth.uber.com/v2/saml/acs/
. -
Click Add. Click Next.
-
On the Allowable SAML Bindings tab, deselect Artifact and SOAP. Click Next.
-
On the Signature Policy tab and the Encryption Policy tab, click Next.
-
On the Summary tab, click Done.
-
You return to the Browser SSO tab.
-
-
Click Next.
-
On the Credentials tab, click Configure Credentials and select your signing certificate in the Signing Certificate list. Click Next and then click Done.
-
On the Credentials tab, click Next.
-
On the Activation and Summary tab, click Save.
Result:
The SP connection you just created displays in the list of available SP connections.
Configuring SCIM
About this task
Next, configure PingFederate for SCIM using the SP connection that you created:
Steps
-
Download the SCIM Provisioner files and deploy them to your PingFederate directory.
See Deploying the integration files for instructions.
-
In PingFederate, go to the SP Connections page.
-
Select the SP connection that you created for SSO and click the Connection Type tab.
-
Select the Outbound Provisioning option, then in the Typelist, select SCIM Connector. Click Next.
-
Click Next until you reach the Outbound Provisioning tab. Click Configure Provisioning.
-
Create a SCIM app, obtain the SCIM Base URL, and enter it in the SCIM URL field.
See the Custom SCIM app instructions in the Uber Developers Guide for details.
-
In the Authentication Method field, select OAuth 2.0 Bearer Token.
-
In the Access Token field, enter the access token.
Generate this token from your app on developer.uber.com.
-
Click Next.
-
On the Manage Channels tab, create a new channel:
-
In the Channel Namefield, enter a unique name for the channel.
-
In the Source list, select your datastore.
-
In the Source Location field, enter the base DN (CN=Users, DC=domain, DC=com).
-
In the Filter field, enter the filters that you want to use to provision users or groups. For example, you can enter
objectClass=user
to provision all users andobjectClass=groups
to provision all user groups. -
On the Activation and Summary tab, switch the channel to Active.
-
-
Enable SCIM for your organization account on the Uber platform.
See Onboarding to SCIM Provisioning in the Uber Developers Guide for details.