Use Cases

Configuring a SAML application in PingFederate

Configure a SAML application in PingFederate.

Before you begin

Component

  • PingFederate 10.1

Make sure you have the following:

  • A datastore connection

  • A configured password credential validator (PCV)

  • A configured identity provider (IdP) adapter.

  • An IdP digital signing certificate

Steps

  1. In the PingFederate administrative console, go to Applications > Integration > SP Connections.

  2. Click Create Connection.

  3. On the Connection Template tab, click Do not use a template for this connection. Click Next.

  4. On the Connection Type tab, select the Browser SSO Profiles checkbox.

  5. In the Protocol list, select SAML 2.0. Click Next.

  6. On the Connection Options tab, leave the Browser SSO checkbox selected, and then click Next.

  7. On the Import Metadata tab, import service provider (SP) metadata, pull from a URL, or enter the data manually. Click Next.

    In this example, we assume that SP metadata is provided.

  8. On the General Info tab, provide a Connection Name if needed and review the information. Click Next.

    Entity ID and Base URL should be provided by the SP.

  9. On the Browser SSO tab, click Configure Browser SSO.

  10. On the SAML Profiles tab, select the IdP-Intitiated SSO and SP-Initiated SSO checkboxes. Click Next.

  11. On the Assertion Lifetime tab, leave the default entries, and then click Next.

  12. On the Assertion Creation tab, click Configure Assertion Creation.

  13. On the Identity Mapping tab, click Standard. Click Next.

  14. On the Attribute Contract tab, ensure that whatever attributes you need for the SP are defined here. Click Next.

  15. On the Authentication Source Mapping tab, click Map New Adapter Instance.

  16. On the Adapter Instance tab, from the Adapter Instance list, select your previously configured HTML form adapter. Click Next.

  17. On the Mapping Method tab, leave the default selection, and then click Next.

  18. On the Attribute Contract Fulfillment tab, from the Source list for SAML_SUBJECT, select Adapter.

  19. From the Value list, depending on what the SP is expecting, select mail or uid.

  20. Define any other mappings as needed. Click Next.

    You can leverage hard-coded “Text” for sending values to the SP connection.

  21. On the Issuance Criteria tab, click Next.

  22. On the Summary tab, review your entries, and then click Done.

    Screen capture of the IdP Adapter Mapping Summary tab. The bottom of the screen capture shows a hyperlink option to Cancel and buttons for Save Draft, Previous, and Done.

  23. On the Authentication Source Mapping tab, click Next.

  24. On the Summary tab, review your entries, and then click Done.

  25. On the Assertion Creation tab, click Next.

  26. On the Protocol Settings tab, click Configure Protocol Settings.

  27. On the Assertion Consumer Service URL tab, ensure you see an entry for your SP based on the metadata that you uploaded. Click Next.

  28. On the Allowable SAML Bindings tab, POST should be selected. Click Next.

  29. On the Signature Policy tab, click Always Sign the SAML Assertion. Click Next.

  30. On the Encryption Policy tab, click None. Click Next.

  31. On the Summary tab, review your entries, and then click Done.

    Screen capture of the Protocol Settings Summary tab. The bottom of the screen capture shows a hyperlink option to Cancel and buttons for Save Draft, Previous, and Done.

  32. On the Protocol Settings tab, click Next.

  33. On the Summary tab, review your entries, and then click Done.

    Screen capture of the Browser SSO Summary tab. The bottom of the screen capture shows a hyperlink option to Cancel and buttons for Save Draft, Previous, and Done.

  34. On the Browser SSO tab, click Next.

  35. On the Credentials tab, click Configure Credentials.

  36. On the Digital Signature Settings tab, from the Signing Certificate list, select your organization’s default signing certificate that you previously created.

  37. Select the Include the Certificate in the Signature <KeyInfo> Element check-box. Click Next.

  38. On the Summary tab, review your entries, and then click Done.

    Screen capture of the Summary tab. The bottom of the screen capture shows a hyperlink option to Cancel and buttons for Save Draft, Previous, and Done.

  39. On the Credentials tab, click Next.

  40. On the Activation & Summary tab, click the toggle to enable the connection, and then scroll to the bottom and click Save.

    The connection status is enabled when the toggle is green. You must click Save or your work will be lost.

    Screen capture of the Activation and Summary window showing the connection status as enabled.

Next steps

Click on the SP connection that you just created and copy the SSO-URL link. Start a private browsing session and test your connection using the SSO-URL link.