Use Cases

Setting up an authentication flow that includes MFA (PingFederate and PingID)

This configuration creates a service provider (SP) connection with a multi-factor authentication (MFA) flow using PingFederate and PingID.

Components

  • PingFederate 10.1

  • PingID

Creating a password credential validator in PingFederate

Steps

  1. In the PingFederate administrative console, go to System → Data & Credential Stores → Password Credential Validators, and click Create New Instance.

  2. On the Type tab, from the Type list, select Simple Username Password Credential Validator. Complete the remaining required fields, and then click Next.

  3. On the Instance Configuration tab, click Add a New Row to 'Users'. Complete the Username, Password, and Confirm Password fields, and then click Update.

  4. Click Next, and then on the Summary tab, click Done.

  5. In the Password Credential Validators window, click Save.

Creating an HTML adapter that uses the PCV

Steps

  1. Go to Authentication → Integration → IdP Adapters and click Create New Instance.

  2. On the Type tab, from the Type list, select HTML Form IdP Adapter. Complete the remaining required fields, and then click Next.

  3. On the IdP Adapter tab, from the Password Credential Validator list, select the PCV you previously created. Click Update.

  4. Click Next until you reach the Adapter Attributes tab.

  5. On the Adapter Attributes tab, select the Pseudonym check box for the username entry. Click Next until you reach the Summary tab.

  6. On the Summary tab, click Done.

  7. In the Manage IdP Adapter Instances window, click Save.

Downloading the pingid.properties file in PingOne for Enterprise

Steps

  1. In the PingOne for Enterprise admin portal, go to Setup → PingID → Client Integration.

  2. In the Integrate with PingFederate and Other Clients section, click Download.

Creating a PingID adapter in PingFederate

Steps

  1. In the PingFederate administrative console, go to Authentication → Integration → IdP Adapters and click Create New Instance.

  2. On the Type tab, from the Type list, select PingID Adapter 2.6. Complete the remaining required fields, and then click Next.

  3. On the IdP Adapter tab, click Choose File. Select the pingid.properties file, and then click Next.

  4. Click Next until you reach the Adapter Attributes tab.

  5. On the Adapter Attributes tab, select the Pseudonym check box for the subject entry. Click Next.

  6. Click Next until you reach the Summary tab, and then click Done.

  7. In the Manage IdP Adapter Instances window, click Save.

Creating an authentication policy contract

Steps

  1. Go to Authentication → Policies → Policy Contracts and click Create New Contract.

  2. On the Contract Info tab, in the Contract Name field, enter a name.

  3. Click Next until you reach the Summary tab, and then click Done.

  4. In the Authentication Policy Contracts window, click Save.

Creating an SP connection

Steps

  1. Go to Applications → Integration → SP Connections and click Create Connection.

  2. Click Next until you reach the Connection Type tab.

  3. On the Connection Type tab, select the Browser SSO Profiles check box. Click Next until you reach the General Info tab.

  4. On the General Info tab, in the Partner’s Entity ID field, enter a dummy entity ID. In the Connection Name field, enter a name, and then click Next.

  5. On the Browser SSO tab, click Configure Browser SSO.

  6. On the SAML Profiles tab, select the IdP-Initiated SSO check box only. Click Next until you reach the Assertion Creation tab.

  7. On the Assertion Creation tab, click Configure Assertion Creation. Click Next until you reach the Authentication Source Mapping tab.

  8. On the Authentication Source Mapping tab, click Map New Authentication Policy.

  9. On the Authentication Policy Contract tab, from the Authentication Policy Contract list, select your policy contract. Click Next until you reach the Attribute Contract Fulfillment tab.

  10. On the Attribute Contract Fulfillment tab, from the Source list for the SAML_SUBJECT entry, select Authentication Policy Contract. From the Value list, select subject.

  11. Click Next and Done until you reach the Protocol Settings tab. Click Configure Protocol Settings.

  12. On the Assertion Consumer Service URL tab, enter a number in the Index field. From the Binding list, select POST. In the Endpoint URL field, enter a dummy URL, then click Add.

  13. Click Next and Done until you reach the Credentials tab. Click Configure Credentials.

  14. On the Digital Signature Settings tab, from the Signing Certificate list, select a signing certificate.

  15. Click Next and Done until you reach the Activation & Summary tab. Click Save.

  16. In the SP Connections window, click Save.

Creating an authentication selector

Steps

  1. Go to Authentication → Policies → Selectors and click Create New Instance.

  2. On the Type tab, from the Type list, select Connection Set Authentication Selector. Complete the remaining required fields, and then click Next.

  3. On the Authentication Selector tab, click Add a New Row to 'Connections'. From the Connection list, select your SP connection. Click Update and then Next.

  4. On the Summary tab, click Done. In the Manage Authentication Selector Instances window, click Save.

Creating an authentication policy

Steps

  1. Go to Authentication → Policies → Policies and click Add Policy.

  2. In the Name field, enter a name for the policy.

  3. From the Policy list, select Selectors.

  4. From the ID column, select the selector from step 7 (Creating an authentication selector).

  5. Beneath the No list, click Continue.

  6. From the Yes list, select the HTML adapter from step 2 (Creating an HTML adapter that uses the PCV).

  7. Beneath the Fail list, click Done.

  8. From the Success list, select the PingID Adapter from step 4 (Creating a PingID adapter in PingFederate).

  9. Beneath your PingID Adapter instance, click Options.

  10. In the Incoming User ID window, from the Source list, select the HTML adapter from step 2 (Creating an HTML adapter that uses the PCV). From the Attribute list, select username.

  11. Beneath the Fail list, click Done.

  12. From the Success list, select the policy contract from step 5 (Creating an authentication policy contract).

    [Screen capture: the Policy section with the completed configuration described in the preceding steps.]

  13. Click Contract Mapping.

  14. On the Contract Fulfillment tab, from the Source list, select your HTML adapter. From the Value list, select username.

  15. Click Next until you reach the Summary tab, and then click Done.

  16. Click Done and then in the Authentication Policies window, click Save.
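
The policy tree built in the preceding steps can be checked for fail-open branches before it is saved. The following Python code is an added example, not part of the original guide or of Ping Identity's software: it models the tree as a constructed dictionary and reports any path that reaches the policy contract without both the HTML Form adapter and the PingID adapter succeeding, or a PingID step whose incoming user ID is not taken from the first factor. The dictionary layout and the instance names (ConnectionSetSelector, HTMLFormAdapter, PingIDAdapter, MFAContract) are assumptions for illustration, not a PingFederate export format.

```python
import copy

# Constructed model of the policy tree from the steps above. The layout and the
# instance names are assumptions for illustration, not a PingFederate format.
CONTRACT = {"type": "contract", "name": "MFAContract",
            "subject": ("HTMLFormAdapter", "username")}
PINGID = {"type": "adapter", "name": "PingIDAdapter", "factor": "mfa",
          "incoming_user_id": ("HTMLFormAdapter", "username"),
          "branches": {"Fail": {"type": "done"}, "Success": CONTRACT}}
HTML_FORM = {"type": "adapter", "name": "HTMLFormAdapter", "factor": "password",
             "branches": {"Fail": {"type": "done"}, "Success": PINGID}}
POLICY = {"type": "selector", "name": "ConnectionSetSelector",
          "branches": {"No": {"type": "continue"}, "Yes": HTML_FORM}}


def audit(node, passed=(), findings=None):
    """Walk every branch and report paths that weaken the two-factor flow."""
    findings = [] if findings is None else findings
    names = [name for name, _ in passed]
    if node["type"] == "contract":
        factors = [factor for _, factor in passed]
        if factors != ["password", "mfa"]:
            findings.append(f"{node['name']}: reachable with factors {factors}")
        if node["subject"][0] not in names:
            findings.append(f"{node['name']}: subject from unauthenticated source")
    elif node["type"] == "adapter":
        source = node.get("incoming_user_id")
        if node["factor"] == "mfa" and (source is None or source[0] not in names):
            findings.append(f"{node['name']}: user ID not bound to the first factor")
        for outcome, child in node["branches"].items():
            step = ((node["name"], node["factor"]),) if outcome == "Success" else ()
            audit(child, passed + step, findings)
    elif node["type"] == "selector":
        for child in node["branches"].values():
            audit(child, passed, findings)
    return findings  # "done" and "continue" end the path without a contract


def fail_open_variant():
    """Constructed misconfiguration: PingID's Fail branch also issues the contract."""
    bad = copy.deepcopy(POLICY)
    pingid = bad["branches"]["Yes"]["branches"]["Success"]
    pingid["branches"]["Fail"] = pingid["branches"]["Success"]
    return bad


if __name__ == "__main__":
    print(audit(POLICY))
    print(audit(fail_open_variant()))
```

The tree as configured in this guide produces no findings; the constructed variant, where the Fail branch under PingID leads to the contract instead of Done, is flagged as reachable with the password factor alone.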

Testing your connection

Steps

  1. In PingFederate, go to Applications → Integration → SP Connections, and click your SP connection.

  2. On the Activation & Summary tab, verify that the green toggle switch is selected. Click the SSO Application Endpoint link.

  3. Sign on as a user with the credentials created in step 1c (the user added in Creating a password credential validator in PingFederate).

    Result:

    When a user signs on for the first time, they are prompted to install PingID and register their device. If the user is registered, they are prompted to authenticate using PingID.