---
title: Setting up PingFederate as a FedHub
description: Configuring PingFederate as an identity bridge or FedHub (SAML Chaining) allows you to manage external identities and facilitate access to applications across the enterprise community.
component: solution-guides
page_id: solution-guides:workforce_use_cases:htg_set_up_pf_as_fedhub
canonical_url: https://docs.pingidentity.com/solution-guides/workforce_use_cases/htg_set_up_pf_as_fedhub.html
revdate: April 14, 2025
page_aliases: ["workforce_use_cases:htg_set_up_pf_as_fedhub_flow.adoc", "workforce_use_cases:htg_set_up_pf_as_fedhub_contract.adoc", "workforce_use_cases:htg_set_up_pf_as_fedhub_sp_connection.adoc", "workforce_use_cases:htg_set_up_pf_as_fedhub_ip_connection.adoc", "workforce_use_cases:htg_set_up_pf_as_fedhub_authn_policy.adoc"]
section_ids:
  component: Component
  creating-a-service-provider-connection: Creating a service provider connection
  about-this-task: About this task
  steps: Steps
  creating-an-identity-provider-connection: Creating an identity provider connection
  about-this-task-2: About this task
  steps-2: Steps
  creating-an-authentication-policy-in-pingfederate: Creating an authentication policy in PingFederate
  before-you-begin: Before you begin
  about-this-task-3: About this task
  steps-3: Steps
  result: Result
---

# Setting up PingFederate as a FedHub

Configuring PingFederate as an identity bridge or FedHub (SAML Chaining) allows you to manage external identities and facilitate access to applications across the enterprise community.

## Component

PingFederate 10.3

## Creating a service provider connection

### About this task

Create an SP connection in PingFederate using the policy contract created in the previous task.

### Steps

1. Go to **Applications > Integration > SP Connections** and then click **Create Connection**.

2. On the **Connection Template** tab, select whether to use a template for this connection, and then click **Next**.

3. On the **Connection Type** tab, select the **Browser SSO Profiles** checkbox, and in the **Protocol** list, select **SAML 2.0**. Click **Next**.

4. On the **Connection Options** tab, select the option that applies to the connection. Click **Next**.

5. On the **Import Metadata** tab, import metadata from a file or URL if desired. Click **Next**.

6. On the **General Info** tab, complete the **Partner's Entity ID** and **Connection Name** fields. Click **Next**.

7. On the **Browser SSO** tab, click **Configure Browser SSO**, and then select the applicable SSO profiles. Click **Next**.

8. On the **Assertion Lifetime** tab, configure the assertion lifetime. Click **Next**.

9. On the **Assertion Creation** tab, click **Configure Assertion Creation**.

10. On the **Identity Mapping** tab, select the type of name identifier that you will send to the SP, and then click **Next**.

11. On the **Attribute Contract** tab, extend the contract if desired. Click **Next**.

12. On the **Authentication Source Mapping** tab, click **Map New Authentication Policy**.

13. From the **Authentication Policy Contract** list, select the policy contract you created in step 1. Click **Next**.

14. On the **Mapping Method** tab, choose to retrieve additional values from your data stores if desired. Click **Next**.

15. On the **Attribute Contract Fulfillment** tab, from the **Source** list, select **Authentication Policy Contract**.

16. From the **Value** list, select a value from the authentication policy contract and then click **Next**.

17. On the **Issuance Criteria** tab, configure conditional authorization if desired, and then click **Next**.

18. On the **Summary** tab, click **Done**.

19. Click **Next** and **Done** until you reach the **Protocol Settings** tab. Click **Configure Protocol Settings**.

20. On the **Assertion Consumer Service URL** tab, from the **Binding** list, select a binding, and in the **Endpoint URL** field, enter the endpoint URL. Click **Add** and then click **Next**.

21. Click **Next** until you reach the **Credentials** tab, configuring the desired settings.

22. On the **Credentials** tab, click **Configure Credentials**.

23. On the **Digital Signature Settings** tab, from the **Signing Certificate** list, select a signing certificate. Click **Next** and **Done** until you reach the **Activation & Summary** tab.

24. Click **Save**.

## Creating an identity provider connection

### About this task

Create an IdP connection in PingFederate using the policy contract created in step 1.

Learn more in [Managing IdP connections](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-103.pdf#page=678) (page 678).

In this connection, PingFederate will act as the SP, and Company B's single sign-on (SSO) provider will act as the IdP. You must have the IdP metadata or metadata information from Company B's SSO administrator.

### Steps

1. Go to **Authentication > Integration > IdP Connections** and then click **Create Connection**.

2. On the **Connection Type** tab, select the **Browser SSO Profiles** checkbox, and in the **Protocol** list, select **SAML 2.0**. Click **Next**.

3. On the **Connection Options** tab, select the option that applies to the connection. Click **Next**.

4. On the **Import Metadata** tab, import metadata from a file or URL if desired. Click **Next**.

5. On the **General Info** tab, complete the **Partner's Entity ID** and **Connection Name** fields. Click **Next**.

6. On the **Browser SSO** tab, click **Configure Browser SSO**, and then select the applicable SSO profiles. Click **Next**.

7. On the **User-Session Creation** tab, click **Configure User-Session Creation**, and then select **No Mapping**. Click **Next**.

8. On the **Attribute Contract** tab, extend the contract if desired. Click **Next**.

9. On the **Target Session Mapping** tab, click **Map New Authentication Policy**, and from the **Authentication Policy Contract** list, select the policy contract you created in step 1. Click **Next**.

10. On the **Attribute Retrieval** tab, select the type of attribute retrieval, and then click **Next**.

11. On the **Contract Fulfillment** tab, from the **Source** list, select a source to fulfill the policy contract, and from the **Value** list, select a value from the source. Click **Next**.

12. On the **Issuance Criteria** tab, you can configure conditional authorization if desired. Click **Next**, and then on the **Summary** tab, click **Done**.

13. Click **Next** and **Done** until you reach the **Protocol Settings** tab. Click **Configure Protocol Settings**.

14. On the **SSO Service URLs** tab, from the **Binding** list, select a binding.

15. In the **Endpoint URL** field, enter the endpoint URL. Click **Add** and then click **Next**.

16. On the **Allowable SAML Bindings** tab, select which SAML bindings will receive messages from the IdP. Click **Next**.

17. On the **Artifact Resolver Locations** tab, in the **URL** field, enter the remote party URL that you will use to translate the artifact and get the protocol message. Click **Add** and then **Next**.

    You can add multiple URLs.

18. On the **Overrides** tab, specify a default target URL and an authentication context if desired. Click **Next**.

19. On the **Encryption Policy** tab, specify additional XML encryption for SAML messages if desired. Click **Next**.

20. On the **Signature Policy** tab, specify additional signature requirements if desired. Click **Next**.

21. Click **Next** and **Done** until you reach the **Credentials** tab. Click **Configure Credentials**.

22. On the **Back-Channel Authentication** tab, ensure that security settings are properly configured for your selected bindings, and then click **Next**.

23. On the **Signature Verification Settings** tab, click **Manage Signature Verification Settings** and follow the on-screen instructions. When you are returned to this tab, click **Next** and then **Done**.

24. Click **Next** and **Done** when you reach the **Activation & Summary** tab.
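Before importing a partner's metadata, or typing its values into either connection above, it helps to list what the file actually declares. The following is an added example, not part of the original guide or of PingFederate. It parses SAML 2.0 metadata with the Python standard library and reports the entity ID, the endpoint bindings and URLs (**SSO Service URLs** for an IdP, **Assertion Consumer Service URL** for an SP), any artifact resolver locations, and whether a signing certificate is published. The Company B URLs and the certificate value are constructed placeholders, and the function name `summarize_metadata` is hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Role -> (descriptor element, endpoint element the connection wizard asks for)
ROLES = {"idp": ("IDPSSODescriptor", "SingleSignOnService"),
         "sp": ("SPSSODescriptor", "AssertionConsumerService")}

# Constructed sample: hypothetical Company B IdP metadata, placeholder certificate.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.companyb.example/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="https://idp.companyb.example/sso/redirect"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <md:SingleSignOnService Location="http://idp.companyb.example/sso/post"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def summarize_metadata(xml_text, role):
    """Return the connection values found in the metadata plus review findings."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in partner metadata")
    root = ET.fromstring(xml_text)  # assumes a single EntityDescriptor root
    descriptor_tag, endpoint_tag = ROLES[role]
    desc = root.find(f"md:{descriptor_tag}", NS)
    if desc is None:
        raise ValueError(f"metadata has no {descriptor_tag}")
    endpoints = [(e.get("Binding", "").rsplit(":", 1)[-1], e.get("Location", ""))
                 for e in desc.findall(f"md:{endpoint_tag}", NS)]
    resolvers = [e.get("Location", "")
                 for e in desc.findall("md:ArtifactResolutionService", NS)]
    # A KeyDescriptor with use="signing", or with no use attribute, may sign.
    signing = [k for k in desc.findall("md:KeyDescriptor", NS)
               if k.get("use") in (None, "signing")
               and k.find(".//ds:X509Certificate", NS) is not None]
    urls = [url for _, url in endpoints] + resolvers
    findings = [f"endpoint not HTTPS: {u}" for u in urls
                if not u.lower().startswith("https://")]
    if not signing:
        findings.append("no signing certificate published")
    return {"entity_id": root.get("entityID"), "endpoints": endpoints,
            "artifact_resolvers": resolvers, "signing_certs": len(signing),
            "findings": findings}

if __name__ == "__main__":
    print(summarize_metadata(SAMPLE_IDP_METADATA, "idp"))
```

Call it with `"sp"` for metadata received from a service provider. The script does not validate the certificate itself, so confirm its fingerprint with the partner's administrator out of band.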

## Creating an authentication policy in PingFederate

### Before you begin

**Component**

* PingFederate 10.3

Before creating the policy, you must have an Identifier First Adapter instance and an HTML Form Adapter configured. Learn more in [Configuring an Identifier First Adapter instance](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-103.pdf#page=312) and [Configuring an HTML Form Adapter instance](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-103.pdf#page=291).

### About this task

Learn more about authentication policies in [Defining authentication policies](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-103.pdf#page=219).

### Steps

1. Go to **Authentication > Policies > Policies**, and then click **Add Policy**.

2. In the **Policy** list, select **IdP Adapters** and then select your Identifier First Adapter instance.

3. Click **Rules** and configure the sign-on flow for users according to the following example.

   This determines which IdP the user authenticates against.

   ![A screen capture of the Rules modal showing four columns: Attribute Name, Condition, Value, and Result.](_images/tww1600460722222.png)

4. Configure the authentication policy according to the following example.

   ![A screen capture of the Policy window. Company A and Company B have different authentication flows, defined by the respective Fail and Success lists. Company A users will sign on with credentials against Company A's data store. Company B users will be redirected to their IdP sign-on page.](_images/wyi1604452822015.png)

5. Click **Done**.

### Result

When users from Company B sign on using their IdP, the IdP sends the assertion to the PingFederate SP endpoint. PingFederate provides the necessary attributes to the IdP endpoints, which are then used to generate an authentication response to Company A's application.
