You supply the PingOne for Enterprise connection details to the identity provider (IdP) administrator to configure the identity repository side of the connection, and you use the SAML connection settings supplied by the identity repository administrator to configure the PingOne for Enterprise side of the connection.

You can make the configuration entries manually or use metadata files to upload the information on both the identity repository side and the PingOne for Enterprise side.

  1. In PingOne for Enterprise, select the public signing certificate for your identity bridge. You can choose either:
    • Primary Certificate: When you select the primary certificate, the PingOne for Enterprise metadata for download contains both the primary and the renewal certificates.
    • Renewal Certificate: When you select the renewal certificate, the PingOne for Enterprise metadata for download contains only the renewal certificate. A renewal certificate is available only thirty days before the expiration of the primary certificate.

    PingOne for Enterprise uses this certificate on your behalf to sign SAML assertions sent to your IdP.

  2. If you're configuring the identity bridge to support connections to multiple PingOne for Enterprise accounts, select Enable Account-Specific Entity ID.

    In some cases, your organization may want to configure the identity bridge to support connections to multiple PingOne for Enterprise accounts. A typical scenario is organizations needing distinct connections from a number of divisions or subsidiaries.

    PingOne for Enterprise supports these types of multiple connections through the identity bridge setup option Enable account-specific Entity IDs. Choosing this option creates a unique Entity ID based on your PingOne for Enterprise account (Company ID). This custom Entity ID is written to the PingOne for Enterprise metadata file that you download for import to your identity bridge.
    Note: If you change the Entity ID of an existing PingOne for Enterprise identity repository, you must also ensure that the value is changed on the IdP. Otherwise, SSO can be disrupted.

    To make use of PingOne for Enterprise's account-specific IDs for multiple connections to a single identity bridge instance, your identity bridge needs to support the PingFederate concept of "virtual server IDs". This is an identity bridge feature for aliasing Entity IDs (connection IDs) for use by multiple service providers (SPs). Using account-specific IDs, PingOne for Enterprise effectively impersonates multiple SPs.

    1. A default Entity ID is displayed. You can accept the default value, which PingOne for Enterprise generates uniquely, or click the edit icon to enter your own Entity ID value.

      The Entity ID you enter is validated to ensure that it is unique in PingOne for Enterprise.

  3. Optional: Select Sign the AuthnRequest from PingOne to have PingOne for Enterprise sign connection requests on your behalf.

    PingOne for Enterprise uses the public verification certificate you assign to your IdP.

    When checked, AuthnRequestsSigned="true" is added to the PingOne for Enterprise metadata for download. When unchecked, AuthnRequestsSigned="false" is added.

  4. In the Signing Algorithm list, select the algorithm used to sign both authentication and single logout (SLO) requests.

    If you're setting up a new identity bridge, the signing algorithm defaults to the recommended SHA-256.

    If you have an existing identity bridge configuration, SHA-1 may be displayed as the default signing algorithm. We recommend you change it to SHA-256.

  5. Assign the PingOne for Enterprise connection settings in your IdP:
    • Download the PingOne metadata for import to your IdP: All of the necessary PingOne for Enterprise connection information is contained in the metadata.

      The PingOne for Enterprise metadata includes the encryption certificate and either both the primary and renewal signing certificates, or only the renewal certificate if you selected Renewal Certificate as the public signing certificate.

    • Enter the PingOne for Enterprise connection information manually in your IdP. The following SAML parameters are required for assignment at your identity bridge:
      Note: You might want to download the PingOne for Enterprise metadata and reference the settings in the metadata file when assigning the parameter settings.

      PingOne Entity ID
      A globally unique name identifying PingOne for Enterprise as a SAML entity.
      Assertion Consumer Service URL
      The Assertion Consumer Service (ACS) URL used by PingOne for Enterprise to receive the AuthnResponse from your identity bridge indicating whether a user has been successfully authenticated for single sign-on (SSO).
      SSO
      Indicates whether SSO is initiated by the SP or by the IdP.
      RelayState
      The target resource used by PingOne for Enterprise to continue SSO to a particular application when initiating SSO from the IdP. If you're using IdP-initiated SSO, you need to include the SaaS ID either in this target resource or in the ACS URL Parameter.
      ACS URL Parameter
      A query parameter added to the Assertion Consumer Service URL to direct PingOne for Enterprise to continue SSO to a particular application when initiating SSO from the identity bridge. If you're using IdP-initiated SSO, you need to include the SaaS ID either here or in the RelayState value.
      Outbound
      The binding for outbound exchanges. Use POST.
      Inbound
      The binding for inbound exchanges. Use Redirect.
      Protocol
      The protocol to use for authentication assertions. Use SAML 2.0.
      Profile
      The method the identity bridge uses to send an assertion to PingOne for Enterprise. POST is the default.
      Request Binding
      The method PingOne for Enterprise uses to request an assertion. Redirect is the default.
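The parameters listed above can be read directly from the downloaded metadata. The following Python script is an added example, not PingOne for Enterprise code: it parses a constructed SP metadata sample (the host pingone.example, the account ID and the certificate strings are placeholders), returns the Entity ID, the ACS URL and its binding, the AuthnRequestsSigned flag and the signing and encryption certificates, and flags settings that do not match the bindings the steps above call for.

```python
"""Extract the SAML connection settings carried by PingOne for Enterprise (SP)
metadata so they can be checked before they are assigned at the IdP.

Added example; the metadata below is a constructed sample in the shape of
SAML 2.0 SP metadata, not a real PingOne for Enterprise download. The host
pingone.example, the account ID and the certificate text are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "Redirect",
}

# Constructed sample: primary + renewal signing certificates, one encryption
# certificate, signed AuthnRequests, POST-bound ACS.
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://pingone.example/sp/EXAMPLE-ACCOUNT-ID">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PRIMARY-SIGNING-CERT-BASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>RENEWAL-SIGNING-CERT-BASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>ENCRYPTION-CERT-BASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://pingone.example/sso/sp/ACS.saml2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _certificates(role, use):
    """Base64 text of every X509Certificate under a KeyDescriptor with the given use.
    A KeyDescriptor without a use attribute serves both signing and encryption."""
    certs = []
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, use):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))
    return certs


def parse_sp_metadata(xml_text):
    """Return the parameters an IdP administrator assigns from the SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    services = sp.findall("md:AssertionConsumerService", NS)
    if not services:
        raise ValueError("metadata has no AssertionConsumerService")
    # Prefer the ACS marked as default; otherwise take the first one listed.
    acs = next((s for s in services if s.get("isDefault") == "true"), services[0])
    binding = acs.get("Binding", "")
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "acs_binding": BINDINGS.get(binding, binding),
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false") == "true",
        "signing_certs": _certificates(sp, "signing"),
        "encryption_certs": _certificates(sp, "encryption"),
    }


def check_sp_settings(info):
    """Findings that should stop the IdP configuration until resolved."""
    problems = []
    if not info["entity_id"]:
        problems.append("entityID is missing")
    if not (info["acs_url"] or "").startswith("https://"):
        problems.append("ACS URL is not an https URL")
    if info["acs_binding"] != "POST":
        problems.append("ACS binding is %s; the profile expects POST" % info["acs_binding"])
    if not info["signing_certs"]:
        problems.append("no signing certificate in metadata")
    if not info["encryption_certs"]:
        problems.append("no encryption certificate in metadata")
    return problems


if __name__ == "__main__":
    settings = parse_sp_metadata(SAMPLE_SP_METADATA)
    for key, value in settings.items():
        print("%-22s %s" % (key, value))
    print("problems:", check_sp_settings(settings) or "none")
```

Run it against the real download by passing the file contents to parse_sp_metadata; two signing certificates mean the primary certificate was selected in step 1, a single one means renewal-only metadata.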
  6. Click to download the Signing Certificate and Encryption Certificate.
  7. In your IdP, do one of the following:
    • Upload or import the PingOne for Enterprise metadata file. The required SAML parameters will be assigned based on the settings in the metadata file.
    • Manually assign the SAML parameter settings required for the PingOne for Enterprise connection. Reference the PingOne for Enterprise metadata file, if necessary.
  8. In your IdP, select a method to assign the IdP connection settings in PingOne for Enterprise in the next step:
    • Export your IdP metadata file for import into PingOne for Enterprise. The metadata must be in UTF-8 format without a byte order mark (BOM).
    • Enter the following IdP connection information manually into PingOne for Enterprise. Reference the IdP metadata file, if necessary:
      Entity ID
      Uniquely identifies the identity bridge to PingOne for Enterprise. This identifier is used in the Issuer element of the SAML assertion sent to us by the identity bridge.
      Note: To avoid possible identifier conflicts with the idpid, the Entity ID must be unique, unless you're assigning the Entity ID value for a private, managed application (an application that is supplied and configured by a PingOne for Enterprise administrator, rather than by an SP).
      SSO Endpoint
      The endpoint at your identity bridge to which PingOne for Enterprise sends AuthnRequests, using the Redirect method you assigned to the Request Binding attribute for your identity bridge.
      Verification Certificate
      The public verification certificate for your identity bridge. PingOne for Enterprise will use this certificate on your behalf to sign SAML assertions. Ensure that your IdP imports and recognizes this verification certificate.
      Secondary Verification Certificate
      A second certificate that PingOne for Enterprise can use to sign SAML assertions on your behalf if verification fails when using your primary certificate. Ensure that your IdP imports and recognizes this verification certificate.
      Single Logout Endpoint
      (Optional) The endpoint URL configured for the identity bridge to which PingOne for Enterprise sends SAML single logout (SLO) requests. The SLO process uses the binding you choose for the Single Logout Binding Type attribute.
      Single Logout Response Endpoint (IdP)
      (Optional) The endpoint (URL) configured for the identity bridge to which PingOne for Enterprise sends SLO responses. If you do not assign a value here, the Single Logout Endpoint is also used as the response endpoint. The SLO process uses the binding you choose for the Single Logout Binding Type attribute.
      Single Logout Binding Type
      The binding type determines how the SAML protocol uses another protocol (in this case, HTTP) to transport messages. The SAML SLO process can use either the POST or Redirect methods.
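Step 8 requires the IdP metadata to be UTF-8 without a BOM, and the settings listed above are what PingOne for Enterprise takes from it. The following Python script is an added example, not part of the product: it rejects a BOM or non-UTF-8 bytes, then extracts the Entity ID, the Redirect-bound SSO endpoint, the verification certificates and the optional SLO endpoints, applying the fallback described for the Single Logout Response Endpoint. The metadata is a constructed sample; the host idp.example and the certificate strings are placeholders.

```python
"""Check an IdP metadata file before importing it into PingOne for Enterprise.

Added example, not PingOne for Enterprise code: enforces UTF-8 without a
byte order mark and pulls out the IdP connection settings (Entity ID, SSO
endpoint, verification certificates, SLO endpoints and binding). The
metadata below is a constructed sample; idp.example and the certificate
text are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "Redirect",
}
UTF8_BOM = b"\xef\xbb\xbf"

# Constructed sample: two signing certificates (verification + secondary),
# Redirect-bound SSO, and SLO with a separate response location.
SAMPLE_IDP_METADATA = b"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example/saml2/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>IDP-VERIFICATION-CERT-BASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>IDP-SECONDARY-VERIFICATION-CERT-BASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example/saml2/slo"
        ResponseLocation="https://idp.example/saml2/slo/response"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def validate_idp_metadata(raw):
    """Return the extracted IdP settings plus a list of import-blocking problems."""
    result = {"problems": []}
    if raw.startswith(UTF8_BOM):
        result["problems"].append("file begins with a UTF-8 byte order mark; remove it")
        raw = raw[len(UTF8_BOM):]
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        result["problems"].append("file is not valid UTF-8: %s" % exc)
        return result
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        result["problems"].append("not well-formed XML: %s" % exc)
        return result

    result["entity_id"] = root.get("entityID")
    if not result["entity_id"]:
        result["problems"].append("entityID is missing")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        result["problems"].append("no IDPSSODescriptor; this is not IdP metadata")
        return result

    # The SSO endpoint must accept HTTP-Redirect, the request binding assigned above.
    sso = [s for s in idp.findall("md:SingleSignOnService", NS)
           if BINDINGS.get(s.get("Binding")) == "Redirect"]
    result["sso_endpoint"] = sso[0].get("Location") if sso else None
    if not sso:
        result["problems"].append("no SingleSignOnService with the HTTP-Redirect binding")

    # Signing KeyDescriptors: the first is the verification certificate, the
    # second (if present) the secondary one; no use attribute means both uses.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for c in kd.findall(".//ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))
    result["verification_certs"] = certs
    if not certs:
        result["problems"].append("no signing certificate; assertions cannot be verified")

    # SLO is optional; responses go to ResponseLocation, falling back to the
    # request endpoint when no ResponseLocation is given.
    slo = idp.find("md:SingleLogoutService", NS)
    if slo is not None:
        binding = BINDINGS.get(slo.get("Binding"))
        result["slo_binding"] = binding
        result["slo_endpoint"] = slo.get("Location")
        result["slo_response_endpoint"] = slo.get("ResponseLocation") or slo.get("Location")
        if binding not in ("POST", "Redirect"):
            result["problems"].append("SingleLogoutService binding must be POST or Redirect")
    return result


if __name__ == "__main__":
    report = validate_idp_metadata(SAMPLE_IDP_METADATA)
    for key, value in report.items():
        print("%-24s %s" % (key, value))
```

Feed it the exported file as bytes (open the file in binary mode) so the BOM check sees the raw leading bytes; a non-empty problems list means the import in the next step should be deferred.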
  9. In PingOne for Enterprise, assign the IdP connection settings:
    • Select to import your IdP connection metadata. The SAML parameters required for the IdP connection will be assigned based on the settings in the metadata file.
    • Use the list of connection settings you copied from your identity bridge to enter settings for the PingOne for Enterprise attributes displayed.
  10. Ensure that the connection settings are correct.
  11. Assign the IdP-to-PingOne for Enterprise attribute mapping.

    This assignment maps identity provider attributes to the default attributes used by the PingOne for Enterprise dock. Applications that you add to PingOne for Enterprise do not use this attribute mapping; configure the attribute mappings for each application separately.

    1. Optional: For any of the attribute mappings, configure an advanced mapping.

      For instructions, see Creating advanced attribute mappings.

    2. Click Done.
  12. Click Finish.

When you return to Setup > Identity Repository, you see a summary of the settings for your identity bridge.

You can click Edit to modify the settings. You can also copy the PingOne Metadata URL and use it to keep your IdP configuration updated with PingOne for Enterprise metadata.