pingfederate (sp-initiated) integration guide
TRANSCRIPT
PingFederate (SP-initiated) integration guideIntroductionUse this guide to enable Multi-Factor Authentication and Single Sign-on (SSO) access via SAML to PingFederate.
PrerequisitesPing Federate Administrator AccountSecureAuth IdP version 9.1 or later, with a realm ready for the PingFederate integration
SecureAuth IdP Web Admin configuration steps1. Log on the SecureAuth IdP Web Admin console and find the new realm to be used for the PingIdentity integration.
Data tab
2. In the Profile Fields section, ensure the Membership Connection is set correctly, and map the directory field that contains the user's email address ("Email 1" field, for example) to the correct SecureAuth IdP property.
Post Authentication tab
You can choose to map additional fields as SAML attributes, if necessary.
3. In the Post Authentication section, select the option from the Authenticated User Redirect dropdown.SAML 2.0 (SP Initiated) Assertion
4. If required, upload a customized post authentication page using the Upload a Page field.
5. In the User ID Mapping section, make these field selections:
Fields Description/Recommendations
User ID Mapping Select the SecureAuth IdP property that corresponds to the Profile Field value (see 1). In this case, it is Figure Email 1
Name ID Format Select urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Encode to Base64 Select False
An example of these settings is shown below.
6. In the SAML Assertion / WS Federation section, make these changes in the following fields:
Fields Description/Recommendations
WSFed/SAML Issuer
Set to any value, typically in the form https://<IssuerName>.com
SAML Consumer URL
Set to the appropriate value found in PingFederate. Typically, this value is the application's FQDN with a fixed path extension, such as: https://<FQDN>/sp/ACS/saml2.
NOTE: This value is located in the hyperlink, which is in the Federation Info section on the Protocol Endpoints Server tab.Configuration
SAML Recipient Set to the same value as designated for the SAML Consumer URL field.
SAML Audience Set to the same value as the on PingFederate.SAML 2.0 Entity ID
NOTE: This value must differ from the user inputs value for the WSFED/SAML Issuer field and is located in the Federation Info section on the tab.Server Configuration
7. Provide other settings, as necessary:
Fields Description/Recommendations
SP Start URL This field is not mandatory to enable SSO and to redirect users appropriately to access SecureAuth. In case the user needs to include it, this URL value is the same as the start site for the SP Application.
For example: http:<FQDN>:<portNumber>/sp/ startSSO.ping?PartnerSpId=SAMLIssuer
SAML Offset Minutes Set to 5 minutes to make up for time differences between devices.
SAML Valid Hours Set the to 1 hour to limit for how long the SAML assertion is valid.
WS-Fed Signing Algorithm / SAML Signing Algorithm
Set both to SHA1
An example of the SAML Assertion / WS Federation section is shown below.
8. Scroll down to the end of this section and provide these field values.
Fields Description/Recommendations
Sign SAML Assertion Set to False
Sign SAML Message Set to True
Encrypt SAML Assertion Set to False
An example of these SAML fields is shown below.
9. Leave the Signing Cert Serial Number field as the default value, unless there is a third-party certificate being used for the SAML assertion.
NOTE: If using a third-party certificate, click and choose the appropriate certificate. Select Certificate
10. If required, scroll down to the Forms Auth/SSO Token section, then click the link to configure the View and Configure FormsAuth keys / SSO tokentoken/cookie settings and to configure this realm for SSO, as shown in the image below.
11. Click once the configuration is complete and before leaving the Post Authentication page.Save
PingFederate configuration stepsFollow these steps to configure PingFederate for use with SecureAuth IdP.
1. From the left pane of the PingFederate main menu, click the tab. A screen as the image below appears.SP Configuration
2. Under the IDP CONNECTIONS section, click the link to start the IdP Connector wizard and create a new IdP connection.Create New
3. Check the box and the Protocol of SAML 2.0 is auto-selected as shown in the image below.Browser SSO Profiles
4. Click . The Connection Options page appears.Next
5. Check the box, then click .Browser SSO Next
The Metadata URL page appears.
6. Click to skip the Metadata URL section. The General Info page appears.Next
7. In the Partners Entity ID text box, enter the correct value.
This value must be the same as the value entered in the WS-Fed / SAML Issuer field on the Post Authentation tab in SecureAuth IdP. In the image above, this value is , the same value specified in step 6 of the SecureAuth IdP Configuration Steps. SAMLIssuer
8. In the Connection Name text box, enter any name required.
9. Click . The Browser SSO page appears.Next
10. Click .Configure Browser SSO
11. Under the SAML Profiles tab, check both and as shown in the image below, then click .IDPInitiatedSSO SPInitiatedSSO Next
The User-Session Creation page appears.
12. Click . The Protocol Settings page appears.Next
13. Click . The SSO Service URLs tab of the Protocol Settings page appears.Configure Protocol Settings
14. On the SSO Service URLs tab, ensure that the only two bindings are: and and that the Endpoint URL maps to the correct SecureAuth Redirect SOAPIdP realm. (In the sample image above, it is realm .)SecureAuth39
15. Click when completed. The Allowable SAML Bindings tab appears.Next
16. Check the box, then click twice. The Signature Policy tab appears.POST Next
17. Click to select the radio button, then click . The Encryption Policy tab appearsUse SAML Standard Requirements Next .
18. Click the radio button, then click . The Summary tab appears.None Next
19. Verify all the settings on this tab, then click . The Protocol Settings page reappears as in the sample image below.Done
20. Click . The Browser SSO Summary page appears.Next
21. Ensure all the settings are correct, then click . The Browser SSO page reappears.Done
22. Click . The Credentials page appears.Next
23. Click . The Signature Verification Settings tab appears.Configure Credentials
24. Click . The Trust Model tab page appears.Manage Signature Verification Settings
25. Click to select the radio button, then click . The Signature Verification Certificate tab appears.Unanchored Next
26. From the Primary pick list, select the SecureAuth IdP certificate.
NOTE: If no certificate appears in the pick list, click and import the appropriate SecureAuth IdP certificate.Manage Certificates
27. Once the thumb print of the certificate appears, click . The Summary tab appears.Next
28. When satisfied, click . The Signature Verification Settings tab reappears.Done
29. Click . The Credentials Page reappears.Next
1. 2. 3.
30. Verify all the settings and make appropriate edits if necessary, then click .Done
31. Click twice to move to the Activation & Summary page. Next
32. Ensure Connection Status is set to Active and that all the other configuration values you specified are correctly displayed, then click .Save
Test the configurationTo test this configuration, perform these steps:
Open Firefox browser and download SAML Tracer.Enter the SP Start URL.Check to see if the SP Start URL is redirected to SecureAuth IdP.
4. Enter the credentials (username and password) on the SecureAuth IdP page. The user should be authenticated successfully into the application.