Federating PingOne and PingFederate
Link PingOne to PingFederate to log in to PingOne using an account in your PingFederate server.

Before you begin
- Verify that PingFederate is installed and running. For documentation on configuring PingFederate, see the PingFederate 9.3 Administrator's Manual.
- Verify that PingOne is installed and running. For documentation on configuring PingOne, see the PingOne for Customers Administration Guide.
- Verify that OpenSSL is installed on your system. To download OpenSSL, see OpenSSL Downloads.

Workflow
The configuration runs through the following stages, each described in its own section below:
1. Configuring PingFederate
2. Creating a certificate in PingFederate and converting it to .p7b format
3. Configuring a new IdP in PingOne and downloading the IdP metadata
4. Configuring a new SP connection in PingFederate
5. Exporting the SP connection metadata in PingFederate and updating the SSO endpoint in PingOne
6. Adding the new connection to an authentication policy in PingOne
7. Testing the connection

Configuring PingFederate
About this task
If you have already completed the initial PingFederate setup, start at Creating a certificate in PingFederate and converting it to .p7b format.
Steps
1. In PingFederate, go to the PingOne Account tab and click No, Set Up Without PingOne for Enterprise.
2. On the License tab, click Choose File and select your PingFederate license. Click Next.
3. On the Basic Information tab, enter a name in the Entity ID field. Click Next.
4. On the Enable Roles tab, select Identity Provider. Click Next.
5. On the Identity Provider Configuration tab, click Begin.
   Result: The Directory Configuration page appears.
6. On the Connection tab, enter the values for your directory using the following table as a guide, and then click Next and Done until you complete the directory configuration.

   Parameter           Example Value
   Directory Type      Active Directory
   Data Store Name     ExampleDirectory
   Hostname            10.102.2.143
   Service Account DN  CN=Administrator, CN=Users, DC=directoryTest, DC=testDC
   Password            <Your directory server password>
   Search Base         CN=Users, DC=directoryTest, DC=testDC
   Search Filter       sAMAccountName=${username}

   The example Service Account DN is an administrator account. For a production data store, bind with a dedicated directory service account that has only the search and read rights PingFederate needs on the Search Base.
7. On the Administrator Account tab, enter the credentials for your primary administrator account.
8. Click Next and Done to complete the PingFederate configuration.

Creating a certificate in PingFederate and converting it to .p7b format
Steps
1. In PingFederate, go to Security → Signing & Decryption Keys & Certificates and click Create New.
2. Enter the values for the required fields, then click Next and Done.
3. Locate your certificate and select Export from the Select Action menu.
4. Go to Certificate Only → Next → Export. Note the location of your downloaded certificate on your file system.
5. Open your terminal application and change directory to the location containing your exported certificate.
6. To convert your certificate to .p7b format, run:

   openssl crl2pkcs7 -nocrl -certfile <your original certificate filename>.crt -out <your desired new filename>.p7b -outform DER

7. Note the location of your new .p7b certificate.

Configuring a new IdP in PingOne and downloading the IdP metadata
Steps
1. In PingOne, go to Connections → Identity Providers, click Provider, and then click SAML.
2. On the Create IDP Profile page, complete the Name and Description fields. Click Continue.
3. On the Configure PingOne Connection page, enter a name in the Entity ID field and click Continue.
4. On the Configure IDP Connection page, select Manually Enter.
5. Enter a placeholder URL in the SSO Endpoint field.
6. In the IDP Entity ID field, enter the entity ID that you used in Configuring PingFederate.
7. In the Verification Certificate section, click Import and select the .p7b certificate you created in Creating a certificate in PingFederate and converting it to .p7b format.
8. Click Continue and then click Save & Finish. The SSO endpoint will be updated after you configure the SP connection in PingFederate.
9. On the Identity Providers page, expand your new IdP and click the Pencil icon.
10. Click the IDP Configuration tab and then click Download Metadata.

Configuring a new SP connection in PingFederate
Steps
1. In PingFederate, go to SP Connections and click Create Connection.
2. On the Connection Template tab, select Do Not Use a Template for This Connection. Click Next, accepting the default values, until you reach the Import Metadata tab.
3. On the Import Metadata tab, click File and then click Choose File. Select the metadata file you saved in Configuring a new IdP in PingOne and downloading the IdP metadata and click Open.
4. Click Next until you reach the Browser SSO tab.
5. Click Configure Browser SSO. On the SAML Profiles tab, select IDP-Initiated SSO and SP-Initiated SSO. Click Next.
6. On the Assertion Creation tab, click Configure Assertion Creation. Click Next until you reach the Authentication Source Mapping tab.
7. On the Authentication Source Mapping tab, click Map New Adapter Instance. Select HTML Form Adapter from the Adapter Instance list and click Next until you reach the Attribute Contract Fulfillment tab.
8. On the Attribute Contract Fulfillment tab, select Adapter from the SAML_SUBJECT Source list.
9. From the SAML_SUBJECT Value list, select username. Click Next and Done until you complete the assertion creation.
10. On the Protocol Settings tab, click Configure Protocol Settings.
    Result: On the Assertion Consumer Service URL tab, you will see a default endpoint URL generated from the metadata you imported on the Import Metadata tab. If you don't see the default endpoint URL, restart the SP configuration.
11. Click Next.
12. On the Allowable SAML Bindings tab, clear the Artifact and SOAP checkboxes. Click Next and Done until you complete the Browser SSO configuration.
13. On the Credentials tab, click Configure Credentials.
14. From the Signing Certificate list, select your certificate from Creating a certificate in PingFederate and converting it to .p7b format, then click Next, Done, and Save to complete the SP connection configuration.

Exporting the SP connection metadata in PingFederate and updating the SSO endpoint in PingOne
Steps
1. In PingFederate, go to SP Connections and click Manage All.
2. For your new connection, from the Select Action list, select Export Metadata.
3. From the Signing Certificate list, select your signing certificate from Creating a certificate in PingFederate and converting it to .p7b format and then click Next.
4. On the Export & Summary tab, click Export.
5. Open the metadata file with a text editor and copy the URL from the Location line.
   Example: Location="https://localhost:9031/idp/SSO.saml2"
6. In the PingOne administration console, go to Connections → Identity Providers.
7. Expand your PingFederate connection and click the Pencil icon.
8. On the IDP Configuration tab, paste the URL from step 5 into the SSO Endpoint field.
9. Return to the Identity Provider tab and click the toggle to enable your connection.
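An exported metadata file contains more than one Location attribute (a SingleLogoutService entry plus one SingleSignOnService entry per binding), so copying "the Location line" by eye can pick the wrong one. The following script is an added example, not Ping Identity's code, that parses the exported file the way a careful administrator would before pasting the value into PingOne: it keeps only SingleSignOnService locations, checks that the entityID matches the IDP Entity ID you typed in PingOne, confirms a signing certificate is present, and refuses a non-HTTPS endpoint. The metadata document inside it is a constructed sample whose hostname comes from the page's own example; the certificate value is a placeholder.

```python
"""Extract the SSO endpoint from exported PingFederate IdP metadata.

Added example (not Ping Identity's code). SAMPLE_METADATA is a constructed
document shaped like a PingFederate export; the certificate is a placeholder.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: note the three Location attributes. Only the two
# SingleSignOnService ones are candidates for PingOne's SSO Endpoint field.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="pingfederate-example">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:9031/idp/SLO.saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:9031/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:9031/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the entityID, SSO locations keyed by binding, and whether a signing cert exists."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # SingleLogoutService also has a Location; it is deliberately not collected.
    sso = {svc.get("Binding"): svc.get("Location")
           for svc in idp.findall("md:SingleSignOnService", NS)}
    # A KeyDescriptor with no 'use' attribute may be used for signing as well.
    has_signing_cert = any(
        kd.get("use", "signing") == "signing"
        and kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
        for kd in idp.findall("md:KeyDescriptor", NS)
    )
    return {"entity_id": root.get("entityID"), "sso": sso,
            "has_signing_cert": has_signing_cert}


def sso_endpoint(xml_text, expected_entity_id=None, require_https=True):
    """Pick the value to paste into PingOne's SSO Endpoint field, or raise ValueError."""
    info = parse_idp_metadata(xml_text)
    if expected_entity_id is not None and info["entity_id"] != expected_entity_id:
        raise ValueError("metadata entityID %r does not match PingOne IDP Entity ID %r"
                         % (info["entity_id"], expected_entity_id))
    if not info["has_signing_cert"]:
        raise ValueError("metadata carries no signing certificate")
    location = info["sso"].get(BINDING_REDIRECT) or info["sso"].get(BINDING_POST)
    if location is None:
        raise ValueError("no SingleSignOnService with HTTP-Redirect or HTTP-POST binding")
    # Assertions travel through the browser; never federate over plain HTTP.
    if require_https and not location.lower().startswith("https://"):
        raise ValueError("SSO endpoint is not https: " + location)
    return location


if __name__ == "__main__":
    print(sso_endpoint(SAMPLE_METADATA, expected_entity_id="pingfederate-example"))
```

Run it against a real export with `sso_endpoint(open("metadata.xml").read(), expected_entity_id="<the entity ID you entered in PingOne>")`. In the sample both bindings share one Location, as in the page's example, so either would do; the function prefers HTTP-Redirect only to make the choice deterministic. A mismatch on entityID or a missing certificate is reported before the URL is returned, which is cheaper than discovering it when the test sign-on fails.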

Adding the new connection to an authentication policy in PingOne
Steps
1. In PingOne, go to Settings → Authentication → Policies.
2. Enter a name in the Policy Name field.
3. From the Login list, select Login.
4. Select the Enable registration checkbox and select a population from the Population list.
5. Click Add Provider and select your newly created identity provider. Click Save.
You can also add the new provider to your existing authentication policies.

Testing the connection
Steps
1. In PingOne, go to Settings → Environment → Properties and copy the Self-Service URL value.
2. Sign out of PingOne and enter the self-service URL in your browser.
3. Click the button to sign on with your new identity provider profile.
4. Enter the credentials of an account in your PingFederate directory and follow the prompts to create a new PingOne user.