NOTE: The steps provided for how to configure Ping Federate have not been updated recently, and some information and screenshots may be out of date.
1. Display name
Choose a name for your identity provider. This is the user-facing name, so choose a name your users will recognize. This can be changed later.
2. Prepare IDP
In the prepare step, copy the Reply URL. You will need this when setting up Ping Federate.
Configure Ping Federate
If you are using SCIM with your provider, make sure to check out the documentation for configuring this before proceeding. It might be that you need to configure this first or at the same time as setting up SAML.
Open the Ping Federate admin console in a separate browser tab. Press Create New in IdpConfiguration.
Select Connection Template: Browser SSO Profiles PROTOCOL SAML 2.0. Press Next.
Select Browser SSO. Press Next.
Select the desired metadata import option. Press Next.
Review the metadata summary. Press Next.
Under General Info:
Fill in the following fields (if not already imported using metadata):
Entity ID (copy from KSSO prepare step)
Connection Name
Base URL
Press Next
Select Configure Browser SSO. Press Next.
Select whether you want IDP-Initiated SSO, SP-Initiated SSO or both. Press Next.
Accept the default assertion lifetime. Press Next.
Select “Configure Assertion Creation”
Select Standard Identity Mapping. Press Next.
Configure Attribute Contract. This step may be skipped if you don’t intend to use Just-in-time provisioning to create user accounts when users log into the Atlassian application.
“Extend the contract” with the additional fields from the table below
Extend the contract | Attribute Name Format |
---|---|
email | urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified |
givenName | urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified |
surname | urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified |
Press Next.
Authentication Source Mapping. Select Map New Adapter Instance.
Adapter Instance:
Choose your preferred Adapter Instance
In this example we create: PingOne HTML Form Adapter
Press Next.
Mapping Method:
Select Use Only The Adapter Contract Values In The SAML Assertion. Press Next.
Attribute Contract Fulfillment:
Select the values for SAML_SUBJECT, email, givenName and surname
Press Next.
Issuance Criteria:
Optionally add Issuance Criteria
Press Next.
IDP Adapter Mapping Summary:
Review the Summary
Press Done.
Assertion Creation
You have now completed Map New Adapter Instance
Select Map New Authentication Policy
Authentication Policy Contract
Choose an already existing Authentication Policy Contract or press Manage Authentication Policy Contracts
In this example we create a new policy contract
Manage Contracts
Select Create New Contract
Contract Info
Give the contract a name
Press Next
Contract Attributes
Extend the contract with the following attributes:
email
givenName
surname
userPrincipalName
After adding the attributes, press Next.
Authentication Policy Contract Summary
Review the Summary
Press Done
Authentication Policy Contracts
You have now added a new Authentication Policy Contract
Press Save
Selecting an Authentication Policy Contract
Select the desired Authentication Policy Contract
Press Next
Mapping Method
Select Use Only The Authentication Policy Contract Values In The SAML Assertion
Press Next
Attribute Contract Fulfillment
Map the Attribute Contract Attribute to the corresponding Value
Press Next
Issuance Criteria
Optionally add Issuance Criteria
Press Next
Authentication Policy Mapping Summary
Review the Summary
Press Done
Authentication Source Mapping
You have now completed
Map New Adapter Instance
Map New Authentication Policy
Press Next
Assertion Creation Summary
Review the Summary
Press Done
Assertion Creation
You have now completed the Assertion Creation
Press Next
Protocol Settings
Press Configure Protocol Settings
Assertion Consumer Service URL
The Endpoint URL should be automatically filled from the metadata
When not using metadata, add the ACS URL from the Prepare step in Kantega Single Sign-on
Note that in this example we use the URL relative to the Base URL configured in General Info
Press Next
Allowable SAML Bindings
Set Redirect as the Allowable SAML Binding
Press Next
Signature Policy
You can choose to have the assertion signed or not
Press Next
Encryption Policy
Select whether you want the assertion encrypted as well
Encrypted assertions are not covered by this guide
Press Next
Protocol Settings Summary
Review the Summary
Press Done
Protocol Settings
You have now completed the Protocol Settings
Press Next, then Done
Browser SSO
You have now completed the Browser Configuration
Press Next
Credentials
Select Configure Credentials
Digital Signature Settings
Select an already existing certificate or create a new one
If you are creating a new certificate, Press Manage Certificates
Manage Digital Signing Certificates
Press Create New
Create Certificate
Fill the required fields
Choose how long the certificate should be valid
Press Done
Create Certificate Summary
Review the Summary
Press Done
Manage Digital Signing Certificates
Make sure the desired certificate is active
Press Save
Digital Signature Settings
Select Include The Certificate In The Signature <Keyinfo> Element
Press Done
Credentials
You have now completed Credentials
Press Next
Activation and Summary
Select Connection Status: Active
Press Save
Metadata Export
Navigate to Server Configuration
Metadata Export
Metadata Mode
Select Use A connection For Metadata Generation
Press Next
Connection Metadata
Select the connection
Press Next
Metadata Signing
Select the signing certificate
Check Include This Certificate's Public Key In The Certificate <Keyinfo> Element
Press Next
Export & Summary
Export the metadata (Press Export)
Press Done
Go back to the Kantega SSO wizard.
3. Metadata
Upload the metadata.xml-file you exported from Ping Federate in the previous step.
4. Redirect URL
No need to do anything. The Redirect URL is automatically fetched from the metadata you imported in the previous step.
5. Certificate
6. Summary
Check that everything looks good and submit your setup.
Test
Test that the log-in with Ping Federate works as expected. This will help identify if there are any issues with the configuration. Follow the steps to perform the login test.
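When the test login fails or a user is created without a name or email, inspecting the SAML response usually shows why. The script below is an added example, not part of the Kantega or Ping Federate documentation; it checks a response against the attribute contract from this guide (SAML_SUBJECT, email, givenName, surname, all with the unspecified name format) and reports whether any signature element is present. It assumes the response arrives as the base64 `SAMLResponse` form value of an HTTP-POST, captured from your own test login; the function name and sample values are constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
REQUIRED = ("email", "givenName", "surname")  # the extended contract in this guide

def inspect_response(b64_response):
    """List findings for a base64 SAMLResponse captured from your own test login."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion (encrypted assertion or failed login)"]
    findings = []
    # Presence only: this does not validate the signature cryptographically.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        findings.append("neither the Response nor the Assertion carries a Signature")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if not name_id.strip():
        findings.append("SAML_SUBJECT (NameID) is empty")
    attrs = {a.get("Name"): a
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED:
        attr = attrs.get(name)
        if attr is None:
            findings.append(f"attribute {name} is missing")
            continue
        # SAML core: an omitted NameFormat means "unspecified".
        if attr.get("NameFormat", UNSPECIFIED) != UNSPECIFIED:
            findings.append(f"attribute {name} has NameFormat {attr.get('NameFormat')}")
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        if not any(v.strip() for v in values):
            findings.append(f"attribute {name} has no value")
    return findings

# Constructed sample: unsigned response, wrong NameFormat on givenName, no surname.
SAMPLE = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
 <saml:Assertion><saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
   <saml:Attribute Name="email" NameFormat="{UNSPECIFIED}">
    <saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>""".encode())
if __name__ == "__main__":
    print("\n".join(inspect_response(SAMPLE)))
```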