This guide is for an older version of Kantega SSO Enterprise and is no longer maintained. New guides are here: https://kantega-sso.atlassian.net/l/c/rNTaTonz . |
In Kantega Single Sign-on, add a new identity provider and select "Ping Federate" from the dropdown:
In the Prepare step, copy the Metadata URL if your Atlassian server is available to Ping Federate, or download the file if it's not.
Open the Ping Federate admin console in a separate browser tab. Press Create New in IdpConfiguration
Select Connection Template: Browser SSO Profiles PROTOCOL SAML 2.0. Press Next.
Select Browser SSO. Press Next.
Select the desired metadata import option. Press Next.
Review the metadata summary. Press Next.
Under General Info:
Fill in the fields by (if not already imported using metadata)
Entity ID (copy from KSSO prepare step)
Connection Name
Base URL
Press Next
Select Configure Browser SSO. Press Next.
Select whether you want IDP-initiated SSO, SP-Initiated SSO, or both. Press Next.
Accept the default assertion lifetime. Press Next.
Select "Configure Assertion Creation"
Select Standard Identity Mapping. Press Next.
Configure Attribute Contract. This step may be skipped if you don't intend to use Just-in-time provisioning to create user accounts when users log into the Atlassian application.
"Extend the contract" with the additional fields from the table below.
Extend the tract: | Attribute Name Format |
|---|---|
urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified | |
givenName | urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified |
surname | urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified |
Press Next.
Authentication Source Mapping. Select Map New Adapter Instance.
Adapter Instance:
Choose your preferred Adapter Instance
In this example, we create: PingOne HTML Form Adapter
Press Next.
Mapping Method:
Select Use Only The Adapter Contract Values In The SAML Assertion. Press Next.
Attribute Contract Fulfillment:
Select the values for SAML_SUBJECT, email, givenName, and surname
Press Next.
Issuance Criteria:
Optionally add Issuance Criteria
Press Next.
IDP Adapter Mapping Summary:
Review the Summary
Press Done.
Assertion Creation
You have now completed Map New Adapter Instance
Select Map New Authentication Policy
Authentication Policy Contract
Choose an already existing Authentication Policy Contract or press Manage Authentication Policy Contracts.
In this example, we create a new policy contract
Manage Contracts
Select Create New Contract
Contract Info
Give the contract a name
Press Next
Contract Attributes
Extend the contract with the following attributes:
givenName
surname
userPrincipalName
After adding the attributes, press Next.
Authentication Policy Contract Summary
Review the Summary
Press Done
Authentication Policy Contracts
You have now added a new Authentication Policy Contract
Press Save
Selecting an Authentication Policy Contract
Select the desired Authentication Policy Contract
Press Next
Mapping Method
Select Use Only The Authentication Policy Contract Values In The SAML Assertion
Press Next
Attribute Contract Fulfillment
Map the Attribute Contract Attribute to the corresponding Value
Press Next
Issuance Criteria
Optionally add Issuance Criteria
Press Next
Authentication Policy Mapping Summary
Review the Summary
Press Done
Authentication Source Mapping
You have now completed
Map New Adapter Instance
Map New Authentication Policy
Press Next
Assertion Creation Summary
Review the Summary
Press Done
Assertion Creation
You have now completed the Assertion Creation
Press Next
Protocol Settings
Press Configure Protocol Settings
Assertion Consumer Service URL
The Endpoint URL should be automatically filled from the metadata
When not using metadata, add the ACS URL from the Prepare step in Kantega Single Sign-on
Note that in this example, we use the relative URL to the Base URL configured in General Info
Press Next
Allowable SAML Bindings
Set Redirect as the Allowable SAML Binding
Press Next
Signature Policy
You can choose to have the assertion singed or not
Press Next
Encryption Policy
Select whether you want the assertion encrypted as well
This guide does not cover encrypted assertions
Press Next
Protocol Settings Summary
Review the Summary
Press Done
Protocol Settings
You have now completed the Protocol Settings
Press Next, then Done
You have now completed the Browser Configuration
Press Next
Select Configure Credentials
Digital Signature Settings
Select an already existing certificate or create a new one
If you are making a new certificate, Press Manage Certificates
Manage Digital Signing Certificates
Press Create New
Create Certificate
Fill the required fields
Choose how long the certificate should be valid
Press Done
Create Certificate Summary
Review the Summary
Press Done
Manage Digital Signing Certificates
Make sure the desired certificate is active
Press Save
Digital Signature Settings
Select Include The Certificate In The Signature <Keyinfo> Element
Press Done
You have now completed Credentials
Press Next
Select Connection Status: Active
Press Save
Navigate for Server Configuration
Metadata Export
Metadata Mode
Select Use A connection For Metadata Generation
Press Next
Connection Metadata
Select the connection
Press Next
Metadata Signing
Select the signing certificate
Check Include This Certificate's Public Key In The Certificate <Keyinfo> Element.
Press Next
Export & Summary
Export the metadata (Press Export)
Press Done
Finally, go back to the Kantega SSO tab. Still on the Prepare step, press Next.
Select the exported metadata from Ping Federate
Press Next
Give the IDP a proper name
The SSO redirect URL is imported from the metadata
Review the imported signing certificate (This step is purely informational)
Press Next
Select whether users already exist or if you wish to have users automatically created upon login
Optionally assign a default group for new users.
You should now be able to test SAML login through Ping Federate.