Ping Federate | SAML

NOTE: The steps provided for configuring Ping Federate have not been updated recently, and some information and screenshots may be out of date.

1. Display name

Choose a name for your identity provider. This is the user-facing name, so choose a name your users will recognize. This can be changed later.

2. Prepare IDP

In the Prepare step, copy the Reply URL. You will need this when setting up Ping Federate.

Configure Ping Federate


If you are using SCIM with your provider, make sure to check out the documentation for configuring this before proceeding. It might be that you need to configure this first or at the same time as setting up SAML.

 

Open the Ping Federate admin console in a separate browser tab. Press Create New in IdpConfiguration.

Select Connection Template: Browser SSO Profiles PROTOCOL SAML 2.0. Press Next.

Select Browser SSO. Press Next.

Select the desired metadata import option. Press Next.

Review the metadata summary. Press Next.

Under General Info:

  • Fill in the following fields (if not already imported from the metadata):

    • Entity ID (copy from KSSO prepare step)

    • Connection Name 

    • Base URL

  • Press Next

Select Configure Browser SSO. Press Next.

Select whether you want IdP-initiated SSO, SP-initiated SSO or both. Press Next.

Accept the default assertion lifetime. Press Next.

Select “Configure Assertion Creation”

Select Standard Identity Mapping. Press Next.

Configure Attribute Contract. This step may be skipped if you don’t intend to use just-in-time provisioning to create user accounts when users log into the Atlassian application.

“Extend the contract” with the additional fields from the table below

Extend the contract    Attribute Name Format

email                  urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified

givenName              urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified

surname                urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified

Press Next.

Authentication Source Mapping. Select Map New Adapter Instance.

Adapter Instance:

  • Choose your preferred Adapter Instance

  • In this example we create: PingOne HTML Form Adapter

Press Next.


Mapping Method:

Select Use Only The Adapter Contract Values In The SAML Assertion. Press Next.

Attribute Contract Fulfillment:

  • Select the values for SAML_SUBJECT, email, givenName and surname

Press Next.

Issuance Criteria:

  • Optionally add Issuance Criteria

Press Next.

IDP Adapter Mapping Summary:

  • Review the Summary

Press Done.

Assertion Creation

  • You have now completed Map New Adapter Instance

  • Select Map New Authentication Policy

Authentication Policy Contract

  • Choose an already existing Authentication Policy Contract or press Manage Authentication Policy Contracts

  • In this example we create a new policy contract 

Manage Contracts

  • Select Create New Contract

Contract Info

  • Give the contract a name

  • Press Next

Contract Attributes

Extend the contract with the following attributes:

  • email

  • givenName

  • surname

  • userPrincipalName

After adding the attributes, press Next.

Authentication Policy Contract Summary

  • Review the Summary

  • Press Done

Authentication Policy Contracts

  • You have now added a new Authentication Policy Contract

  • Press Save

Selecting an Authentication Policy Contract

  • Select the desired Authentication Policy Contract

  • Press Next

Mapping Method

  • Select Use Only The Authentication Policy Contract Values In The SAML Assertion

  • Press Next



Attribute Contract Fulfillment

  • Map the Attribute Contract Attribute to the corresponding Value

  • Press Next

Issuance Criteria

  • Optionally add Issuance Criteria

  • Press Next

Authentication Policy Mapping Summary

  • Review the Summary

  • Press Done

Authentication Source Mapping 

  • You have now completed 

    • Map New Adapter Instance

    • Map New Authentication Policy

  • Press Next

Assertion Creation Summary

  • Review the Summary

  • Press Done

Assertion Creation

  • You have now completed the Assertion Creation

  • Press Next

Protocol Settings

  • Press Configure Protocol Settings

Assertion Consumer Service URL

  • The Endpoint URL should be automatically filled from the metadata 

  • When not using metadata, add the ACS URL from the Prepare step in Kantega Single Sign-on

  • Note that in this example we use a URL relative to the Base URL configured under General Info

  • Press Next

Allowable SAML Bindings

  • Set Redirect as the Allowable SAML Binding

  • Press Next

Signature Policy

  • You can choose to have the assertion signed or not

  • Press Next

Encryption Policy

  • Select whether you want the assertion encrypted as well

  • Encrypted assertions are not covered by this guide

  • Press Next

Protocol Settings Summary

  • Review the Summary

  • Press Done

Protocol Settings

  • You have now completed the Protocol Settings

  • Press Next, then Done

Browser SSO

  • You have now completed the Browser Configuration

  • Press Next

Credentials

  • Select Configure Credentials

Digital Signature Settings

  • Select an already existing certificate or create a new one

  • If you are creating a new certificate, press Manage Certificates

Manage Digital Signing Certificates

  • Press Create New

Create Certificate

  • Fill the required fields 

  • Choose how long the certificate should be valid

  • Press Done

Create Certificate Summary

  • Review the Summary

  • Press Done

Manage Digital Signing Certificates

  • Make sure the desired certificate is active

  • Press Save

Digital Signature Settings

  • Select Include The Certificate In The Signature <KeyInfo> Element

  • Press Done

Credentials

  • You have now completed Credentials

  • Press Next

Activation and Summary

  • Select Connection Status: Active

  • Press Save

Metadata Export

  • Navigate to Server Configuration

  • Metadata Export


Metadata Mode

  • Select Use A Connection For Metadata Generation

  • Press Next

Connection Metadata

  • Select the connection

  • Press Next

Metadata Signing

  • Select the signing certificate

  • Check Include This Certificate's Public Key In The Certificate <KeyInfo> Element

  • Press Next

Export & Summary

  • Export the metadata (Press Export)

  • Press Done

 

Go back to the Kantega SSO wizard.

3. Metadata

Upload the metadata.xml-file you exported from Ping Federate in the previous step.

4. Redirect URL

No need to do anything. The Redirect URL is automatically fetched from the metadata you imported in the previous step.

5. Certificate

6. Summary

Check that everything looks good and submit your setup.

Test

Test that the log-in with Ping Federate works as expected. This will help identify if there are any issues with the configuration. Follow the steps to perform the login test.
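When the test login needs troubleshooting, the assertion Ping Federate issued can be compared with the attribute contract configured above (SAML_SUBJECT, email, givenName, surname, all with the unspecified name format). The script below is an added example, not part of either product; it assumes the decoded assertion XML has already been captured, uses a constructed sample with two deliberate deviations, and does not verify signatures.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
REQUIRED = ("email", "givenName", "surname")  # names from the contract table

# Constructed assertion fragment (no signature, made-up user) for the demo.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_attribute_contract(assertion_xml):
    """Compare an assertion's subject and attributes with the contract."""
    root = ET.fromstring(assertion_xml)
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("SAML_SUBJECT: NameID missing or empty")
    found = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        # SAML core: an omitted NameFormat means 'unspecified'.
        found[attr.get("Name")] = (attr.get("NameFormat", UNSPECIFIED), values)
    by_lower = {(n or "").lower(): n for n in found}
    for name in REQUIRED:
        if name not in found:
            near = by_lower.get(name.lower())
            hint = " (found '%s', which differs in case)" % near if near else ""
            problems.append("%s: attribute missing%s" % (name, hint))
            continue
        fmt, values = found[name]
        if fmt != UNSPECIFIED:
            problems.append("%s: NameFormat is %s" % (name, fmt))
        if not values:
            problems.append("%s: no value" % name)
    return problems

if __name__ == "__main__":
    for p in check_attribute_contract(SAMPLE_ASSERTION):
        print(p)
```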