Ping Federate | SAML

NOTE: The steps provided for how to configure Ping Federate have not been updated recently, and some information and screenshots may be out of date.

1. Display name

Choose a name for your identity provider. This is the user-facing name, so choose a name your users will recognize. This can be changed later.

 

2. Redirect Mode

Select how the user will be redirected to the identity provider. You may configure more redirect modes after completing the setup.

 

3. Prepare IDP

In the prepare step, copy the Reply URL. You will need this when setting up Ping Federate.

 

Configure Ping Federate

EXTERNAL

If you are using SCIM with your provider, make sure to check out the documentation for configuring this before proceeding. It might be that you need to configure this first or at the same time as setting up SAML.

 

Open the Ping Federate admin console in a separate browser tab. Press Create New in IdpConfiguration.

Connection Type

Select Connection Template: Browser SSO Profiles PROTOCOL SAML 2.0. Press Next.

Connection Options

Select Browser SSO. Press Next.

General Info

Fill in the fields:

  • Entity ID (copy from KSSO prepare step)

  • Connection Name 

  • Base URL

Press Next.

Browser SSO

Click the button Configure Browser SSO to create or revise the Browser SSO configuration.

Browser SSO, SAML Profiles

Select whether you want IdP-initiated SSO, SP-initiated SSO or both. Press Next.

Browser SSO, Assertion Lifetime

Accept the default assertion lifetime. Press Next.

Browser SSO, Assertion Creation

Click the button Configure Assertion Creation.

Assertion Creation, Identity Mapping

Select standard Identity Mapping. Press Next.

Assertion Creation, Attribute Contract

This step may be skipped if you don’t intend to use Just-in-time provisioning to create user accounts when users log into the Atlassian application.

“Extend the contract” with the additional fields from the table below. Press Next.

Extend the contract    Attribute Name Format
email                  urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
givenName              urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
surname                urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
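
To confirm after a test login that the issued assertion fulfils the contract above, a decoded assertion can be checked as follows. This is an added example, not part of the original guide or of either product; the sample assertion is constructed, check_contract is a hypothetical helper name, and the check covers attributes only, not the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:"
# Attribute contract from the table above: name -> expected NameFormat.
CONTRACT = {n: FMT + "unspecified" for n in ("email", "givenName", "surname")}

# Constructed sample (not from a real IdP): givenName uses the wrong
# NameFormat and surname is absent, so two problems are expected.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_constructed" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="email" NameFormat="{FMT}unspecified">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="givenName" NameFormat="{FMT}basic">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_contract(assertion_xml, contract=CONTRACT):
    """Return a list of contract problems; an empty list means none were found."""
    if "<!DOCTYPE" in assertion_xml:
        raise ValueError("DTD found; SAML messages should not contain one")
    root = ET.fromstring(assertion_xml)
    seen = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        # An omitted NameFormat means "unspecified" per the SAML 2.0 core spec.
        seen[attr.get("Name")] = (attr.get("NameFormat", FMT + "unspecified"), values)
    problems = []
    for name, expected in contract.items():
        if name not in seen:
            problems.append(f"{name}: missing from assertion")
            continue
        fmt, values = seen[name]
        if fmt != expected:
            problems.append(f"{name}: NameFormat is {fmt}")
        if not values:
            problems.append(f"{name}: no value")
    return problems
```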

Assertion Creation, Authentication Source Mapping

Select Map New Authentication Policy to create a new contract or revise existing configuration.

Assertion Creation, Authentication Policy Mapping

Click the button Manage Policy Contracts to revise an already existing Authentication Policy Contract or to create a new Authentication Policy Contract.

In this example we have configured a contract (adfs-contract) with the following contract attributes:

  • email

  • group

  • subject

  • uid

Press Next (or click a heading to edit a configuration setting).

Authentication Policy Mapping, Mapping method

Select Use Only The Authentication Policy Contract Values In The SAML Assertion. Press Next.

Authentication Policy Mapping, Attribute Contract Fulfillment

Map the Attribute Contract Attribute to the corresponding Value. Press Next.

Authentication Policy Mapping, Issuance Criteria

Optionally add Issuance Criteria. Press Next.

Authentication Policy Mapping, Summary

Review the Summary. Press Done.

Assertion Creation, Authentication Source Mapping

You have now completed Assertion Creation, Authentication Source Mapping. Press Next.

Assertion Creation, Summary

Review the Summary. Press Done.

Browser SSO, Assertion Creation

You have now completed Browser SSO, Assertion Creation. Press Next.

Browser SSO, Protocol Settings

Click the button Configure Protocol Settings.

Protocol Settings, Assertion Consumer Service URL

Add the ACS URL from the Prepare IDP step in Kantega Single Sign-on.

Note that in this example we use a URL relative to the Base URL configured in the General Info section.

Press Next.

Protocol Settings, Allowable SAML Bindings

Set Post and Redirect as the Allowable SAML Binding. Press Next.

Protocol Settings, Signature Policy

You can choose whether or not to have the assertion signed. Press Next.

Protocol Settings, Encryption Policy

Select whether you want the assertion encrypted as well.

Encrypted assertions are not covered by this guide.

Press Next.

Protocol Settings, Summary

Review the Summary. Press Done.

Browser SSO, Protocol Settings

You have now completed Browser SSO, Protocol Settings. Press Next, then Done.

Browser SSO, Summary

Review Browser SSO, Summary. Press Done, then Next.

SP Connection, Activation and Summary

Summary information for your SP Connection. Press Save.


Go back to the Kantega SSO wizard.

4. Metadata

Upload the metadata.xml-file you exported from Ping Federate.

 

 

5. Redirect URL

You do not need to do anything. The Redirect URL is automatically fetched from the metadata you imported in the previous step.

 

6. Certificate

 

7. Summary

Check that everything looks good and submit your setup.

 

Test

Test that login with Ping Federate works as expected. This will help identify any issues with the configuration. Follow the steps to perform the login test.

 

 

Metadata XML URL

To allow PingFederate to update the metadata automatically (for example, when the SAML Request Signing Key changes), you may copy the Metadata XML URL from the page below in Kantega SSO and insert it into the Metadata URL page in PingFederate.