Ping Federate | SAML
NOTE: The steps provided for how to configure Ping Federate have not been updated recently, and some information and screenshots may be out of date.
1. Display name
Choose a name for your identity provider. This is the user-facing name, so choose a name your users will recognize. This can be changed later.
2. Redirect Mode
Select how the user will be redirected to the identity provider. You may configure more redirect modes after completing the setup.
3. Prepare IDP
In the prepare step, copy the Reply URL. You will need this when setting up Ping Federate.
Configure Ping Federate
If you are using SCIM with your provider, make sure to check out the documentation for configuring this before proceeding. It might be that you need to configure this first or at the same time as setting up SAML.
Open the Ping Federate admin console in a separate browser tab. Press Create New in IdpConfiguration.
Connection Type
Select Connection Template: Browser SSO Profiles PROTOCOL SAML 2.0. Press Next.
Connection Options
Select Browser SSO. Press Next.
General Info
Fill in the fields:
Entity ID (copy from KSSO prepare step)
Connection Name
Base URL
Press Next
Browser SSO
Click the button Configure Browser SSO to create or revise Browser SSO configuration
Browser SSO, SAML Profiles
Select whether you want IdP-initiated SSO, SP-initiated SSO or both. Press Next.
Browser SSO, Assertion Lifetime
Accept the default assertion lifetime. Press Next.
Browser SSO, Assertion Creation
Click the button Configure Assertion Creation.
Assertion Creation, Identity Mapping
Select standard Identity Mapping. Press Next.
Assertion Creation, Attribute Contract
This step may be skipped if you don’t intend to use Just-in-time provisioning to create user accounts when users log into the Atlassian application.
“Extend the contract” with the additional fields from the table below. Press Next.
| Extend the contract | Attribute Name Format |
|---|---|
| | urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified |
| givenName | urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified |
| surname | urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified |
Assertion Creation, Authentication Source Mapping
Select Map New Authentication Policy to create a new contract or revise existing configuration.
Assertion Creation, Authentication Policy Mapping
Click the button Manage Policy Contracts to revise an already existing Authentication Policy Contract or to create a new Authentication Policy Contract.
In this example we have configured a contract (adfs-contract) with the following contract attributes:
email
group
subject
uid
Press Next (or click a heading to edit a configuration setting).
Authentication Policy Mapping, Mapping method
Select Use Only The Authentication Policy Contract Values In The SAML Assertion. Press Next.
Authentication Policy Mapping, Attribute Contract Fulfillment
Map the Attribute Contract Attribute to the corresponding Value. Press Next.
Authentication Policy Mapping, Issuance Criteria
Optionally add Issuance Criteria. Press Next.
Authentication Policy Mapping, Summary
Review the Summary. Press Done.
Assertion Creation, Authentication Source Mapping
You have now completed Assertion Creation, Authentication Source Mapping. Press Next.
Assertion Creation, Summary
Review the Summary. Press Done.
Browser SSO, Assertion Creation
You have now completed Browser SSO, Assertion Creation. Press Next.
Browser SSO, Protocol Settings
Click the button Configure Protocol Settings.
Protocol Settings, Assertion Consumer Service URL
Add the ACS URL from the Prepare IDP step in Kantega Single Sign-on.
Note that in this example we use a URL relative to the Base URL configured in the General Info section.
Press Next.
Protocol Settings, Allowable SAML Bindings
Set Post and Redirect as the Allowable SAML Binding. Press Next.
Protocol Settings, Signature Policy
You can choose to have the assertion signed or not. Press Next.
Protocol Settings, Encryption Policy
Select whether you want the assertion encrypted as well.
Encrypted assertions are not covered by this guide.
Press Next.
Protocol Settings, Summary
Review the Summary. Press Done.
Browser SSO, Protocol Settings
You have now completed Browser SSO, Protocol Settings. Press Next, then Done.
Browser SSO, Summary
Review Browser SSO, Summary. Press Done, then Next.
SP Connection, Activation and Summary
Summary information for your SP Connection. Press Save.
Go back to the Kantega SSO wizard.
4. Metadata
Upload the metadata.xml-file you exported from Ping Federate.
5. Redirect URL
You do not need to do anything. The Redirect URL is automatically fetched from the metadata you imported in the previous step.
6. Certificate
7. Summary
Check that everything looks good and submit your setup.
Test
Test that the log-in with Ping Federate works as expected. This will help identify if there are any issues with the configuration. Follow the steps to perform the login test.
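If the test login fails, the SAML response captured in the browser can be checked against what was configured above: the ACS URL, the signature policy, and the givenName and surname attributes from the attribute contract. The following is an added example, not part of either product; the sample response, URLs and function name are constructed, and the check only looks for a signature element without validating it.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample, not a real capture; the signature is an empty stand-in.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Destination="https://sp.example.com/constructed-acs">
  <saml:Assertion>
    <ds:Signature/>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def review_response(b64_response, acs_url, required=("givenName", "surname")):
    """Return a list of findings for a base64-encoded SAML response (POST binding)."""
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.find("saml:EncryptedAssertion", NS) is not None:
        return ["assertion is encrypted; attributes cannot be inspected here"]
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element in response"]
    findings = []
    # Presence check only: the service provider performs the real validation.
    signed = (root.find("ds:Signature", NS) is not None
              or assertion.find("ds:Signature", NS) is not None)
    if not signed:
        findings.append("neither Response nor Assertion carries a ds:Signature")
    if root.get("Destination") != acs_url:
        findings.append(f"Destination {root.get('Destination')!r} does not match the ACS URL")
    names = {a.get("Name") for a in assertion.iterfind(".//saml:Attribute", NS)}
    findings += [f"missing attribute {n}" for n in required if n not in names]
    return findings


if __name__ == "__main__":
    print(review_response(SAMPLE_B64, "https://sp.example.com/constructed-acs"))
```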
Metadata XML URL
To allow PingFederate to automatically pick up metadata updates (for example, a change of the SAML request signing key), you may copy the Metadata XML URL from the page below in Kantega SSO and insert it into the Metadata URL page in PingFederate.