How to configure PingFederate for SSO

This topic details how to configure PingFederate for single sign-on (SSO).

IMPORTANT  Before completing these steps, you will need to follow the steps in Prepare Venafi Platform for SAML SSO. You will need configuration information from the Venafi Service Provider Metadata XML file to complete this process.

PingFederate is an on-premise single sign-on (SSO) identity provider and directory service.

NOTE  These instructions were written based on PingFederate 10.2 on Windows Server 2016. If your server or software version is different, you will need to make necessary adjustments.

You must have an existing functional PingFederate deployment to use these steps. These instructions detail how to add a new Application (Venafi Platform).

You will want to consult with your identity provider management team to determine who should be able to authenticate to Venafi Platform via PingFederate. You'll need that information near the end of the procedure below.

IMPORTANT  While Venafi makes an effort to provide accurate information on third-party integration steps, these steps may differ for your service provider, especially as identity providers release new updates. If you have questions about how to use this third-party integration, we recommend you start with the vendor's documentation and support teams. These instructions should be considered a template, not definitive steps. Your specific steps may vary, depending on how your organization integrates with each third-party platform.

To configure PingFederate for single sign-on

  1. Log in to PingFederate on-premise, and open Applications.
  2. From the side menu, click Integration > SP Connections.
  3. Click Create Connection.

    PingFederate cannot import the Service Provider Metadata XML file directly as a connection, which is why you can't click Import Connection; you will upload the file in the Import Metadata tab instead.

  4. In the SP Connections section:

    1. In the Connection Template tab

      PingFederate SP Connections Template settings
      Field     Value
      Template  Do not use a template for this connection
    2. In the Connection Type tab

      PingFederate SP Connections Connection settings
      Field                  Value
      Browser SSO Profiles   Checked
      Protocol               SAML 2.0
      WS-Trust STS           Unchecked
      Outbound Provisioning  Unchecked

      Click Next.

    3. In the Connection Options tab

      PingFederate SP Connections Connection Options settings
      Field            Value
      Browser SSO      Checked
      Attribute Query  Unchecked

      Click Next.

    4. In the Import Metadata tab

      PingFederate SP Connections Metadata settings
      Field     Value
      Metadata  File (radio button)

      Then click Choose File, and select the Service Provider Metadata XML file you saved from Venafi Platform, then click Next.

    5. In the Metadata Summary tab

      PingFederate SP Connections Metadata Summary
      Field      Value
      Entity ID  This field will contain the FQDN obtained from the XML file.

      Click Next.

    6. In the General Info tab

      PingFederate SP Connections General Info settings
      Field                Value
      Partner's Entity ID  This field will contain the EntityID from the XML file.
      Connection Name      This field will contain the Entity ID from the XML file. You can customize this, if you prefer.
      Base URL             This field will contain the URL from the XML file.

      Click Next.

    7. In the Browser SSO tab, click Configure Browser SSO.

      • In the SAML Profiles sub-tab,

        • Checked - IDP-INITIATED SSO (only works if Venafi Platform is reachable by IP address or FQDN)
        • Checked - SP-INITIATED SSO
        • Unchecked - IDP-INITIATED SLO
        • Unchecked - SP-INITIATED SLO
      • In the Assertion Lifetime sub-tab, leave default settings.
      • In the Assertion Creation sub-tab, click Configure Assertion Creation.

        • On Identity Mapping, select STANDARD.
        • On Attribute Contract, select the following from the SAML_Subject dropdown: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
        • On Authentication Source Mapping, click Map New Adapter Instance.

          • For Adapter Instance, select FederateUsers.
          • For Mapping Method, select Use only the Adapter Contract values in the SAML assertion.
          • For Attribute Contract Fulfillment:

            PingFederate Attribute Contract Fulfillment
            Attribute     Source   Value
            SAML_SUBJECT  Adapter  username
          • For Issuance Criteria, leave empty.
          • For Summary, review, then click Done.

            You'll be taken back to the Authentication Source Mapping page. Click Next.

        • On Summary, review, then click Done.

          You'll be taken back to the Assertion Creation sub-tab. Click Next.

      • In the Protocol Settings sub-tab, click Configure Protocol Settings.

        • On Assertion Consumer Service URL, accept the default settings.
        • On Allowable SAML Bindings:

          PingFederate Allowable SAML Bindings
          Field     Setting
          Artifact  Unchecked
          Post      Checked
          Redirect  Checked
          SOAP      Unchecked
        • On Signature Policy:

          PingFederate Signature Policy
          Field                      Setting
          Require Authn Requests...  Unchecked
          Always sign assertion      Checked
          Sign Response as required  Checked
        • On Encryption Policy, accept the default settings (none).
        • On Protocol Settings Summary, review, then click Done.

          You'll be taken back to the Protocol Settings page. Click Next.

      • In the Summary sub-tab, review, then click Done.

        You'll be taken back to the Browser SSO tab. Click Next.

    8. In the Credentials tab, click Configure Credentials.

      • In the Digital Security Settings sub-tab:

        PingFederate Digital Security settings
        Field                Value
        Signing Certificate  Select any; if none exist, click Manage Certificates to either create one or import one for use.
        Signing Algorithm    RSA SHA256
      • In the Summary sub-tab, review, then click Done.

        You'll be taken back to the Credentials tab. Click Next.

    9. In the Activation and Summary tab, review your selections, then click Save.

      You'll be taken back to the SP Connections section, where you can see the newly-created connection.

  5. In the SP Connections section, locate your newly-created connection, then click Select Action > Export Metadata.
  6. On the Metadata Signing sub-tab, select any signing certificate, and select the RSA SHA256 signing algorithm, then click Next.
  7. On the Export & Summary sub-tab, click Export. We refer to this file as the IDP Metadata XML file in our documentation.

    You'll need to save this to your Venafi Platform server, in a place you can find it later.
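To catch a bad export (unsigned, signed with a weaker algorithm, or missing the Post/Redirect endpoints) before it is imported into Venafi Configuration Console, the following Python script, added here and not part of the Venafi documentation or of PingFederate, checks an IDP Metadata XML file against the choices made in this procedure. It assumes the export advertises the emailAddress NameID format and one SingleSignOnService endpoint per allowed binding; the embedded sample metadata and its idp.example.com URLs are constructed for illustration.

```python
"""Check an exported PingFederate IdP Metadata XML file against the settings chosen above."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Only Post and Redirect were checked under Allowable SAML Bindings.
WANTED_BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                   "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"}

def check_idp_metadata(xml_text):
    """Return a list of findings; an empty list means the export matches the procedure."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is not md:EntityDescriptor"]
    findings = []
    # Step 6 signed the export with RSA SHA256; flag unsigned or weaker exports.
    method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        findings.append("metadata export is not signed")
    elif method.get("Algorithm") != RSA_SHA256:
        findings.append("metadata signed with %s, expected RSA SHA256" % method.get("Algorithm"))
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return findings + ["no IDPSSODescriptor: this is not identity provider metadata"]
    # A KeyDescriptor with use="signing" (or no use attribute) carries the assertion-signing cert.
    if not any(k.get("use") in (None, "signing") for k in idp.findall("md:KeyDescriptor", NS)):
        findings.append("no signing certificate published; Venafi cannot verify assertions")
    formats = {f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text}
    if EMAIL_NAMEID not in formats:
        findings.append("emailAddress NameID format (chosen for SAML_SUBJECT) not advertised")
    bindings = {s.get("Binding") for s in idp.findall("md:SingleSignOnService", NS)}
    findings += ["missing SingleSignOnService binding " + b for b in sorted(WANTED_BINDINGS - bindings)]
    findings += ["unexpected SingleSignOnService binding " + b for b in sorted(bindings - WANTED_BINDINGS)]
    return findings

# Constructed sample of a signed PingFederate export; not a real export.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com">
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo></ds:Signature>
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo/></md:KeyDescriptor>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/idp/SSO.saml2"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/idp/SSO.saml2"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_IDP_METADATA) or "OK: export matches the procedure")
```

Run it against the real file by passing its contents to check_idp_metadata; an empty result means the export matches the settings above.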

You are ready to finish configuring SSO in Venafi Configuration Console. See Importing Identity Provider Metadata XML into Venafi Configuration Console for SAML.