
Setup Guide: PingFederate SAML

Emily B

1. Create SAML SP Connection

Log in to your PingFederate instance, go to the admin dashboard, select “Applications” at the top, and select the “SP Connections” menu option.

A screenshot showing where to find the SP Connections section in the PingFederate admin dashboard.

On the "SP Connections" page, select the "Create Connection" button to begin creating a SAML SP Connection.

A screenshot showing where the 'Create Connection' button is in PingFederate

On the "Connection Template" page, select "Do not use a template for this connection" and click "Next".

A screenshot showing where to select the 'Do not use a template for this connection' option in PingFederate.

On the "Connection Type" page, select "Browser SSO Profiles" with the "SAML 2.0" Protocol, and click "Next".

A screenshot showing where to select the 'Browser SSO Profiles' option in PingFederate.

On the "Connection Options" page, select only "Browser SSO" and click "Next".

A screenshot showing where to select the 'Browser SSO' option on the 'Connection Options' page in PingFederate.

On the "Import Metadata" page, select "None" and click "Next".

A screenshot showing where to select the 'None' option for importing Metadata in PingFederate.

Ten Thousand Coffees will provide the IdP URI (Entity ID) to you via a unique setup link.


On the "General Info" page, paste the IdP URI (Entity ID) into the "Partner's Entity ID (Connection ID)" field exactly as provided, add a unique name in the "Connection Name" field, then click "Next". PingFederate places this value in the Audience of every assertion it issues for this connection, so any difference (scheme, trailing slash, letter case) will cause Ten Thousand Coffees to reject the assertion.

A screenshot showing where to enter the Entity ID in PingFederate.

2. Configure Browser SSO Settings

On the "Browser SSO" page, select the "Configure Browser SSO" button.

A screenshot showing where to select the 'Configure Browser SSO' button in PingFederate.

On the "SAML Profiles" page, select "SP-initiated SSO" under "Single Sign-On (SSO) Profiles", and then click "Next".

A screenshot showing where to select 'SP-initiated SSO' in PingFederate.

Configure the Assertion Lifetime and click "Next". The lifetime becomes the NotBefore/NotOnOrAfter window stamped into each assertion, and Ten Thousand Coffees rejects assertions presented outside it. Keep the window short (the defaults of a few minutes either side of issuance are sufficient) so that a captured assertion cannot be replayed later, and make sure the PingFederate server's clock is synchronized with NTP, since clock drift is the usual cause of "assertion expired" or "not yet valid" failures.

3. Configure Assertion Creation

On the "Assertion Creation" page, select the "Configure Assertion Creation" button.

A screenshot showing where to locate the 'Configure Assertion Creation' button in PingFederate.

On the "Identity Mapping" page, select the "Standard" option and click "Next".

A screenshot showing where to select the 'Standard' option on the Identity Mapping page in PingFederate.

On the "Attribute Contract" page, define at least id, email, firstName and lastName attributes, as shown below, and then click "Next".

A screenshot showing where to define attributes in PingFederate.

Extend the Contract

Attribute     Attribute Name Format
email         urn:oasis:names:tc:SAML:2.0:attrname-format:basic
firstName     urn:oasis:names:tc:SAML:2.0:attrname-format:basic
id            urn:oasis:names:tc:SAML:2.0:attrname-format:basic
lastName      urn:oasis:names:tc:SAML:2.0:attrname-format:basic
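The script below is an added example (not code from Ten Thousand Coffees or Ping Identity) of the checks a service provider performs on an assertion after it has verified the signature: it enforces the NotBefore/NotOnOrAfter window that the Assertion Lifetime setting in section 2 produces, checks the Audience, and confirms that all four contract attributes above arrive with the basic name format. The sample assertion, the audience URL and the timestamps are constructed for illustration. XML signature verification needs a library such as python3-saml or signxml and is deliberately left out.

```python
"""Service-provider-side checks for a PingFederate assertion: lifetime window,
audience, and the id/email/firstName/lastName attribute contract.

Added example, not code from Ten Thousand Coffees or Ping Identity. The sample
assertion, entity IDs and timestamps are constructed placeholders. Signature
verification (which the SP must do first) is not attempted here.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
REQUIRED_ATTRIBUTES = ("id", "email", "firstName", "lastName")

# Constructed sample of what PingFederate emits for the contract on this page
# (values and URLs are placeholders, not real tenants).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS['saml']}"
    ID="_a1b2c3" IssueInstant="2024-05-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="id" NameFormat="{BASIC_FORMAT}">
      <saml:AttributeValue>u-10042</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email" NameFormat="{BASIC_FORMAT}">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName" NameFormat="{BASIC_FORMAT}">
      <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName" NameFormat="{BASIC_FORMAT}">
      <saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """SAML dateTime values are UTC ("Z"), with optional fractional seconds."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC timestamp ending in Z, got {value!r}")
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def extract_attributes(assertion_xml: str) -> dict:
    """Return {Name: value} for every attribute carrying the basic name format.
    Attributes with any other NameFormat are ignored, matching the contract."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("NameFormat") != BASIC_FORMAT:
            continue
        value = attr.find("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs


def validate_assertion(assertion_xml: str, expected_audience: str,
                       now: datetime, skew_seconds: int = 0) -> list:
    """Return a list of problems; an empty list means the assertion is acceptable
    (signature verification excluded). skew_seconds tolerates clock drift."""
    problems = []
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML_NS['saml']}}}Assertion":
        return ["root element is not saml:Assertion"]

    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        problems.append("missing saml:Conditions")
    else:
        skew = timedelta(seconds=skew_seconds)
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before is None or not_on_or_after is None:
            problems.append("Conditions lacks NotBefore/NotOnOrAfter (no lifetime window)")
        else:
            if now + skew < parse_saml_time(not_before):
                problems.append("assertion not yet valid")
            if now - skew >= parse_saml_time(not_on_or_after):
                problems.append("assertion expired")
        audiences = [a.text for a in conditions.findall(
            "saml:AudienceRestriction/saml:Audience", SAML_NS)]
        if expected_audience not in audiences:
            problems.append(f"audience {audiences} does not include {expected_audience!r}")

    attrs = extract_attributes(assertion_xml)
    for name in REQUIRED_ATTRIBUTES:
        if not attrs.get(name):
            problems.append(f"missing or empty contract attribute {name!r}")
    return problems


if __name__ == "__main__":
    issued = parse_saml_time("2024-05-01T12:00:00Z")
    print(validate_assertion(SAMPLE_ASSERTION, "https://sp.example.com/saml", issued))  # []
    late = issued + timedelta(minutes=10)
    print(validate_assertion(SAMPLE_ASSERTION, "https://sp.example.com/saml", late))  # ['assertion expired']
```

To use it against a real login, take the base64-decoded SAMLResponse from the browser's POST to the ACS URL and pass the inner saml:Assertion element; a non-empty list names the setting above to revisit (lifetime, entity ID, or the attribute contract fulfillment).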

On the "Authentication Source Mapping" page, define the attribute mapping for your SAML setup. This can vary based on how you have PingFederate configured. Below, we describe an example that uses an Authentication Policy and user information from an LDAP server.

A screenshot showing where to locate the 'Map New Authentication Policy' option in PingFederate.

In the "Authentication Policy Mapping" setup, we define the following "Attribute Contract Fulfillment" settings to map the attributes to content from the policy or the LDAP server.

A screenshot showing defined attributes in the Attribute Contract Fulfillment area in PingFederate.

4. Configure Protocol Settings

Navigate to the "Protocol Settings" page and select the "Configure Protocol Settings" button.
A screenshot showing where to select the 'Configure Protocol Settings' button in PingFederate.

On the "Assertion Consumer Service URL" page, paste the ACS URL into the "Endpoint URL" field, select the "POST" binding, then click "Next". Ten Thousand Coffees will provide the ACS URL to you via a unique setup link. Confirm that the URL uses https: the browser POSTs the SAML response, including the signed assertion and the user's attributes, to this endpoint, and because the assertion is not encrypted in this setup, TLS is the only protection it has in transit.

A screenshot showing where to paste the ACS URL in PingFederate.

On the "Allowable SAML Bindings" page, check at least "POST" and "REDIRECT", then click "Next". These are the bindings Ten Thousand Coffees may use when sending SAML messages such as the authentication request to PingFederate; the Redirect binding is the one normally used for SP-initiated SSO.

A screenshot showing where to select 'POST' and 'REDIRECT' on the 'Allowable SAML Bindings' page in PingFederate.

On the "Signature Policy" page, select "Always Sign Assertion", then click "Next". The assertion signature is what Ten Thousand Coffees relies on to confirm that an assertion was issued by your PingFederate instance and was not altered in transit, so it must stay enabled.

A screenshot showing where to select 'Always Sign Assertion' on the 'Signature Policy' page in PingFederate.

On the "Encryption Policy" page, select "None", then click "Next". With this setting the assertion is signed but not encrypted, so the contract attributes (id, email, firstName, lastName) are readable by the browser that relays them and are protected in transit only by TLS on the ACS URL.

A screenshot showing where to select 'None' on the 'Encryption Policy' page in PingFederate.

5. Configure Credentials

Navigate to the "Credentials" page, and select the "Configure Credentials" button.
A screenshot showing where to configure credentials in PingFederate.

On the "Digital Signature Settings" page, select a signing certificate and the "RSA SHA256" signing algorithm, then click "Done". Do not choose a SHA-1 variant. The public key of the certificate you select here is what Ten Thousand Coffees uses to verify assertion signatures, and it is included in the metadata you export in step 6; if you later rotate the certificate, the metadata must be exported and uploaded again.

A screenshot showing where to configure digital signature settings in PingFederate.

6. Upload Identity Provider Metadata

On the SP Connection list, find your Ten Thousand Coffees SAML 2.0 connection. Click on the "Select Action" menu and then select "Export Metadata" to download the connection metadata.

A screenshot showing where to export metadata in PingFederate.

Upload the Identity Provider Metadata file using the unique setup link provided to you by Ten Thousand Coffees. It will look like this:
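Before uploading, it is worth confirming that the exported file contains what the steps above configured. The script below is an added example (not code from Ten Thousand Coffees or Ping Identity) that parses identity-provider metadata and checks the entityID you expect PingFederate to use as Issuer, the presence of a usable signing certificate, the POST and Redirect single sign-on endpoints, and that every endpoint is HTTPS. The sample metadata, entity ID and endpoint URLs are constructed placeholders; a real export also carries an XML signature block, and a fuller check would parse the certificate (for example with the cryptography package) to confirm it has not expired.

```python
"""Sanity-check metadata exported from a PingFederate SP connection before
uploading it to the service provider.

Added example, not code from Ten Thousand Coffees or Ping Identity. The sample
metadata, entity ID, endpoint URLs and certificate are constructed placeholders.
"""
import base64
import binascii
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
REQUIRED_BINDINGS = (HTTP_POST, HTTP_REDIRECT)

# Stands in for the base64 DER certificate a real export contains (constructed).
PLACEHOLDER_CERT = base64.b64encode(b"constructed placeholder, not a certificate").decode()

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL}"
      WantAuthnRequestsSigned="false">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.com/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.com/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sso_endpoints(metadata_xml: str) -> dict:
    """Return {binding: location} for every SingleSignOnService endpoint."""
    root = ET.fromstring(metadata_xml)
    return {
        ep.get("Binding"): ep.get("Location")
        for ep in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    }


def signing_certificates(metadata_xml: str) -> list:
    """Return the DER bytes of each certificate usable for signing. A KeyDescriptor
    with no use attribute may serve both signing and encryption, so it counts."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            try:
                certs.append(base64.b64decode("".join((cert.text or "").split()), validate=True))
            except binascii.Error:
                continue  # malformed base64 is treated as no usable certificate
    return certs


def check_idp_metadata(metadata_xml: str, expected_entity_id: str) -> list:
    """Return a list of problems; empty means the export matches this guide's settings."""
    problems = []
    root = ET.fromstring(metadata_xml)
    if root.get("entityID") != expected_entity_id:
        problems.append(f"entityID {root.get('entityID')!r} != expected {expected_entity_id!r}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor: this is not identity-provider metadata"]
    if SAML2_PROTOCOL not in (idp.get("protocolSupportEnumeration") or "").split():
        problems.append("IDPSSODescriptor does not advertise SAML 2.0")
    if not signing_certificates(metadata_xml):
        problems.append("no usable signing certificate; the SP cannot verify assertion signatures")
    endpoints = sso_endpoints(metadata_xml)
    for binding in REQUIRED_BINDINGS:
        if binding not in endpoints:
            problems.append(f"missing SingleSignOnService binding {binding.rsplit(':', 1)[1]}")
    for location in endpoints.values():
        if not (location or "").startswith("https://"):
            problems.append(f"SSO endpoint {location!r} is not HTTPS")
    return problems


if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_METADATA, "https://idp.example.com"))  # []
```

Point check_idp_metadata at the file downloaded from "Export Metadata" and at your PingFederate entity ID; an empty list means the signing certificate and both bindings are present, and any problem reported points back to the section of this guide where that setting is made.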

7. Test Single Sign-On

Ten Thousand Coffees will ask you to try signing in to test the connection.

