1. Create SAML SP Connection
Log in to your PingFederate instance, go to the admin dashboard, select “Applications” at the top, and select the “SP Connections” menu option.
On the "SP Connections" page, select the "Create Connection" button to begin creating a SAML SP Connection.
On the "Connection Template" page, select "Do not use a template for this connection" and click "Next".
On the "Connection Type" page, select "Browser SSO Profiles" with the "SAML 2.0" Protocol, and click "Next".
On the "Connection Options" page, select only "Browser SSO" and click "Next".
On the "Import Metadata" page, select "None" and click "Next".
Ten Thousand Coffees will provide the IdP URI (Entity ID) to you via a unique setup link.
On the "General Info" page, paste the IdP URI (Entity ID) into the "Partner's Entity ID (Connection ID)" field, and add a unique name in the "Connection Name" field, then click "Next".
2. Configure Browser SSO Settings
On the "Browser SSO" page, select the "Configure Browser SSO" button.
On the "SAML Profiles" page, select "SP-initiated SSO" under the "Single Sign-On (SSO) Profiles", and then click "Next".
Configure the Assertion Lifetime and click "Next".
3. Configure Assertion Creation
On the "Assertion Creation" page, select the "Configure Assertion Creation" button.
On the Identity Mapping page, select the "Standard" option and click "Next".
On the "Attribute Contract" page, define at least id, email, firstName and lastName attributes, as shown below, and then click "Next".
Extend the Contract | Attribute Name Format
email               | urn:oasis:names:tc:SAML:2.0:attrname-format:basic
firstName           | urn:oasis:names:tc:SAML:2.0:attrname-format:basic
id                  | urn:oasis:names:tc:SAML:2.0:attrname-format:basic
lastName            | urn:oasis:names:tc:SAML:2.0:attrname-format:basic
On the "Authentication Source Mapping" page, define the attribute mapping for your SAML setup. This can vary based on how you have PingFederate configured. Below, we describe an example that uses an Authentication Policy and user information from an LDAP server.
On the "Authentication Policy Mapping" setup, we define the following "Attribute Contract Fulfillment" settings to map the attributes to content from the policy or the LDAP server.
4. Configure Protocol Settings
On the "Assertion Consumer Service URL" page, paste the ACS URL into the Endpoint URL field with a POST binding, then click "Next". Ten Thousand Coffees will provide the ACS URL to you via a unique setup link.
On the "Allowable SAML Bindings" page, check at least POST and REDIRECT, then click "Next".
On the "Signature Policy" page, select "Always Sign Assertion", then click "Next".
On the "Encryption Policy" page, select "None", then click "Next".
5. Configure Credentials
On the "Digital Signature Settings" page, select a signing certificate and the RSA SHA256 signing algorithm, then click "Done".
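To confirm that a connection built per steps 3 to 5 actually emits what Ten Thousand Coffees expects, the following added example (not part of this guide, nor PingFederate or Ten Thousand Coffees code) runs structural checks over a SAML 2.0 assertion: signature present on the Assertion element, RSA-SHA256 algorithm, Recipient equal to the ACS URL, and the four contract attributes in the basic name format. The issuer and ACS URLs and the assertion itself are constructed placeholders; the signature value is not cryptographically verified here, so use a proper SAML library for that step.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
REQUIRED_ATTRS = ("id", "email", "firstName", "lastName")


def check_assertion(xml_text: str, acs_url: str) -> dict:
    """Structural checks only: does the assertion match steps 3-5 of the guide?
    Cryptographic verification of the signature is deliberately out of scope."""
    root = ET.fromstring(xml_text)
    tag = "{%s}Assertion" % NS["saml"]
    assertion = root if root.tag == tag else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return {"assertion_present": False}
    # "Always Sign Assertion" => ds:Signature is a direct child of the Assertion
    sig = assertion.find("ds:Signature", NS)
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS) if sig is not None else None
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    attrs = {a.get("Name"): a.get("NameFormat")
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {
        "assertion_present": True,
        "assertion_signed": sig is not None,
        "rsa_sha256": method is not None and method.get("Algorithm") == RSA_SHA256,
        "recipient_is_acs": scd is not None and scd.get("Recipient") == acs_url,
        "required_attrs_present": all(n in attrs for n in REQUIRED_ATTRS),
        "attrs_basic_format": all(attrs.get(n) == BASIC for n in REQUIRED_ATTRS),
    }


# Constructed sample (placeholder issuer/ACS URLs, dummy signature value).
ATTR = ('<saml:Attribute Name="%s" NameFormat="' + BASIC + '">'
        '<saml:AttributeValue>x</saml:AttributeValue></saml:Attribute>')
ACS = "https://sp.example.invalid/acs"  # placeholder for the real ACS URL
SAMPLE = (
    '<saml:Assertion xmlns:saml="%s" xmlns:ds="%s" ID="_c1" Version="2.0">'
    % (NS["saml"], NS["ds"])
    + '<saml:Issuer>https://idp.example.invalid</saml:Issuer>'
    '<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="' + RSA_SHA256 + '"/>'
    '</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
    '<saml:Subject><saml:NameID>jdoe</saml:NameID><saml:SubjectConfirmation>'
    '<saml:SubjectConfirmationData Recipient="' + ACS + '"/>'
    '</saml:SubjectConfirmation></saml:Subject><saml:AttributeStatement>'
    + "".join(ATTR % n for n in REQUIRED_ATTRS) + "</saml:AttributeStatement></saml:Assertion>"
)

if __name__ == "__main__":
    for name, ok in check_assertion(SAMPLE, ACS).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Feed it the decoded SAMLResponse captured from a test login (step 7) to spot a mismatch between the PingFederate settings and what the SP expects before users are affected.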
6. Upload Identity Provider Metadata
On the SP Connection list, find your Ten Thousand Coffees SAML 2.0 connection. Click on the "Select Action" menu and then select "Export Metadata" to download the connection metadata.
Upload the Identity Provider Metadata file using the unique setup link provided to you by Ten Thousand Coffees. It will look like this:
7. Test Single Sign-On
Ten Thousand Coffees will ask you to try signing in to test the connection.