SSO For PingFederate
PingFederate is a federation server that provides identity management, web single sign-on, and API security on your own premises. PingFederate supports all of the current identity standards including SAML, WS-Federation, WS-Trust, OAuth, and OpenID Connect, so users can securely access any applications they require with a single identity using any device.
Setting up Single Sign-On using PingFederate
Step 1: Creating a SP connection
Log in to PingFederate.
Go to the Identity Provider page in PingFederate, then click Create New under SP Connections.
Check the Browser SSO Profiles connection template on the Connection Type page and click Next.
Check the Browser SSO option on the Connection Options page and click Next.
Select File as the method for importing metadata and click Choose file to choose the SSO metadata on the Import Metadata tab. Click Next.
Enter the subdomain (including the https://protocol handler) in the Partnerâs Entity ID (Connection ID) field, your desired Connection Name, and enter the SAML Endpoint URL into the Base URL field, then scroll down to the bottom of the page and click Next.
Click Configure Browser SSO on the Browser SSO page.
Check the IdP-Initiated SSO and SP-Initiated SSO options on the SAML Profiles page, then click Next.
Enter your desired Assertion Lifetime and click Next.
Click Configure Assertion Creation on the Assertion Creation page.
Choose the Standard Identity Mapping option and click Next.
Change the Subject Name Format for the SAML_SUBJECT to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress. Add the Attribute Name Format for the Email as urn:oasis:names:tc:SAML:2.0:attrname-format:basic.
Click Next.
Click Map New Adapter Instance on the Authentication Source Mapping page.
Choose your desired Adapter Instance and click Next.
Under the Mapping Method, select the option as shown below.
Click Add Attribute Source under Attribute Sources & User Lookup.
Specify the attribute store's details to use it in your configuration and click Next.
Configure your directory search under the LDAP Directory Search heading. Click Next.
Select Attribute Encoding Type as "Base64" for Mail Attribute. Click Next.
Select a filter for extracting data from your directory.
Under Attribute Contract Fulfillment, enter the below source and values for Email and SAML_SUBJECT attribute contracts.
For Email attribute contract, source as LDAP and Value as mail.
For SAML_SUBJECT attribute contract, source as LDAP and Value as Subject DN.
Click Next.
View the Attribute source summary page on the next screen.
On the next screen, leave the defaults.
On the next screen, select: SEND USER TO SP USING DEFAULT LIST OF ATTRIBUTES.
Under Attribute Contract Fulfillment, enter the below source and values for Email and SAML_SUBJECT attribute contracts.
For Email attribute contract, source as Adapter and Value as mail.
For SAML_SUBJECT attribute contract, source as Adapter and Value as username.
On the next screen, view the IDP Adapter Mapping summary.
On the next screen, leave the defaults.
View the summary information for your Assertion Creation configuration on the next screen.
On the next screen, leave the defaults.
On the next screen, click Configure Protocol Settings.
Enter the Protocol settings as shown.
On the next screen, select the SAML bindings as shown below.
Select the Artifact lifetime as 60 seconds.
On the next screen, enter the remote party URL. For ex- https://pg.autorabit.com/saml/
Click Next.
On the next screen, select: Always Sign Assertion.
Select Encryption policy as None. Click Next.
View the summary information for your protocol settings configuration.
On the next screen, leave the defaults.
View the summary information for your browser SSO configuration.
Click Configure Browser SSO.
On the next screen, click Configure Credentials.
Click Next.
On the next screen, click Configure beside Send to your partner section.
On the next screen, select the below checkboxes:
HTTP BASIC
PERFORM VALIDATION ON PARTNERS SSL SERVER CERTIFICATE WHEN SSL USED
On the next screen, specify the username and password to use to authenticate your partner's SOAP endpoint.
View the summary of SOAP authentication on the next screen. Click Done.
Click on Configure beside Receive from your partner section.
On the next screen, select the below checkboxes:
HTTP BASIC
REQUIRE SSL
On the next screen, specify the username and password to use to authenticate your partner's SOAP endpoint.
View the summary of SOAP authentication on the next screen. Click Done.
On the next screen, click Done.
Select the key/certificates for your digital signature settings. Click Done.
View the summary information for your Credentials configuration on the next screen. Click Done.
On the next screen, leave the defaults. Click Next.
Under the Activation & Summary screen, view the summary information for your SP connection. Click Done.
Find your recently created SP connection in the Identity Provider screen.
Click on Manage All.
Click on Select Action and choose Export Metadata for your SP connection.
From the list of certificates on the next screen, choose the certificate to use for signing the connection. Click Next.
On the next screen, click on Export. The metadata XML file will get downloaded to your local machine.
Step 2: Configuring SSO in AutoRABIT
Now that your PingFederate SSO implementation is set up, youâll need to follow just a few more steps to configure SSO in your AutoRABIT account.
Now, login into your AutoRABIT account.
Hover your mouse over the Admin module and select the option: My Account
On the My Account page, go to the SSO Configuration section.
Browse for the metadata XML file that you have downloaded previously in your local machine and upload them.
Sign out from your AutoRABIT account. On the login page, click on Single Sign On button.
Enter the domain name and click on Go.
Next, you will be redirected to your custom domain URL where you need to enter the PingFederate's credentials i.e., username and password to access the AutoRABIT.
Last updated
