PingFederate ‑ Identity Provider Setup

1. Start a web browser.

2. Go to https://<pf_host>:9999/pingfederate/app.

3. The first time you access the PingFederate administrative console and after you have accepted the subscription agreement, you see two choices on how to proceed:

   1. Yes, Connect to PingOne for Enterprise

   2. No, Set Up Without PingOne for Enterprise

4. To continue setting up PingFederate, select No, Set Up Without PingOne for Enterprise. Click Next.

5. On the License tab, review or import your license.

6. On the Basic Information tab, enter your federation information.

7. On the Administrator Account tab, create an administrative account.

   1. Replace the default value in the Username field with a username of your choice. The default value is Administrator.

   2. Enter a password in the Password and Confirm Password fields, and then click Next.

8. On the Confirmation tab, review your configuration and click Done.

The PingFederate administrative console provides a wizard-like interface to configure your federation use cases.

Note:

The Save button is available on most tabs. If a tab does not show a Save button, click Next or Done until you reach a Save button to commit your changes.

Login by using the Administrator account.

1. Select the System tab and then select Data Stores to configure the IDP data store.

   

2. Enter a data store name and select its type – for example, Directory (LDAP).

   

3. Configure the LDAP details and check the Test Connection. Click Next.

   

4. Check the summary and click Save.

   

1. Go to System > Password Credential Validators > Create New Instance.

   

2. Select LDAP Username Password Credential Validator from the Type dropdown list.

   

3. Configure LDAP Search Base, Search Filter, Scope of Search and so on, in the Instance Configuration tab.

   

4. Add the extended Attribute contact in the Extended Contract tab.

   

5. Check Summary and then Save.

   

IdP adapters retrieve session information and provide user identification to PingFederate. The next step is to configure these adapters.

1. Select Authentication and click Idp Adapters.

2. Click Create New Instance.

   

3. Select Instance Name, Id, and the available type. For example, select the HTML Form IDP Adapter. It shows the html screen (UI) to the user to enter the credentials to authenticate the IDP. Click Next.

   

4. On the IdP Adapter tab, select the Password Credential Validator Instance name as configured in Configure Password Credential Validators.

   

5. Add any additional attributes that are required in the Extended Contract tab.

6. Select the Pseudonym to uniquely identify a user in SP in Adapter Attributes tab.

7. Configure Adapter contract in Adapter Contract Mapping tab. This is optional. Skip this if not required.

   

   

   

8. Check Summary and click Save.

   

1. Select the Applications tab and click the SP Connections shortcut.

   

2. Click Create Connection.

   

3. Select the Do not use a template for this connection in Connection Template button.

   

4. Select Browser SSO Profiles and SAML2.0 protocol in the Connection Type tab.

   

5. Select Browser SSO in the Connection Options tab.

   

6. Select Metadata None in Import Metadata tab if you do not have the metadata file or URL.

   

7. Enter the unique connection info in the General Info tab to identify the partners identity, for example, AESSOValidator

   

8. Click Configure Browser SSO in the Browser SSO tab.

9. Select the Single Sign-On and Single Logout profile options in Configure Browser SSO > SAML profile tab.

   

10. Configure Assertion Lifetime in Configure Browser SSO > Assertion Lifetime tab.

    

11. Click Configure Assertion Creation in Configure Browser SSO -> Assertion Creation tab.

    

12. Keep default Standard option in Configure Browser SSO -> Assertion Creation -> Configure Assertion Creation -> Identity Mapping tab.

    

13. Keep default in Configure Browser SSO -> Assertion Creation -> Configure Assertion Creation -> Attribute Contract tab.

    

14. Click Map New Adapter Instance in Configure Browser SSO -> Assertion Creation -> Configure Assertion Creation -> Authentication Source Mapping tab.

    

15. Select the Adapter Instance HTML Form Adapter that you created in Configure IDP Adapters Map New Adapter Instance -> Adapter Instance tab and click Next.

    

16. Retain the default option and click Next.

    

17. Select Source as Adapter and Value as username in Map New Adapter Instance -> Attribute Contract Fulfillment tab. Click Next.

    

18. Map New Adapter Instance -> Issuance Criteria tab and click Next. This is optional.

    

19. Check Map New Adapter Instance -> Summary tab and click Done.

    

20. When you see the screen below, click Next and check the Summary. Click Save.

    

    

21. Go to Assertion Creation configuration and click Next.

    

22. Click the Configure Protocol Settings button in Protocol Settings tab.

    

23. Select the Binding and Endpoint URL. Select POST from the dropdown list. Click Add in Assertion Consumer Service URL tab. For example, AssertionConsumerService.

    

24. Select the Binding, Endpoint URL, and Response URL. Click Add in SLO Service URLs tab. InitiateSingleLogout and SingleLogoutService respectively.

    

25. Select the allowable SAML bindings (POST, REDIRECT) in Allowable SAML Bindings tab.

    

26. Retain the default option and click Next.

    

27. Keep default option and click Next.

    

28. Check Summary and click Done.

    

29. Click Next.

    

30. Check Summary and click Done.

    

31. Click Next.

    

32. Click Configure Credentials in Credentials tab and click Next.

    

33. Select the Signature certificate in Configure Credentials -> Digital Signature Settings tab and click Next.

    

34. Click Manage Certificates and add new or import certificates. Click Next.

    

35. Click Manage Signature Verification Settings in Signature Verification Settings tab.

    

36. Select certificate or import certificate by using the Manage Certificates button in Manage Signature Verification Settings -> Trust Model tab. Click Next and then Done. The certificate is generated from Campaign Manager server or certificate provided by the customer.

    

    

37. Check Summary and click Done.

    

38. Click Next.

    

39. Activate the connection and click Save in Activation & Summary tab.

40. The configuration is complete. You can perform actions like Enable/Disable, Export Metadata, Export Connection, Copy, Delete.

    

    

41. Metadata has the EntityId, SSO and SLO URLs, signature certificates and other related details. You can use the metadata to configure the Service provider.

    

    To Configure SSO in Campaign Manager, repeat the steps given under section Campaign Manager Console SSO Configuration and Campaign Manager SSO Validator SAML Configuration.

1. To update the Identity Provider Entity ID, click the SYSTEM tab and Server in left menu.

   

2. Update SAML 2.0 Entity Id in Server > Protocol Settings > Federation Info tab. Click Save.

   

3. To Add or Update administrative accounts, click SYSTEM > Server > Administrative Accounts. Make the necessary changes. Click Save.

   

4. Import license in SYSTEM > Server > License Management.