Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

Similar documents
.NET SAML Consumer Value-Added (VAM) Deployment Guide

RECOMMENDED DEPLOYMENT PRACTICES. The F5 and Okta Solution for High Security SSO

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate

Using Microsoft Azure Active Directory MFA as SAML IdP with Pulse Connect Secure. Deployment Guide

Quick Connection Guide

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE

VAM. PeopleSoft Value-Added Module (VAM) Deployment Guide

PingOne. How to Set Up a PingFederate Connection to the PingOne Dock. Quick Start Guides. Version 1.1 December Created by: Ping Identity Support

SecureAuth IdP Realm Guide

Configuring Alfresco Cloud with ADFS 3.0

Zendesk Connector. Version 2.0. User Guide

SAML 2.0 SSO. Set up SAML 2.0 SSO. SAML 2.0 Terminology. Prerequisites

Integration Documentation. Automated User Provisioning Common Logon, Single Sign On or Federated Identity Local File Repository Space Pinger

Enabling Single Sign-On Using Okta in Axon Data Governance 5.4

Morningstar ByAllAccounts SAML Connectivity Guide

Configure Unsanctioned Device Access Control

Integrating the YuJa Enterprise Video Platform with Dell Cloud Access Manager (SAML)

Enabling Single Sign-On Using Microsoft Azure Active Directory in Axon Data Governance 5.2

SAML-Based SSO Solution

Unified Contact Center Enterprise (UCCE) Single Sign On (SSO) Certificates and Configuration

WebEx Connector. Version 2.0. User Guide

Quick Connection Guide

Integrating AirWatch and VMware Identity Manager

SAML-Based SSO Configuration

CLI users are not listed on the Cisco Prime Collaboration User Management page.

Slack Connector. Version 2.0. User Guide

SAML-Based SSO Configuration

Configuration Guide - Single-Sign On for OneDesk

Configuring and Delivering Salesforce as a managed application to XenMobile Users with NetScaler as the SAML IDP (Identity Provider)

Device Recognition Best Practices Guide

SAML-Based SSO Solution

Webthority can provide single sign-on to web applications using one of the following authentication methods:

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Pulse Connect Secure 8.x

RSA SecurID Access SAML Configuration for Datadog

VAM. Radius 2FA Value-Added Module (VAM) Deployment Guide

VAM. ADFS 2FA Value-Added Module (VAM) Deployment Guide

Remote Desktop (RD) Web Access Server (2012 R2) Integration Guide

INTEGRATING OKTA: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

OAM 2FA Value-Added Module (VAM) Deployment Guide

Configuring Single Sign-on from the VMware Identity Manager Service to Marketo

VAM. CAS Installer (for 2FA) Value- Added Module (VAM) Deployment Guide

Five9 Plus Adapter for Agent Desktop Toolkit

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

Security Provider Integration SAML Single Sign-On

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

RSA SecurID Ready Implementation Guide. Last Modified: December 13, 2013

Qualys SAML & Microsoft Active Directory Federation Services Integration

Security Provider Integration: SAML Single Sign-On

Configuring Confluence

CA SiteMinder Federation

Dropbox Connector. Version 2.0. User Guide

Quick Start Guide for SAML SSO Access

Box Connector. Version 2.0. User Guide

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

Cloud Secure Integration with ADFS. Deployment Guide

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

Okta Integration Guide for Web Access Management with F5 BIG-IP

Quick Start Guide for SAML SSO Access

Juniper Networks SSL VPN Integration Guide

IMPLEMENTING SINGLE SIGN-ON (SSO) TO KERBEROS CONSTRAINED DELEGATION AND HEADER-BASED APPS. VMware Identity Manager.

CLI users are not listed on the Cisco Prime Collaboration User Management page.

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief

CONFIGURING AD FS AS A THIRD-PARTY IDP IN VMWARE IDENTITY MANAGER: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

SAML Authentication with Pulse Connect Secure and Pulse Secure Virtual Traffic Manager

SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 12.0(1)

BEST PRACTICES GUIDE RSA MIGRATION MODULE

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for Okta

RSA SecurID Access SAML Configuration for StatusPage

Google SAML Integration with ETV

CoreBlox Integration Kit. Version 2.2. User Guide

Manage SAML Single Sign-On

RSA SecurID Access WS-Fed Configuration for Microsoft SharePoint

Administering Workspace ONE in VMware Identity Manager Services with AirWatch. VMware AirWatch 9.1.1

Quick Connection Guide

Udemy for Business SSO. Single Sign-On (SSO) capability for the UFB portal

Contents Introduction... 5 Configuring Single Sign-On... 7 Configuring Identity Federation Using SAML 2.0 Authentication... 29

ArcGIS Server and Portal for ArcGIS An Introduction to Security

Five9 Plus Adapter for Microsoft Dynamics CRM

ADFS Setup (SAML Authentication)

Setting Up the Server

Upland Qvidian Proposal Automation Single Sign-on Administrator's Guide

OpenID Cloud Identity Connector. Version 1.3.x. User Guide

Oracle Access Manager Configuration Guide

VMware AirWatch Integration with SecureAuth PKI Guide

ComponentSpace SAML v2.0 Okta Integration Guide

VAM. Java SAML Consumer Value- Added Module (VAM) Deployment Guide

Add OKTA as an Identity Provider in EAA

Nimsoft Service Desk. Single Sign-On Configuration Guide. [assign the version number for your book]

Using Your Own Authentication System with ArcGIS Online. Cameron Kroeker and Gary Lee

MyWorkDrive SAML v2.0 Okta Integration Guide

Slack Cloud App SSO. Configuration Guide. Product Release Document Revisions Published Date

Warm Up to Identity Protocol Soup

Cloud Access Manager Configuration Guide

esignlive SAML Administrator's Guide Product Release: 6.5 Date: July 05, 2018 esignlive 8200 Decarie Blvd, Suite 300 Montreal, Quebec H4P 2P5

NETOP PORTAL ADFS & AZURE AD INTEGRATION

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Citrix NetScaler Gateway 12.0

Table of Contents. Single Sign On 1

Web Access Management Token Translator. Version 2.0. User Guide

RSA SecurID Access SAML Configuration for Kanban Tool

SafeNet Authentication Manager

Transcription:

Integration Guide PingFederate SAML Integration Guide (SP-Initiated Workflow)

Copyright Information 2018. SecureAuth is a registered trademark of SecureAuth Corporation. SecureAuth s IdP software, appliances, and other products and solutions are copyrighted products of SecureAuth Corporation. Revision History Version Date Notes 0.1 2017-11-21 Initial draft 1.0 2018-03-09 First draft completed 1.1 2018-08-06 Updates For information on support for this module, contact your SecureAuth support or sales representative: Email: support@secureauth.com inside-sales@secureauth.com Phone: +1.949.777.6959 or +1-866- 859-1526 Website: https://www.secureauth.com/support https://www.secureauth.com/contact 2

Table of Contents Introduction... 4 Prerequisites... 4 Integration... 5 SecureAuth IdP Configuration... 5 PingFederate Configuration... 10 Testing the Configuration... 23 3

Introduction This guide details how to integrate PingFederate with SecureAuth IdP using SAML through SP- initiated workflow. Prerequisites Before beginning the integration, perform these steps: + Have a Ping Federate Administrator Account + Create a SecureAuth IdP Realm for the PingFederate Integration 4

Integration Integrating SecureAuth IdP to PingFederate is a three-step process: + SecureAuth IdP Configuration + PingFederate Configuration + Testing the Configuration SecureAuth IdP Configuration Follow this process to configure SecureAuth IdP for use with PingFederate: 1. Create a realm in SecureAuth IdP to handle PingFederate communications. For more on this, refer to the SecureAuth IdP Realm Guide. 2. Configure the new realm using the following tabs in the Web Admin, before configuring the Post Authentication tab: Overview the description of the realm and SMTP connections must be defined Data an enterprise directory must be integrated with SecureAuth IdP Workflow the way in which users access this application must be defined Registration Methods / Multi-Factor Methods the Multi-Factor Authentication methods that are used to access this page (if any) must be defined 5

3. Return to the Data tab and ensure the Membership Connection is set correctly by scrolling down to the Profile Fields section and map the directory field that contains the user's email address ( Email 1 field, for example) to the correct SecureAuth IdP property. FIGURE 1. Profile Fields Section for Email Mapping You can choose to map additional fields as SAML attributes, if necessary. 4. Click to the select the Post Authentication tab, then select the SAML 2.0 (SP Initiated) Assertion option from the Authenticated User Redirect drop-down list as shown in Figure 2. An unalterable URL auto-populates the Redirect To field, which then appends to the domain name and realm number in the address bar (like this example: Authorized/ SAML20SPInit.aspx). FIGURE 2. Post Authentication Page Example 5. If required, upload a customized post authentication page using the Upload a Page field. 6

6. Scroll down to the User ID Mapping section and make the following field selections. Fields User ID Mapping Name ID Format Encode to Base64 Description/Recommendations Select the SecureAuth IdP property that corresponds to the Profile Field value (see Figure 1). In this case, it is Email 1. Select urn:oasis:names:tc:saml:1.1:nameid-format:unspecified. Select False. An example of this section is shown in Figure 3. FIGURE 3. User ID Mapping Section 7. Scroll down to the SAML Assertion/WS Federation section and make changes to the following fields. Fields WSFed/SAML Issuer SAML Consumer URL SAML Recipient SAML Audience Description/Recommendations Set to any value, typically in the form https://<issuername>.com Set to the appropriate value found in PingFederate. Typically, this value is the application s FQDN with a fixed path extension, such as: https://<fqdn>/sp/acs/saml2. NOTE: This value is located in the Protocol Endpoints hyperlink, which is in the Federation Info section under the Server Configuration tab. Set to the same value as designated for the SAML Consumer URL field. Set to the same value as the SAML 2.0 Entity ID on Ping Federate. NOTE: This value must differ from the user inputs value for the WSFED/SAML Issuer field and is located in the Federation Info section under the Server Configuration tab. 7

Fields SP Start URL SAML Offset Minutes SAML Valid Hours WS-Fed Signing Algorithm SAML Signing Algorithm Description/Recommendations This field is not mandatory to enable SSO and to redirect users appropriately to access SecureAuth. In case the user needs to include it, this URL value is the same as the start site for the SP Application. For example: http:<fqdn>:<portnumber>/sp/ startsso.ping?partnerspid=samlissuer Set to 5 minutes to make up for time differences between devices. Set the to 1 hour to limit for how long the SAML assertion is valid. Set both to SHA1. An example of this section is shown in Figure 4. FIGURE 4. SAML Assertion/WS Federation Section 8. Scroll down to the end of this section and provide these field values. Fields Sign SAML Assertion Sign SAML Message Encrypt SAML Assertion Description/Recommendations Set to False. Set to True. Set to False. 8

An example of these SAML fields is shown in Figure 5. FIGURE 5. SAML Fields Examples 9. Leave the Signing Cert Serial Number field as the default value, unless there is a thirdparty certificate being used for the SAML assertion. NOTE: When using a third-party certificate, click Select Certificate and choose the appropriate certificate. FIGURE 6. Signing Certificate Section 10. If required, scroll down to the Forms Auth/SSO Token section, then click the View and Configure FormsAuth keys / SSO token link to configure the token/cookie settings and to configure this realm for SSO, as shown in Figure 7. FIGURE 7. Forms Auth/SSO Token Section 11. Once the configurations have been completed and before leaving the Post Authentication page, click Save to avoid losing changes. 9

PingFederate Configuration Follow this process to configure PingFederate for use with SecureAuth IdP: 1. From the left pane of the PingFederate main menu, click on the SP Configuration tab. A screen like Figure 8 appears. FIGURE 8. PingFederate SP Configuration page 2. Under the IDP CONNECTIONS section, click the Create New link to start the IdP Connector wizard and create a new IdP connection. FIGURE 9. IdP Connection Wizard 3. Check the Browser SSO Profiles box and the Protocol of SAML 2.0 is auto-selected as shown in Figure 9. 4. Click Next. 10

The Connection Options tab appears. 5. Check the Browser SSO box, then click Next as shown in Figure 10. FIGURE 10. Connection Options Page The Metadata URL tab appears. 6. Click Next to skip the Metadata URL section. 11

The General Info page appears as shown in Figure 11. FIGURE 11. General Info Page 7. In the Partners Entity ID text box, enter the correct value. This value must be the same as the value entered in the WS-Fed / SAML Issuer field on the Post Auth tab in SecureAuth IdP. In Figure 11, this value is SAMLIssuer, the same value specified in Step 7 on page 4. 8. At the Connection Name text box, enter any name required. 9. Click Next. The Browser SSO tab appears like Figure 12. FIGURE 12. Browser SSO Page 12

10. Click on the Configure Browser SSO button. 11. Under the SAML Profiles tab page, check both IDP Initiated SSO and SP Initiated SSO as shown in Figure 13, then click Next. FIGURE 13. Browser SSO SAML Profiles Tab Page The User-Session Creation tab page appears as shown in Figure 14. FIGURE 14. Browser SSO User-Session Creation Tab Page 12. Click Next. 13

The Protocol Settings tab page appears as shown in Figure 15. FIGURE 15. Browser SSO Protocol Settings Tab Page 13. Click on the Configure Protocol Settings button. The SSO Service URLs tab page of the Protocol Settings page appears like Figure 16. FIGURE 16. Protocol Settings SSO Service URLs Page 14. On the SSO Service URLs tab page, ensure that the only two bindings are: Redirect and SOAP and that the Endpoint URL maps to the correct SecureAuth realm. (In the Figure 16 example, it is realm SecureAuth39.) 15. Click Next when completed. 14

The Allowable SAML Bindings tab page appears like Figure 17. FIGURE 17. Protocol Settings Allowable SAML Bindings Page 16. Check the POST box then click Next twice. The Signature Policy tab page appears like Figure 18. FIGURE 18. Protocol Settings Signature Policy Page 17. Click to select the Use SAML Standard Requirements radio button then click Next. 15

The Encryption Policy tab page appears like Figure 19. FIGURE 19. Protocol Settings Encryption Policy Page 18. Click the None radio button then click Next. The Summary tab page appears like Figure 20. FIGURE 20. Protocol Settings Summary Page 19. Verify all the settings on this page then click Done. 16

The Protocol Settings page reappears like Figure 21. FIGURE 21. Protocol Settings Page 2 20. Click Next. 17

The Browser SSO Summary page appears as shown in Figure 22. FIGURE 22. Browser SSO Summary Page 21. Ensure that all the settings are correct then click Done. 18

The Browser SSO tab reappears, like Figure 23. FIGURE 23. IdP Connection Browser SSO Subpage 22. Click Next. The Credentials subpage appears like Figure 24. FIGURE 24. IdP Connection Credentials Subpage 23. Click the Configure Credentials button. 19

The Signature Verification Settings tab appears like Figure 25. FIGURE 25. Signature Verification Settings Tab Page 24. Click the Manage Signature Verification Settings button. The Trust Model tab page appears like Figure 26. FIGURE 26. Signature Verification Trust Model Subpage 25. Click to select the Unanchored radio button then click Next. 20

26. The Signature Verification Certificate subpage appears like Figure 27. FIGURE 27. Signature Verification Signature Verification Certificate Subpage 27. At the Primary pick list, select the SecureAuth IdP certificate. 28. Once the thumb print of the certificate appears, click Next. NOTE: If no certificate appears in the pick list, click the Manage Certificates button and import the appropriate SecureAuth certificate. The Summary page appears like Figure 28. FIGURE 28. Signature Verification Summary Subpage 29. When satisfied, click Done. 21

The Signature Verification Settings page reappears like Figure 29. FIGURE 29. Signature Verification Settings Page 2 30. Click Next. The Credentials Page reappears, like Figure 30. FIGURE 30. Credentials Summary Page 31. Verify all the settings and make appropriate edits if necessary, then click Done. 22

32. Click Next twice to move to the Activation & Summary tab page like Figure 31. Make sure the Status Connection is set to Active. FIGURE 31. Activation & Summary Page 33. Make sure Connection Status is set to Active and that all the other configuration values you specified are correctly displayed, then click Save. Testing the Configuration To test this configuration, perform these steps: 1. Open Firefox browser and download SAML Tracer. 2. Enter the SP Start URL. 3. Check to see if the SP Start URL is redirected to SecureAuth. 4. Enter the credentials (username and password) on the SecureAuth page. The user should be authenticated successfully into the application. 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback