Configuring PingFederate for TaaS

To use PingFederate as an identity provider for TaaS, you must first configure it.

Create a SAML application

  1. Sign into PingFederate and go to the admin console.
  2. From the MAIN menu, click Identity Provider and then click Create New in the SP CONNECTIONS section.
  3. In the Connection Type tab, select BROWSER SSO PROFILES and then click Next.
  4. In the Connection Options tab, select BROWSER SSO and then click Next.
  5. In the Import Metadata tab, select NONE and then click Next.
  6. In the Metadata Summary tab, click Next.
  7. In the General Info tab, click Next.
  8. In the Browser SSO tab, click Configure Browser SSO.

Configure Browser SSO

  1. In the SAML Profiles tab, select IDP-INITIATED SSO and SP-INITIATED SSO for both Single Sign-On (SSO) Profiles and Single Logout (SLO) Profiles, and then click Next.
  2. In the Assertion Lifetime tab, click Next.
  3. In the Assertion Creation tab, click Configure Assertion Creation.
    1. In the Identity Mapping tab, select STANDARD and then click Next.
    2. In the Attribute Contract tab, configure the following values and then click Next.

      SAML_SUBJECT: Select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress from the Subject Name Format drop-down list.
      Extend the Contract: Enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress in the text field, select urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified, and then click Add.

    3. In the Authentication Source Mapping tab, click Map New Adapter Instance.
      1. In the Adapter Instance tab, select an existing adapter that includes the user's e-mail address and then click Next.
      2. In the Mapping Method tab, select USE ONLY THE ADAPTER CONTRACT VALUES IN THE SAML ASSERTION and then click Next.
      3. In the Attribute Contract Fulfillment tab, select email from the Value drop-down list for both SAML_SUBJECT and http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress that you previously added, and then click Next.
      4. In the Issuance Criteria tab, configure any criteria and then click Next.
      5. In the Summary tab, click Done.
    4. In the Authentication Source Mapping tab, click Next.
    5. In the Summary tab, click Done.
    6. In the Assertion Creation tab, click Next.
  4. In the Protocol Settings tab, click Configure Protocol Settings.
    1. In the Assertion Consumer Service URL tab, verify that the Endpoint URL ending in /saml2/idpresponse is present and then click Next.
    2. In the SLO Service URLs tab, verify that the Endpoint URL ending in /saml2/logout is present and then click Next.
    3. In the Allowable SAML Bindings tab, verify that only POST and REDIRECT are selected, and then click Next.
    4. In the Signature Policy tab, verify that only ALWAYS SIGN ASSERTION is selected and then click Next.
    5. In the Encryption Policy tab, verify that NONE is selected and then click Next.
    6. In the Summary tab, click Done.
    7. In the Protocol Settings tab, click Next.
  5. In the Summary tab, click Done.
  6. In the Browser SSO tab, click Next.
  7. In the Credentials tab, click Configure Credentials.

Configure Credentials

  1. In the Digital Signature Settings tab, select the appropriate signing certificate, confirm that RSA SHA256 is selected as the signing algorithm, and then click Next.
  2. In the Signature Verification Settings tab, click Manage Signature Verification Settings.
    1. In the Trust Model tab, verify that UNANCHORED is selected and then click Next.
    2. In the Signature Verification Certificate tab, select the appropriate certificate and then click Next.

      If a certificate is not present in the drop-down list, extract it from the metadata, add the PEM header and footer, and import it manually.

    3. In the Summary tab, click Done.
    4. In the Signature Verification Settings tab, click Next.
  3. In the Summary tab, click Done.
  4. In the Credentials tab, click Next.
  5. In the Activation & Summary tab, click Save.