Configure SAML IdP
PingIdentity PingOne IdP
PingOne® is an Identity as a Service (IDaaS) solution that enables organizations to deliver single sign-on (SSO) for users with just one username and password—eliminating the multiple password security problem. PingOne delivers one-click access to all of the SaaS, legacy and custom web applications your users need while increasing security for your organization.
- Basic Information
The first step is to provide some basic information about the application itself. The application can be public, or closed so that it is available only to invited persons.
- Create a browser-based SSO connection
Our authentication process uses SAML 2.0 with the following metadata (replace local.innosabi.net with the customer URL):

innosabi Crowd Metadata

    Assertion Consumer Service (ACS): https://local.innosabi.net
    Entity ID: local.innosabi.net
    Target Resource: https://local.innosabi.net
    Single Logout Endpoint: https://local.innosabi.net/logout
    Single Logout Response Endpoint: https://local.innosabi.net/samllogout
    Single Logout Binding Type: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
Now we can upload our X.509 certificate from the customer repository (/certs). If none exists, you can generate a new one in our terminal:

    cd APPLICATION_LOCAL/certs
    openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem
The last step is to include the metadata from PingOne into our local.ini:

    saml.idp.entityId = 'PingConnect'
    saml.idp.singleSignOnService.url = 'https://sso.connect.pingidentity.com/sso/idp/SSO.saml2'
    saml.idp.singleLogoutService.url = 'https://sso.connect.pingidentity.com/sso/SLO.saml2'
    saml.idp.x509cert = 'Add the given certificate provided by the download link'
    ;saml.sp.debug = false
    saml.sp.singleLogoutService.binding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Post'
    saml.sp.x509cert = 'Add the certificate from the customer repository'
    saml.sp.privateKey = 'Add the private key from the customer repository'
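As an added example (not part of the innosabi documentation), the following Python check verifies that a SAML Response arriving at the ACS is actually addressed to the SP configured above: the Issuer must equal saml.idp.entityId, the Audience our Entity ID, and the Destination our ACS URL. Signature verification is assumed to be handled by the SAML library; the sample response is constructed.

```python
# Added example (not from the innosabi docs): sanity-check that a SAML Response
# targets the SP configured on this page. Signature verification is the SAML
# library's job (e.g. python3-saml); these checks catch a response issued by a
# different IdP or intended for a different SP. The sample XML is constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# From the page: saml.idp.entityId, the SP Entity ID and the ACS URL.
EXPECTED = {"issuer": "PingConnect",
            "audience": "local.innosabi.net",
            "destination": "https://local.innosabi.net"}

def check_response(xml_text, expected=EXPECTED, now=None):
    """Return a list of problems; an empty list means every check passed."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != expected["destination"]:
        problems.append("Destination is not our ACS")
    if root.findtext("saml:Issuer", namespaces=NS) != expected["issuer"]:
        problems.append("Issuer is not the configured IdP")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected["audience"]:
        problems.append("Audience is not our Entity ID")
    conditions = assertion.find("saml:Conditions", NS)
    expiry = conditions.get("NotOnOrAfter") if conditions is not None else None
    if expiry is None or datetime.fromisoformat(expiry.replace("Z", "+00:00")) <= now:
        problems.append("assertion expired or missing NotOnOrAfter")
    return problems

# Constructed sample response that matches the page's configuration.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://local.innosabi.net">
  <saml:Issuer>PingConnect</saml:Issuer>
  <saml:Assertion>
    <saml:Conditions NotOnOrAfter="2030-01-01T00:00:00Z">
      <saml:AudienceRestriction><saml:Audience>local.innosabi.net</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

Run `check_response(SAMPLE)` on a decoded (base64) SAMLResponse after the library has verified its signature; any non-empty result should be rejected and logged.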
- SSO Attribute Requirements
PingOne allows us to define several attributes, which need to be provided by the administrator. At least the following attributes should be given:

    SAML_SUBJECT: Identifies the authenticated principal
    givenName: First, or given name
    mail: Email
    sn: Surname
    eduPersonPrincipalName: eduPersonPrincipalName
    samaccountname: Accountname
Finally, the application must be published in PingOne in order to be fully available.