SAML2

Configure SAML IdP

PingIdentity PingOne IdP

PingOne® is an Identity as a Service (IDaaS) solution that enables organizations to deliver single sign-on (SSO) for users with just one username and password—eliminating the multiple password security problem. PingOne delivers one-click access to all of the SaaS, legacy and custom web applications your users need while increasing security for your organization.

  1. Basic Information
    The first step is to provide some basic information about the application itself. The application can be public, or closed and available only to invited people.
    PingOne - Basic Information
  2. Create a browser-based SSO connection
    Our authentication process uses SAML2 and the following metadata (replace local.innosabi.com with the customer URL):
    innosabi Crowd Metadata
Assertion Consumer Service (ACS): https://local.innosabi.net
Entity ID: local.innosabi.net
Target Resource: https://local.innosabi.net
Single Logout Endpoint: https://local.innosabi.net/logout
Single Logout Response Endpoint: https://local.innosabi.net/samllogout
Single Logout Binding Type: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

Now we can upload our X.509 certificate from the customer repository (/certs). If none exists, you can generate a new one in our terminal:

cd APPLICATION_LOCAL/certs
openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem

The last step is to include the metadata from PingOne in our local.ini:

saml.idp.entityId = 'PingConnect'
saml.idp.singleSignOnService.url = 'https://sso.connect.pingidentity.com/sso/idp/SSO.saml2'
saml.idp.singleLogoutService.url = 'https://sso.connect.pingidentity.com/sso/SLO.saml2'
saml.idp.x509cert = 'Add the given certificate provided by the download link'
;saml.sp.debug = false
saml.sp.singleLogoutService.binding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Post'
saml.sp.x509cert = 'Add the certificate from the customer repository'
saml.sp.privateKey = 'Add the private key from the customer repository'
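Before deploying, it helps to sanity-check the local.ini SAML block: every key above present, the "Add the ..." placeholders actually replaced, the certificate and key values decodable as PEM or base64 DER, the SLO binding a real SAML 2.0 binding identifier (the spec spells it HTTP-POST), and debug left off. This checker is an added example written for this page, not innosabi or PingOne code; the sample ini it embeds is constructed, with stand-in certificate values that only carry DER's leading SEQUENCE byte.

```python
import base64
import configparser
import re
REQUIRED = ("saml.idp.entityId", "saml.idp.singleSignOnService.url",
            "saml.idp.singleLogoutService.url", "saml.idp.x509cert",
            "saml.sp.x509cert", "saml.sp.privateKey")
BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"}

# Constructed sample, not a real local.ini: the SLO URL is missing and the SP key is still a placeholder.
SAMPLE_INI = """\
saml.idp.entityId = 'PingConnect'
saml.idp.singleSignOnService.url = 'https://sso.connect.pingidentity.com/sso/idp/SSO.saml2'
saml.idp.x509cert = 'MIIBAgA='
saml.sp.singleLogoutService.binding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
saml.sp.x509cert = 'MIIBAgA='
saml.sp.privateKey = 'Add the private key from the customer repository'
"""

def load_ini(text):
    # local.ini has no section header, so prepend one; keep key case and split only on '='.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str
    parser.read_string("[saml]\n" + text)
    return {k: v.strip().strip("'\"") for k, v in parser["saml"].items()}

def looks_like_der(value):
    # Accept PEM (headers stripped) or bare base64; DER certs and keys start with SEQUENCE (0x30).
    body = re.sub(r"-----[A-Z ]+-----|\s+", "", value)
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:
        return False
    return raw[:1] == b"\x30"

def check_saml_config(text):
    cfg, findings = load_ini(text), []
    for key in REQUIRED:
        if key not in cfg:
            findings.append(f"{key}: missing")
        elif cfg[key].startswith("Add the"):
            findings.append(f"{key}: placeholder text not replaced")
        elif key.endswith(("x509cert", "privateKey")) and not looks_like_der(cfg[key]):
            findings.append(f"{key}: not PEM or base64 DER")
    binding = cfg.get("saml.sp.singleLogoutService.binding")
    if binding is not None and binding not in BINDINGS:
        findings.append("saml.sp.singleLogoutService.binding: not a SAML 2.0 binding URN")
    if cfg.get("saml.sp.debug", "false").lower() == "true":
        findings.append("saml.sp.debug: must stay disabled in production")
    return findings
```

Run `check_saml_config` over the real local.ini text; an empty list means the block is complete and the placeholders are gone.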

PingOne - Connections

  • SSO Attribute Requirements
    PingOne allows us to define several attributes, which need to be provided by the administrator. At least the following attributes should be given:
SAML_SUBJECT: Identifies the authenticated principal
givenName: First, or given name
mail: Email
sn: Surname
eduPersonPrincipalName: eduPersonPrincipalName
samaccountname: Accountname

PingOne - Attributes

  • Publish
    In order to be fully available, we need to publish our application.