Configure PingFederate as an IdP in the Cloud Identity Engine
Table of Contents
Expand all | Collapse all
- Get Help
Configure PingFederate as an IdP in the Cloud Identity Engine
- Prepare the metadata for the Cloud Identity Engine app in PingFederate.
- If you have not already done so, activate the Cloud Identity Engine app.
- In the Cloud Identity Engine app, selectandAuthenticationSP MetadataDownload SP MetadataSavethe metadata in a secure location.
- Log in to PingFederate and select.SystemSP AffiliationsProtocol MetadataMetadata Export
- SelectI am the Identity Provider (IdP)then clickNext.
- Select information to include in metadata manuallythen clickNext.
- Select theSigning keyyou want to use then clickNext.
- Ensure thatSAML 2.0is the protocol then clickNext.
- ClickNextas you do not need to define an attribute contract.
- Select theSigning Certificateand that you want toInclude this certificate’s public key certificate in the <key info> element.
- Select theSigning Algorithmyou want to use then clickNext.
- Select the same certificate as theEncryption certificatethen clickNext.
- Review the metadata to verify the settings are correct thenExportthe metadata.
- Add PingFederate as an authentication type in the Cloud Identity Engine app.
- SelectAuthentication Typesand clickAdd New Authentication Type.
- Set UpaSAML 2.0authentication type.
- Enter aProfile Name.
- SelectPingFederateas yourIdentity Provider Vendor.
- Select the method you want to use toAdd MetadataandSubmitthe IdP profile.
- If you want to enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine IdP profile.
- In PingFederate, selectto copy theSystemOAuth SettingsProtocol SettingsBase URLandSAML 2.0 Entity.
- Copy the necessary information from PingFederate and enter it in the IdP profile on the Cloud Identity Engine app as indicated in the following table:Copy or Download From PingFederateEnter in Cloud Identity Engine IdP ProfileCopy theSAML 2.0 EntityID.Enter it as theIdentity Provider ID.Copy theBase URL.Enter the URL as theIdentity Provider SSO URL.
- In PingFederate, selecttoSecuritySigning & Decryption Keys & CertificatesExportthe certificate you want to use.
- In the Cloud Identity Engine app,Click to Uploadthe PingFederate certificate.
- Select theHTTP Binding for SSO Request to IdPmethod you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages (HTTP Redirect, which transmits SAML messages through URL parameters orHTTP Post, which transmits SAML messages using base64-encoded HTML).
- Specify theMaximum Clock Skew (seconds), which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
- If you want to upload a metadata file, download the metadata file from your IdP management system.
- Locate the metadata file from the first step.
- In the Cloud Identity Engine app,Click to Uploadthe metadata file, thenOpenthe metadata file.
The Cloud Identity Engine does not currently support theGet URLmethod for PingFederate. - Test SAML setupto verify the profile configuration.This step is required to confirm that your firewall and IdP can communicate.
- If your IdP is configured to require users to log in using multi-factor authentication (MFA), selectMulti-factor Authentication is Enabled on the Identity Provider.
- Select the SAML attributes you want the firewall to use for authentication andSubmitthe IdP profile.
- In the Cloud Identity Engine, select theUsername Attribute.
- (Optional) Select theUsergroup Attribute,Access Domain,User Domain, andAdmin Role.