Configure PingFederate as an IdP in the Cloud Identity Engine

1. Prepare the metadata for the Cloud Identity Engine app in PingFederate.
   a. If you have not already done so, activate the Cloud Identity Engine app.
   b. In the Cloud Identity Engine app, select Authentication > SP Metadata > Download SP Metadata and Save the metadata in a secure location.
   c. Log in to PingFederate and select System > SP Affiliations > Protocol Metadata > Metadata Export.
   d. Select I am the Identity Provider (IdP), then click Next.
   e. Choose "Select information to include in metadata manually", then click Next.
   f. Select the Signing key you want to use, then click Next.
   g. Ensure that SAML 2.0 is the protocol, then click Next.
   h. Click Next; you do not need to define an attribute contract.
   i. Select the Signing Certificate and select Include this certificate's public key certificate in the <key info> element.
   j. Select the Signing Algorithm you want to use, then click Next.
   k. Select the same certificate as the Encryption certificate, then click Next.
   l. Review the metadata to verify the settings are correct, then Export the metadata.

2. Add PingFederate as an authentication type in the Cloud Identity Engine app.
   a. Select Authentication Types and click Add New Authentication Type.
   b. Set Up a SAML 2.0 authentication type.
   c. Enter a Profile Name.
   d. Select PingFederate as your Identity Provider Vendor.
   e. Select the method you want to use to Add Metadata and Submit the IdP profile.
      - If you want to enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine IdP profile.
        i. In PingFederate, select System > OAuth Settings > Protocol Settings to copy the Base URL and SAML 2.0 Entity ID.
        ii. Copy the necessary information from PingFederate and enter it in the IdP profile on the Cloud Identity Engine app as indicated in the following table:

            Copy or Download From PingFederate    Enter in Cloud Identity Engine IdP Profile
            Copy the SAML 2.0 Entity ID.          Enter it as the Identity Provider ID.
            Copy the Base URL.                    Enter the URL as the Identity Provider SSO URL.

        iii. In PingFederate, select Security > Signing & Decryption Keys & Certificates to Export the certificate you want to use.
        iv. In the Cloud Identity Engine app, Click to Upload the PingFederate certificate.
        v. Select the HTTP Binding for SSO Request to IdP method you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages: HTTP Redirect, which transmits SAML messages through URL parameters, or HTTP Post, which transmits SAML messages as base64-encoded content in an HTML form.
        vi. Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
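The following example is added here to show what the Maximum Clock Skew setting means in practice; it is not code from the Cloud Identity Engine documentation or from either product. It models how a SAML service provider such as the firewall checks the IssueInstant, NotBefore and NotOnOrAfter values of an IdP assertion against its own clock with a skew tolerance, so that an IdP whose clock runs ahead or behind by more than the tolerance is rejected. The assertion XML is constructed for illustration, and the IdP host name is a placeholder.

```python
"""Added example (not part of the Cloud Identity Engine documentation or
product code): how a SAML service provider such as the firewall applies a
maximum clock skew tolerance when it validates the time conditions carried
in an IdP assertion.  The assertion below is constructed for illustration
and the IdP host name is a placeholder."""
from datetime import datetime, timedelta, timezone
from typing import Tuple
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion with a five-minute validity window.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://pingfederate.example.com</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z"
                   NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """SAML dateTime values are UTC with a 'Z' suffix; return an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion_timing(assertion_xml: str, now: datetime,
                              max_clock_skew: int = 60) -> Tuple[bool, str]:
    """Return (ok, reason).  max_clock_skew mirrors the Cloud Identity Engine
    setting: tolerance in seconds, default 60, accepted range 1-900."""
    if not 1 <= max_clock_skew <= 900:
        raise ValueError("Maximum Clock Skew must be between 1 and 900 seconds")
    skew = timedelta(seconds=max_clock_skew)
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        return False, "assertion carries no Conditions element"
    issue_instant = parse_saml_time(root.get("IssueInstant"))
    not_before = parse_saml_time(conditions.get("NotBefore"))
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))

    # IdP clock ahead of the firewall: timestamps land in the firewall's
    # future.  Tolerate that only up to the configured skew.
    if issue_instant > now + skew:
        return False, "IssueInstant is in the future by more than the clock skew"
    if not_before > now + skew:
        return False, "NotBefore is in the future by more than the clock skew"
    # IdP clock behind the firewall: the window looks already expired.
    # NotOnOrAfter is exclusive, so validity requires now < NotOnOrAfter + skew.
    if now >= not_on_or_after + skew:
        return False, "assertion expired by more than the clock skew"
    return True, "time conditions satisfied"


def check_sample_at(now_utc: str, max_clock_skew: int = 60) -> bool:
    """Validate SAMPLE_ASSERTION as seen by a firewall whose clock reads
    now_utc (same dateTime format as the assertion)."""
    ok, _ = validate_assertion_timing(SAMPLE_ASSERTION, parse_saml_time(now_utc), max_clock_skew)
    return ok


if __name__ == "__main__":
    for clock, skew in (("2024-01-01T12:00:30Z", 60),
                        ("2024-01-01T11:58:30Z", 60),    # firewall 90 s behind the IdP
                        ("2024-01-01T11:58:30Z", 120)):
        print(clock, skew, validate_assertion_timing(SAMPLE_ASSERTION, parse_saml_time(clock), skew))
```

With the default of 60 seconds, a firewall whose clock is 90 seconds behind the IdP rejects the assertion because NotBefore is still in its future; raising the setting to 120 seconds makes the same assertion acceptable. Keeping the skew small and fixing time synchronisation (NTP on both sides) is the better remedy than widening the window, because the tolerance also extends how long an expired assertion remains usable.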
      - If you want to upload a metadata file, download the metadata file from your IdP management system.
        i. Locate the metadata file from the first step.
        ii. In the Cloud Identity Engine app, Click to Upload the metadata file, then Open the metadata file.
      - The Cloud Identity Engine does not currently support the Get URL method for PingFederate.
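Whether you upload the exported PingFederate metadata or enter the values by hand, the IdP profile ends up with the same three pieces of information from the table above: the entity ID, the SSO URL for the chosen binding, and the signing certificate. The following example is added here, and is not code from the Cloud Identity Engine or PingFederate, to show how those values are read out of a SAML 2.0 IdP metadata file; it also lets you confirm that the file you are about to upload really is IdP metadata (an IDPSSODescriptor) rather than the SP metadata downloaded in step 1. The metadata document, host name, endpoint path and certificate bytes are constructed placeholders.

```python
"""Added example (not the Cloud Identity Engine's or PingFederate's own
code): pull the entity ID, SSO URL and signing certificate out of an
exported SAML 2.0 IdP metadata file.  The metadata below is constructed for
illustration; host name, endpoint path and certificate bytes are placeholders."""
import xml.etree.ElementTree as ET
from typing import Dict

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# The two bindings the IdP profile lets you choose for the SSO request.
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_IDP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://pingfederate.example.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER-SIGNING-CERT...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER-ENCRYPTION-CERT...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://pingfederate.example.com/idp/SSO.saml2"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://pingfederate.example.com/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def extract_idp_profile(metadata_xml: str, binding: str = BINDING_POST) -> Dict[str, str]:
    """Return the values the IdP profile needs, keyed by the profile field.
    Raises ValueError when the document is not usable IdP metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("document is not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # SP metadata (an SPSSODescriptor) is the usual mix-up here.
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    # SSO URL: the endpoint advertised for the binding the profile will use.
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == binding:
            sso_url = svc.get("Location")
            break
    if sso_url is None:
        raise ValueError("IdP does not advertise binding %s" % binding)

    # Signing certificate: a KeyDescriptor with use="signing"; a missing
    # 'use' attribute means the key serves both signing and encryption.
    signing_cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                signing_cert = "".join(cert.text.split())  # strip PEM line wrapping
                break
    if signing_cert is None:
        raise ValueError("metadata carries no signing certificate")

    return {
        "identity_provider_id": root.get("entityID"),
        "identity_provider_sso_url": sso_url,
        "signing_certificate": signing_cert,
    }


if __name__ == "__main__":
    for field, value in extract_idp_profile(SAMPLE_IDP_METADATA).items():
        print("%-28s %s" % (field, value))
```

The signing certificate returned here is the base64 body only; to compare it with the file exported from Security > Signing & Decryption Keys & Certificates, wrap it in BEGIN/END CERTIFICATE lines or compare fingerprints. Selecting the encryption KeyDescriptor by mistake is a common cause of signature validation failures, which is why the lookup filters on the use attribute.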
   f. Test SAML setup to verify the profile configuration. This step is required to confirm that your firewall and IdP can communicate.
   g. If your IdP is configured to require users to log in using multi-factor authentication (MFA), select Multi-factor Authentication is Enabled on the Identity Provider.
   h. Select the SAML attributes you want the firewall to use for authentication and