Configure PingFederate as an IdP in the Cloud Identity Engine

  1. Prepare the metadata for the Cloud Identity Engine app in PingFederate.
    1. If you have not already done so, activate the Cloud Identity Engine app.
    2. In the Cloud Identity Engine app, select Authentication > SP Metadata > Download SP Metadata and Save the metadata in a secure location.
    3. Log in to PingFederate and select System > SP Affiliations > Protocol Metadata > Metadata Export.
    4. Select I am the Identity Provider (IdP), then click Next.
    5. Select information to include in metadata manually, then click Next.
    6. Select the Signing key you want to use, then click Next.
    7. Ensure that SAML 2.0 is the protocol, then click Next.
    8. Click Next; you do not need to define an attribute contract.
    9. Select the Signing Certificate and select Include this certificate's public key certificate in the <key info> element.
    10. Select the Signing Algorithm you want to use, then click Next.
    11. Select the same certificate as the Encryption certificate, then click Next.
    12. Review the metadata to verify the settings are correct, then Export the metadata.
  2. Add an IdP Provider profile in the Cloud Identity Engine app.
    1. Select Authentication > Identity Providers.
    2. Click Add IDP Provider.
    3. Enter a Profile Name.
    4. Select PingFederate as your IdP Vendor.
  3. Select the method you want to use to Add Metadata and Submit the IdP profile.
    • If you want to enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine IdP profile.
      1. In PingFederate, select System > OAuth Settings > Protocol Settings to copy the Base URL and SAML 2.0 Entity ID.
      2. Copy the necessary information from PingFederate and enter it in the IdP profile on the Cloud Identity Engine app as indicated in the following table:

        Copy or Download From PingFederate    Enter in Cloud Identity Engine IdP Profile
        Copy the SAML 2.0 Entity ID.          Enter it as the Identity Provider ID.
        Copy the Base URL.                    Enter the URL as the Identity Provider SSO URL.

      3. In PingFederate, select Security > Signing & Decryption Keys & Certificates to Export the certificate you want to use.
      4. In the Cloud Identity Engine app, Click to Upload the PingFederate certificate.
      5. Select the HTTP Binding for SSO Request to IdP method you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages: HTTP Redirect, which transmits SAML messages through URL parameters, or HTTP Post, which transmits SAML messages base64-encoded in an HTML form.
      6. Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
    • If you want to upload a metadata file, download the metadata file from your IdP management system.
      1. Locate the metadata file you exported in the first step.
      2. In the Cloud Identity Engine app, Click to Upload the metadata file, then Open the metadata file.
    The Cloud Identity Engine does not currently support the Get URL method for PingFederate.
  4. Test SAML setup to verify the profile configuration.
    This step is required to confirm that your firewall and IdP can communicate.
  5. If your IdP is configured to require users to log in using multi-factor authentication (MFA), select MFA is enabled on the IDP.
  6. Select the SAML attributes you want the firewall to use for authentication and Submit the IdP profile.
    1. In the Cloud Identity Engine, select the Username Attribute.
    2. (Optional) Select the Usergroup Attribute, Access Domain, User Domain, and Admin Role.