Pivotal Cloud Foundry v1.12

Configuring PingFederate as an Identity Provider

This topic explains how to configure single sign-on (SSO) between PingFederate and Pivotal Cloud Foundry (PCF).

Configuring PingFederate as the SAML 2.0 Identity Provider on PCF

  1. Download your Identity Provider Metadata from PingFederate Server. Click Metadata Export under Administrative Functions on the Main Menu of the PingFederate Administrative Console. If your PingFederate server is configured to act as both an Identity Provider (IdP) and a service provider (SP), indicate which type of configuration you want to export and click Next. The Signing key can be exported. You can skip the options related to Encryption Keys and Metadata Attribute Contract because they are not supported at this time.
  2. Follow the steps in Configuring Authentication and Enterprise SSO for Elastic Runtime to set your IdP metadata on PCF.

Configuring PCF as the SAML 2.0 Service Provider on PingFederate

  1. Download your Service Provider Metadata from https://login.YOUR-SYSTEM-DOMAIN/saml/metadata.
  2. Import the Service Provider Metadata to PingFederate. Navigate to Main Menu > IdP Configuration > SP Connection and click Import. In the Import Connection screen, browse and select the .xml file downloaded in the previous step. Click Import and Done.
  3. PCF expects the NameID format to be an email address (for example, urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) and the value to be the email address of the currently logged in user. SSO does not function without this setting.
    1. Click the connection name on Main Menu. To see a full list of connections, click Manage All SP.
    2. Click Browser SSO under the SP Connection tab.
    3. Click Configure Browser SSO.
    4. Click Assertion Creation under the Browser SSO tab.
    5. Click Configure Assertion Creation.
    6. Click Identity Mapping on the Summary screen.
    7. Select Standard as the option and map the NameID format to be an email address and the value to be the email address of the user.
  4. Select the Authentication Source.
    1. Click Browser SSO under the SP Connection tab.
    2. Click Configure Browser SSO.
    3. Click Assertion Creation under the Browser SSO tab.
    4. Click Configure Assertion Creation.
    5. Click IdP Adapter Mapping on the Summary screen.
    6. Click Adapter Instance Name.
    7. Click Adapter Instance on the Summary screen.
  5. Enable the SSO Browser Profiles.

    1. Click Browser SSO under the SP Connection tab.
    2. Click Configure Browser SSO.
    3. Click SAML Profiles on the Summary screen.
    4. Ensure that IdP-initiated SSO and SP-initiated SSO are selected.

    Note: PCF does not support SLO profiles at this time, and you can leave them unchecked.

  6. Activate the SP Connection.
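
To confirm the Identity Mapping from step 3 before users depend on it, you can check the NameID in a SAML response captured from a test login. The script below is an added example, not part of the PCF or PingFederate documentation; the function name and the sample responses are constructed for illustration, and it inspects only the NameID (it does not validate the signature).

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Deliberately loose shape check; it does not prove the address exists.
EMAIL_SHAPE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_name_id(response_xml):
    """Return a list of problems with the assertion's NameID (empty = OK)."""
    # A SAML response never needs a DTD; refuse it rather than expand entities.
    if "<!DOCTYPE" in response_xml or "<!ENTITY" in response_xml:
        return ["DTD or entity declaration present; refusing to parse"]
    root = ET.fromstring(response_xml)
    name_ids = root.findall(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if len(name_ids) != 1:
        return ["expected exactly one Subject/NameID, found %d" % len(name_ids)]
    problems = []
    fmt = name_ids[0].get("Format")
    if fmt != EMAIL_FORMAT:
        problems.append("NameID Format is %r, not emailAddress" % fmt)
    value = (name_ids[0].text or "").strip()
    if not EMAIL_SHAPE.match(value):
        problems.append("NameID value %r is not an email address" % value)
    return problems


def _response(fmt, value):
    # Constructed, unsigned sample; a real response carries many more elements.
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s">'
        "<saml:Assertion><saml:Subject>"
        '<saml:NameID Format="%s">%s</saml:NameID>'
        "</saml:Subject></saml:Assertion></samlp:Response>"
    ) % (NS["samlp"], NS["saml"], fmt, value)


GOOD = _response(EMAIL_FORMAT, "jane@example.com")
BAD = _response("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", "jdoe")

if __name__ == "__main__":
    for label, xml in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_name_id(xml) or "NameID OK")
```

An encrypted assertion is reported as a missing NameID, because the script does not decrypt.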
