Configuring PingFederate as an Identity Provider

This topic explains how to configure single sign-on (SSO) between PingFederate and Pivotal Application Service (PAS).

Overview

Partnership creation between PingFederate and PAS involves the following steps:

  1. Configuring PingFederate as an identity provider (IDP). For more information, see Configure PingFederate as the SAML Identity Provider for PAS.

  2. Configuring the service provider (SP). For more information, see Configure PAS as the SAML Service Provider for PingFederate.

Configure PingFederate as the SAML Identity Provider for PAS

To configure PingFederate as the SAML IDP for your PAS tile:

  1. Download your IDP metadata from PingFederate Server:

    1. Log in to PingFederate Administrative Console.
    2. Select Administrative Functions.
    3. Click Metadata Export.
    4. If your PingFederate server is configured to act as both an IDP and an SP, indicate which type of configuration you want to export. The signing key can be exported. You can skip the options related to encryption keys and the metadata attribute contract because they are not supported at this time.
    5. Click Next.
  2. Follow the procedure in Configure PAS as a Service Provider for SAML in Configuring Authentication and Enterprise SSO for PAS to set the IDP metadata on PAS.

Configure PAS as the SAML Service Provider for PingFederate

To configure PAS as the SAML SP for PingFederate:

  1. Download the SP metadata from https://login.SYSTEM-DOMAIN/saml/metadata, where SYSTEM-DOMAIN is the system domain of your Pivotal Platform installation.

  2. Save the SP metadata to an XML file.

  3. Import the SP metadata to PingFederate:

    1. Log in to PingFederate Administrative Console.
    2. Under Main Menu, select IdP Configuration.
    3. Select SP Connection.
    4. Click Import.
    5. In the Import Connection screen, browse and select the .xml file downloaded in the previous step.
    6. Click Import.
    7. Click Done.
  4. Configure the NameID format. PAS expects the NameID format to be an email address, such as urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, and the NameID value to be the email address of the currently logged-in user. SSO does not function without this setting.

    1. Under Main Menu, click the connection name. To see a full list of connections, click Manage All SP.
    2. Under the SP Connection, select Browser SSO.
    3. Click Configure Browser SSO.
    4. Under Browser SSO, select Assertion Creation.
    5. Select Configure Assertion Creation.
    6. On the Summary screen, select Identity Mapping.
    7. Select Standard.
    8. For the NameID format, select Email Address and enter the email address of the user.
  5. Select the Authentication Source:

    1. Under the SP Connection, select Browser SSO.
    2. Select Configure Browser SSO.
    3. Under Browser SSO, select Assertion Creation.
    4. Select Configure Assertion Creation.
    5. On the Summary screen, select IdP Adapter Mapping.
    6. Select Adapter Instance Name.
    7. On the Summary screen, select Adapter Instance.
  6. Enable the SSO Browser Profiles:

    1. Under SP Connection, select Browser SSO.
    2. Select Configure Browser SSO.
    3. On the Summary screen, select SAML Profiles.
    4. Ensure that the IdP-Initiated SSO and SP-Initiated SSO checkboxes are enabled.

      Note: PAS does not support SLO profiles at this time. You can leave them disabled.

  7. Activate the SP Connection.
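The NameID requirement in step 4 is the setting that most often breaks this integration, so a pre-flight check helps before activating the connection. The following Python script is an added example, not code from the Pivotal documentation, PingFederate or PAS; it validates the Subject/NameID of an assertion against what PAS requires and lists the AssertionConsumerService URLs from the SP metadata you downloaded in step 1. The assertion and metadata samples are constructed for illustration, and the example.com hostnames are placeholders.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_nameid(assertion_xml):
    """Return the problems PAS would have with the assertion's Subject.
    An empty list means the NameID matches what step 4 requires."""
    root = ET.fromstring(assertion_xml)
    nameid = root.find(".//saml2:Subject/saml2:NameID", NS)
    if nameid is None:
        return ["assertion has no Subject/NameID"]
    problems = []
    fmt = nameid.get("Format")
    if fmt != EMAIL_FORMAT:
        problems.append(f"NameID Format is {fmt!r}; PAS requires {EMAIL_FORMAT}")
    value = (nameid.text or "").strip()
    if not EMAIL_RE.match(value):
        problems.append(f"NameID value {value!r} is not an email address")
    return problems


def sp_acs_locations(metadata_xml):
    """List the AssertionConsumerService URLs in the SP metadata, i.e. where
    PingFederate will deliver assertions once the file is imported."""
    root = ET.fromstring(metadata_xml)
    path = ".//md:SPSSODescriptor/md:AssertionConsumerService"
    return [acs.get("Location") for acs in root.findall(path, NS)]


# Constructed samples; real values come from PingFederate and from
# https://login.SYSTEM-DOMAIN/saml/metadata respectively.
BAD_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml2:NameID></saml2:Subject>
</saml2:Assertion>"""
GOOD_ASSERTION = (BAD_ASSERTION.replace("nameid-format:unspecified", "nameid-format:emailAddress")
                 .replace(">jdoe<", ">jdoe@example.com<"))
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="login.system.example.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.system.example.com/saml/SSO" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for name, xml in (("bad", BAD_ASSERTION), ("good", GOOD_ASSERTION)):
        print(name, check_nameid(xml) or "OK")
    print(sp_acs_locations(SP_METADATA))
```

To check a real assertion, decode the SAMLResponse from a browser capture of the PingFederate POST to the ACS URL and pass the Assertion element to check_nameid.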