Setting up SSO in the Software AG Cloud (SAG Cloud) with PingFederate as the Identity Provider (IdP) requires configuration in both environments, and each side needs values from the other. It therefore makes sense to keep both consoles open in two browser tabs from the start and switch between them as the steps below require.
The documentation for this topic is scattered across the PingFederate and Software AG sites, and some details are mentioned only in passing, without concrete examples. That makes it easy to misconfigure something and then spend time researching and fixing it.
With this short article, I am hoping to condense all relevant information in one location. This article is meant to provide a cheat sheet but does not replace the official documentation in any way.
The process described here was verified with PingOne as the identity store. It has the following prerequisites and steps:
You need a SAG Cloud tenant and a user with admin access to that tenant.
You need an active PingIdentity account.
You should have user identities set up in your PingIdentity account.
Set up PingIdentity to manage group membership (the groups are mapped to Software AG Cloud roles in the last step).
Add a PingFederate server to your PingIdentity account: in the PingOne console click PingFederate in the main menu, click Add Connection, and copy the credential it generates; you will paste it into PingFederate below.
Install and deploy PingFederate Server. The following link provides all the information you need to deploy PingFederate.
Installing and uninstalling PingFederate
Setting up PingFederate. The following link provides all the information you need to set up PingFederate.
Setting up PingFederate
In the PingFederate admin console click System > External Systems.
Click Add Connection, paste the PingOne credential copied in the step above, and click Save.
Click System > Data Stores.
Click Add New Data Store.
Enter Name as "PingOne", select Type as "PingOne Data Store 2.4.1" and click Next.
In Configure Data Store Instance select the PINGONE ENVIRONMENT; this is the PingOne connection added under External Systems above. Click Next.
In Actions click Test Connection to verify that PingFederate can reach your PingOne environment, then click Next.
In Summary verify the details and click Save.
Click Password Credential Validators and click Create New Instance.
Enter an INSTANCE NAME and INSTANCE ID, select the PingOne credential validator TYPE and click Next.
In Instance Configuration select the PINGONE DATASTORE created above and click Next.
In Extend Contract click Next, then review the summary and save the instance.
Select Authentication > IdP Adapters and click Create New Instance.
In the Type tab enter the Instance Name and Instance ID, select HTML Form IdP Adapter in the Type drop-down list and click Next. The IdP Adapter tab appears.
In the IdP Adapter tab click Add a new row to 'Credential Validators', select the password credential validator created in the previous step, and click Update. Leave the other settings at their defaults.
Click Next. The Extended Contract tab appears.
Add any additional attributes that must be retrieved from the configured user identity store (PingOne).
Click Next. The Adapter Attributes tab appears; select the attribute values used to construct the unique user identifier and click Next.
In the Adapter Contract Mapping tab click Next.
The Summary tab appears. Review the configuration and click Save. The IdP Adapter is configured.
Click Applications > SP Connections and click Create Connection.
In Connection Template keep the default (DO NOT USE A TEMPLATE FOR THIS CONNECTION) and click Next.
In Connection Type select BROWSER SSO PROFILES and click Next.
In Connection Options select BROWSER SSO and click Next.
In Import Metadata select File if you have a service provider metadata file; otherwise select None. Click Next.
In General Info enter the Entity ID and Connection Name and click Next.
The Entity ID has the form {{Hostname}}/auth/realms/{{realm_name}}, where the hostname and realm name are those of your Software AG Cloud tenant (both also appear in the redirect URI the tenant displays in a later step). It must match exactly, because the SP sends this value as the Issuer of every SAML request.
In Browser SSO click Configure Browser SSO.
In SAML Profiles select SP-INITIATED SSO and SP-INITIATED SLO and click Next.
In Assertion Lifetime keep the defaults and click Next.
In Assertion Creation click Configure Assertion Creation.
In Identity Mapping keep the defaults and click Next.
In Attribute Contract enter the set of user attributes that this server must send in the assertion and click Next.
In Authentication Source Mapping map an adapter instance for each identity management system, or an authentication policy contract for each policy.
Click Map New Adapter Instance.
In Adapter Instance select the IdP Adapter configured above and click Next.
In Mapping Method keep the defaults and click Next.
In Attribute Contract Fulfillment map each attribute of the Attribute Contract to a value from the authentication adapter and click Next.
In Issuance Criteria click Next, verify the IdP Adapter Mapping summary, and click Done. You return to the Assertion Creation configuration.
Click Next, verify the Assertion Creation summary, and click Done. You return to the Browser SSO configuration; click Next.
In Protocol Settings click Configure Protocol Settings. The Assertion Consumer Service URL it asks for is generated by Software AG Cloud, so switch tabs first.
In the other browser tab log in to your Software AG Cloud tenant as an administrator.
Select Administration > Single sign-on and click Add identity provider. The Add identity provider wizard appears.
Enter a display name in Identity provider display name and a unique identifier in Identity provider identifier for use in Software AG Cloud redirect URI.
Copy or make a note of the value displayed in the Software AG Cloud redirect URI field.
Switch back to the PingFederate tab.
In Assertion Consumer Service URL tick Default, set Index to 1 and Binding to POST, paste the Software AG Cloud redirect URI into Endpoint URL and click Add.
In SLO Service URLs select Binding POST, paste the same Software AG Cloud redirect URI into Endpoint URL, click Add, and then click Next.
In Allowable SAML Bindings check POST and REDIRECT bindings and click Next.
In Signature Policy select the option to sign the SAML assertion sent to the SP and click Next.
In Encryption Policy keep the defaults and click Next.
In Summary verify the configuration and click Done. You return to the SP connection configuration page; click Next.
In Credentials click Configure Credentials.
In Digital Signature Settings click Manage Certificates. This is where you create and maintain the server's signing certificates, which are used to sign assertions, security tokens, requests and responses.
Click Create New to create a self-signed certificate, or Import if you have a CA-signed certificate. This example creates a new self-signed certificate: 1. Click Create New. 2. In COMMON NAME enter the hostname from the Software AG Cloud redirect URI. 3. Fill in ORGANIZATION and COUNTRY and click Next. 4. Click Select Action > Export to download the self-signed certificate. Note the certificate's expiry date: when it expires, assertions are no longer accepted and SSO stops working, so plan to renew and re-import it before then.
In SIGNING CERTIFICATE select the newly created/imported certificate and click Next.
In Signature Verification Settings click Manage Signature Verification Settings: 1. In Trust Model select the option matching your certificate type. 2. In Signature Verification Certificate click Manage Certificates and import the certificate downloaded in the previous step; click Next and then Save. 3. Click Done on the Certificate Management page; you return to the Signature Verification Certificate page. 4. On the Summary page click Done; you return to the Credentials summary page. Click Done.
In Activation & Summary verify the details and click Save.
The SP connection is now configured and saved.
You can download your identity provider metadata by clicking Select Action > Export Metadata.
Select the certificate from the Signing Certificate drop-down list, click Next, and click Export to download the identity provider metadata file (IdpMetadata.xml).
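With the SP connection saved, SP-initiated SSO begins with Software AG Cloud redirecting the browser to PingFederate carrying a SAMLRequest. The following is an added example, not code from the article or from either vendor: it builds such an AuthnRequest, encodes it in the HTTP-Redirect binding allowed in Protocol Settings, decodes it the way you would decode one captured from the browser's address bar, and checks that its Issuer, AssertionConsumerServiceURL and Destination match the Entity ID, Assertion Consumer Service URL and IdP SSO endpoint configured in this connection. The tenant hostname, realm name, redirect URI path and PingFederate host are placeholder assumptions.

```python
"""Round-trip an SP-initiated SAML AuthnRequest through the HTTP-Redirect binding
and check it against the values configured on the PingFederate SP connection."""
import base64
import datetime as dt
import secrets
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)

# Placeholder values (assumptions, not taken from the article): use the Entity ID you
# typed in General Info, the redirect URI shown by Software AG Cloud, and your IdP host.
SP_ENTITY_ID = "https://mytenant.example.softwareag.cloud/auth/realms/mytenant"
ACS_URL = "https://mytenant.example.softwareag.cloud/auth/realms/mytenant/broker/pingfederate/endpoint"
IDP_SSO_URL = "https://pingfed.example.com:9031/idp/SSO.saml2"


def build_authn_request(sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL, idp_sso_url=IDP_SSO_URL,
                        request_id=None, issue_instant=None):
    """Return the (unsigned) AuthnRequest XML an SP sends for SP-initiated SSO."""
    request_id = request_id or "_" + secrets.token_hex(16)          # xs:ID must not start with a digit
    issue_instant = issue_instant or dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,                 # the IdP SSO endpoint the request is sent to
        "ProtocolBinding": BINDING_POST,            # the response must come back via HTTP-POST
        "AssertionConsumerServiceURL": acs_url,     # the Software AG Cloud redirect URI
    })
    ET.SubElement(root, f"{{{NS_SAML}}}Issuer").text = sp_entity_id   # must equal the SP Entity ID
    ET.SubElement(root, f"{{{NS_SAMLP}}}NameIDPolicy", {"AllowCreate": "true"})
    return ET.tostring(root, encoding="unicode")


def redirect_url(xml_text, idp_sso_url=IDP_SSO_URL, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits -15 = raw deflate, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return idp_sso_url + "?" + urlencode(params)


def decode_redirect_url(url):
    """Reverse of redirect_url: recover the AuthnRequest XML from a captured redirect."""
    qs = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(deflated, -15).decode("utf-8")


def check_authn_request(xml_text, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL, idp_sso_url=IDP_SSO_URL):
    """List mismatches between a request and the SP connection settings; empty means consistent."""
    root = ET.fromstring(xml_text)   # for requests captured from untrusted clients prefer defusedxml
    if root.tag != f"{{{NS_SAMLP}}}AuthnRequest":
        return [f"not an AuthnRequest: {root.tag}"]
    problems = []
    issuer = root.findtext(f"{{{NS_SAML}}}Issuer")
    if issuer != sp_entity_id:
        problems.append(f"Issuer {issuer!r} != SP connection Entity ID {sp_entity_id!r}")
    if root.get("AssertionConsumerServiceURL") != acs_url:
        problems.append("AssertionConsumerServiceURL is not the configured Assertion Consumer Service URL")
    if root.get("Destination") != idp_sso_url:
        problems.append("Destination is not this IdP's SSO endpoint")
    if root.get("ProtocolBinding") not in (None, BINDING_POST):
        problems.append("requested response binding is not HTTP-POST")
    return problems


if __name__ == "__main__":
    req = build_authn_request()
    url = redirect_url(req, relay_state="/home")
    print(url)
    print(check_authn_request(decode_redirect_url(url)) or "request matches the SP connection")
```

The request here is unsigned; if the connection's signature policy requires signed AuthnRequests, PingFederate also expects SigAlg and Signature query parameters on the redirect, so a request like this one would be rejected until the SP signs it.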
Switch back to the Software AG Cloud tab, which is still on the SSO configuration page.
Select Import configuration from file, browse to the IdpMetadata.xml file and click Next.
In the Configuration tab review the imported configuration and click Next.
In the Attributes tab map the attributes Software AG Cloud needs to the attribute names sent in the SAML assertion (the Attribute Contract defined earlier) and click Next.
In the Roles tab either assign a default role to all onboarded users or map Software AG Cloud roles to identity provider roles (the group membership managed in PingIdentity), and click Save.
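Before (or after) importing IdpMetadata.xml it is worth checking what the file actually advertises, since Software AG Cloud takes the IdP endpoints and the signing certificate from it. The following is an added example, not code from the article or from either vendor: it parses an IdP metadata file, extracts the Entity ID, the SSO and SLO endpoints per binding and the signing certificate, and checks that the POST and Redirect bindings enabled in Protocol Settings are present, that every endpoint is https, and that the certificate in the metadata has the same SHA-256 fingerprint as the certificate exported in the Credentials step. The sample metadata, its hostname and the certificate bytes are constructed placeholders; the "certificate" is not a real X.509 blob, only stand-in bytes for the fingerprint comparison.

```python
"""Inspect IdP metadata exported from PingFederate before importing it into
Software AG Cloud: endpoints, bindings and the signing certificate it advertises."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for DER certificate bytes (NOT a real X.509 certificate). In a real
# run, pass the file exported from PingFederate's Manage Certificates page to load_cert().
PLACEHOLDER_DER = b"constructed placeholder - not a real X.509 certificate"
PLACEHOLDER_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(PLACEHOLDER_DER)
                   + b"-----END CERTIFICATE-----\n")

# Constructed sample shaped like the IdpMetadata.xml PingFederate exports; the host is an assumption.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://pingfed.example.com:9031/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://pingfed.example.com:9031/idp/SLO.saml2"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://pingfed.example.com:9031/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://pingfed.example.com:9031/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""" % base64.b64encode(PLACEHOLDER_DER).decode("ascii")


def load_cert(data: bytes) -> bytes:
    """Accept a PEM or DER certificate file's bytes and return the DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----|\s", b"", data)   # strip armor lines and whitespace
        return base64.b64decode(body)
    return data


def fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form most consoles display."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entity ID, SSO/SLO endpoints per binding and signing certificates (DER)."""
    root = ET.fromstring(xml_text)   # use defusedxml for metadata you did not export yourself
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # a KeyDescriptor without 'use' serves both purposes
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode(re.sub(r"\s+", "", cert.text or "")))
    return {
        "entity_id": root.get("entityID"),
        "sso": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)},
        "slo": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)},
        "signing_certs": certs,
    }


def check_metadata(meta: dict, exported_cert_der: bytes) -> list:
    """Cross-check the metadata against the SP connection; empty list means it is ready to import."""
    problems = []
    for binding in (BINDING_POST, BINDING_REDIRECT):        # the two Allowable SAML Bindings
        if binding not in meta["sso"]:
            problems.append(f"no SingleSignOnService for {binding}")
    if BINDING_POST not in meta["slo"]:
        problems.append("no SingleLogoutService with HTTP-POST binding")
    for url in list(meta["sso"].values()) + list(meta["slo"].values()):
        if not url.startswith("https://"):
            problems.append(f"endpoint {url} is not https")
    if not meta["signing_certs"]:
        problems.append("metadata advertises no signing certificate")
    elif fingerprint(exported_cert_der) not in {fingerprint(c) for c in meta["signing_certs"]}:
        problems.append("signing certificate in metadata differs from the exported certificate")
    return problems


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print(meta["entity_id"], meta["sso"])
    print(check_metadata(meta, load_cert(PLACEHOLDER_PEM)) or "metadata matches the exported certificate")
```

To run it against a real export, read IdpMetadata.xml and the exported .crt from disk and pass them to parse_idp_metadata() and load_cert(); a fingerprint mismatch means the metadata was exported with a different Signing Certificate than the one selected in Digital Signature Settings.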