SAML2 and Ping Federate

We share advice on using Ping Federate as an industry-standard SAML2 Identity Provider.

For genuine support questions about Ping Identity, or about any other non-Intercax provider of SAML2 services, contact the vendor directly through its formal support program.

Because Ping Federate acts more as a broker than as a provider of identity management services, configuring it involves more stages than are typical for more comprehensive, self-contained IdPs.

Configuration of a Service Provider Connection within Ping Federate involves:

Intercax does not advise how your organization should configure its Ping Federate service, nor does it describe in detail how to choose and configure the individual stages of an SP Connection integration.

Intercax does, however, show the summary configuration it uses for its own Syndeia deployments, in which Syndeia is the SAML2 SP, Ping Federate is the SAML2 IdP, and OpenLDAP is Ping Federate’s delegated user data store.

General Settings for a Ping Federate Service Provider (SP Connection)

Connection Type
    Connection Role: SP
    Browser SSO Profiles: true
    Protocol: SAML 2.0
    Connection Template: No Template
    WS-Trust STS: false
    Outbound Provisioning: false

Connection Options
    Browser SSO: true
    IdP Discovery: false
    Attribute Query: false

General Info
    Partner's Entity ID (Connection ID): http://MYSP.MYCOMPANY.MYCOM:MYPORT
    Connection Name: MYSP.MYCOMPANY.MYCOM
    Company: Intercax
    Contact Name: Name of Admin
    Contact Number: 555-555-1212
    Contact Email: admin@mycompany.mycom
    Application Name: MYSP.MYCOMPANY.MYCOM

SAML Profiles

SAML Profiles
    IdP-Initiated SSO: false
    IdP-Initiated SLO: false
    SP-Initiated SSO: true
    SP-Initiated SLO: false

Assertion Lifetime
    Valid Minutes Before: 5
    Valid Minutes After: 5

Assertion Creation

Identity Mapping
    Enable Standard Identifier: true

Attribute Contract
    Attribute: SAML_SUBJECT
        Subject Name Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    Attribute: email
        Attribute Name Format: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
    Attribute: first_name
        Attribute Name Format: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
    Attribute: fullname
        Attribute Name Format: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
    Attribute: last_name
        Attribute Name Format: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
    Attribute: uid
        Attribute Name Format: urn:oasis:names:tc:SAML:2.0:attrname-format:basic

Authentication Source Mapping
    Adapter instance name: SP-used-HTML-Form-IdP-Adapter

Adapter Instance
    Selected adapter: SP-used-HTML-Form-IdP-Adapter

Mapping Method
    Adapter: HTML Form IdP Adapter
    Mapping Method: Retrieve additional attributes from multiple data stores using one mapping

Attribute Sources & User Lookup
    Data Store: LDAP Source (LDAP)

Attribute Sources & User Lookup

Data Store
    Attribute Source: LDAP Source
    Attribute Source ID: attributeSourceId1
    Type of Data Store: LDAP
    Data Store: MYLDAP.MYCOMPANY.MYCOM (OpenLDAP)

LDAP Directory Search
    Base DN: ou=MYUSERS,dc=MYCOMPANY,dc=MYCOM
    Search scope: SUBTREE_SCOPE
    Attributes: Subject DN, displayName, givenName, mail, sn, uid

LDAP Filter
    Filter: (uid=${username})

Attribute Contract Fulfillment
    SAML_SUBJECT: mail (LDAP)
    email: mail (LDAP)
    first_name: givenName (LDAP)
    fullname: displayName (LDAP)
    last_name: sn (LDAP)
    uid: uid (LDAP)

Issuance Criteria
    Criterion: (None)

Protocol Settings

Assertion Consumer Service URL
    Endpoint URL: http://MYSP.MYCOMPANY.MYCOM:MYPORT/authenticate/SAML2 (POST)

Allowable SAML Bindings
    Artifact: false
    POST: true
    Redirect: true
    SOAP: false

Signature Policy
    Require digitally signed AuthN requests: false
    Always Sign Assertion: true
    Sign Response As Required: true

Encryption Policy
    Status: Inactive

Credentials

Digital Signature Settings
    Selected Certificate: 01:82:BE:EF:69:A2 (CN=Product, OU=Team, O=Company, L=City, ST=State, C=US)
    Include Certificate in KeyInfo: true
    Include Raw Key in KeyValue: false
    Selected Signing Algorithm: RSA SHA256
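As an added example, not part of Intercax's documentation or of Syndeia's code, the following Python checks an incoming SAML Response on the SP side against the connection summary above: the ACS URL, the emailAddress NameID for SAML_SUBJECT, the basic-format attribute contract, an assertion signature using RSA SHA256, and the 5+5 minute assertion lifetime. The entity ID and ACS URL are the page's placeholders, the algorithm URI is the standard XML-DSig identifier for RSA SHA256, the Response XML and user email are constructed, and the signature is inspected only for its algorithm (cryptographic verification belongs to an XML-DSig library).

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SP_ENTITY_ID = "http://MYSP.MYCOMPANY.MYCOM:MYPORT"         # Partner's Entity ID from this page
ACS_URL = SP_ENTITY_ID + "/authenticate/SAML2"               # Assertion Consumer Service URL (POST)
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
BASIC_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"  # XML-DSig URI for "RSA SHA256"
REQUIRED_ATTRS = {"email", "first_name", "fullname", "last_name", "uid"}  # Attribute Contract

def parse_time(s):  # SAML UTC timestamp such as 2024-01-01T12:00:00Z -> aware datetime
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def check_response(xml_text, now):
    """Return the policy violations found in a SAML Response; an empty list means it passes."""
    root, errs = ET.fromstring(xml_text), []
    if root.get("Destination") != ACS_URL:
        errs.append("Destination is not the configured ACS URL")
    asrt = root.find("a:Assertion", NS)
    cond = asrt.find("a:Conditions", NS) if asrt is not None else None
    if cond is None:
        return errs + ["Response lacks an Assertion with Conditions"]
    alg = asrt.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if alg is None or alg.get("Algorithm") != RSA_SHA256:    # "Always Sign Assertion", RSA SHA256
        errs.append("Assertion is not signed with RSA SHA256")
    nameid = asrt.find("a:Subject/a:NameID", NS)
    if nameid is None or nameid.get("Format") != EMAIL_FMT:  # SAML_SUBJECT is fulfilled from mail
        errs.append("SAML_SUBJECT is not an emailAddress NameID")
    nb, na = parse_time(cond.get("NotBefore")), parse_time(cond.get("NotOnOrAfter"))
    if not (nb <= now < na) or na - nb > timedelta(minutes=10):  # 5 minutes before + 5 after
        errs.append("Assertion is outside, or wider than, the 5+5 minute lifetime")
    if SP_ENTITY_ID not in [e.text for e in cond.iterfind("a:AudienceRestriction/a:Audience", NS)]:
        errs.append("Audience does not name this SP")
    got = {a.get("Name") for a in asrt.iterfind("a:AttributeStatement/a:Attribute", NS)
           if a.get("NameFormat") == BASIC_FMT}
    if not REQUIRED_ATTRS <= got:
        errs.append("missing basic-format attributes: " + ", ".join(sorted(REQUIRED_ATTRS - got)))
    return errs

# Constructed sample Response (signature children other than SignatureMethod are elided).
ATTRS_XML = "".join(f'<a:Attribute Name="{n}" NameFormat="{BASIC_FMT}"/>' for n in sorted(REQUIRED_ATTRS))
SAMPLE = f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" xmlns:ds="{NS['ds']}" Destination="{ACS_URL}">
<a:Assertion><ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/></ds:SignedInfo></ds:Signature>
<a:Subject><a:NameID Format="{EMAIL_FMT}">jdoe@mycompany.mycom</a:NameID></a:Subject>
<a:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:10:00Z">
<a:AudienceRestriction><a:Audience>{SP_ENTITY_ID}</a:Audience></a:AudienceRestriction></a:Conditions>
<a:AttributeStatement>{ATTRS_XML}</a:AttributeStatement></a:Assertion></p:Response>"""
```

Running `check_response(SAMPLE, parse_time("2024-01-01T12:05:00Z"))` returns an empty list; the same Response presented at or after 12:10:00Z, or with a different Destination, algorithm or NameID format, is reported with the matching violation.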