To set up single sign-on with the PingId provider, you need to create two applications in your PingId environment:
- an OAUTH2 WORKER application for group synchronization
- a SAML application for user authentication
Order
The order of actions is essential so that you do not lose control over your SAFEQ Cloud account:
- Set up the authentication provider
- Do the initial group synchronization for your Ping authentication provider
- Create Access Control records for the imported groups. Make sure that you retain the administrative role in SAFEQ Cloud when you log in with your PingId identity (i.e. create Access Control records with the Administrators role for a group you are a member of)
- Set up SAML
OAuth2 configuration
Before you start using Single Sign-On authentication, you may want to synchronize groups and configure their access (see Access Control).
Group synchronization with PingId uses OAuth2 authentication of a user who has administrative privileges, performed through the worker application configured in this chapter. First, create the worker application:
Then, configure the application with the following settings:
Under the Configuration page:
- Response type: Code
- Redirect URIs: http://127.0.0.1:7311/oidc/callback, https://acme.eu.eophcp.com:8443/callback/ping (where acme.eu.eophcp.com is the account domain name of the HCP server)
- Grant type: Authorization code, Refresh token
- Token endpoint authentication: None
Note that the redirect URL with 127.0.0.1 is necessary for the PC client to work correctly with Ping authentication.
Under the Resources page:
- Scope grants: email (openid), profile (openid)
Under the Attribute mappings page:
- Username = sub
For security reasons it is essential to remove all roles from this application. Without roles, the application cannot be used without an OAuth2 token, which is never stored anywhere and is acquired only interactively.
Now that the PingId-side configuration is done, register and configure the authentication provider in SAFEQ Cloud:
Save the authentication provider and open it again for viewing. You will see a SYNC GROUPS button. After clicking it, a new tab opens with the PingId authentication form. Authenticate with the credentials of a user that has enough privileges to read groups. Follow the on-screen instructions; after a while, once the new tab is closed, you will see that group synchronization is complete:
SAML configuration
In this example we assume that the domain name of the SAFEQ Cloud application is testaccount1.
When configuring your PingId SAML application, set the redirect URL to https://_yourdomain_:8443/assertion/saml
Then, on the same page, fill in a unique Entity ID. The rule of thumb is to use your domain, which should be unique.
The next step is to create the attribute mappings:
| PingId attribute | Mapped name |
|---|---|
| Given Name | fname |
| Family Name | lname |
| Groups IDs | group_membership |
| Group Names | group_membership_names |
Now that the PingId part of the configuration is done, download the metadata file.
This file contains all the information necessary for the SAML configuration, including the certificate generated by PingId for assertion verification. Place this file in your /conf folder and set up Single Sign-On in your SAFEQ Cloud application:
The SSO issuer ID must be the same string you entered as the Entity ID in your PingId application configuration (here https://testaccount1).
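As an added example (not part of the product or its documentation), a small Python check you can run on the downloaded IdP metadata before placing it in /conf: it confirms that the file's entityID matches the SSO issuer ID you enter in SAFEQ Cloud and that a signing certificate and an SSO endpoint are present. The metadata XML embedded below is constructed sample data, not a real PingId export, and its certificate body is a placeholder.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata; the certificate is base64 of a marker string, not a real cert.
PLACEHOLDER_CERT = base64.b64encode(b"constructed placeholder, not a real cert").decode()
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://testaccount1">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://auth.pingone.example/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract entityID, signing certificates and SSO endpoints from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute means signing and encryption
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))  # strip line breaks inside the PEM body
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso": sso}


def check_metadata(xml_text, expected_issuer):
    """Return a list of problems; an empty list means the file is consistent with the SSO issuer ID."""
    info = parse_idp_metadata(xml_text)
    problems = []
    if info["entity_id"] != expected_issuer:
        problems.append(f"entityID {info['entity_id']!r} != SSO issuer ID {expected_issuer!r}")
    if not info["signing_certs"]:
        problems.append("no signing certificate: assertions cannot be verified")
    for cert in info["signing_certs"]:
        try:
            base64.b64decode(cert, validate=True)
        except ValueError:
            problems.append("signing certificate is not valid base64")
    if not any((b or "").endswith(("HTTP-POST", "HTTP-Redirect")) for b in info["sso"]):
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    return problems
```

Run `check_metadata(open("idp-metadata.xml").read(), "https://testaccount1")` against your real export; any returned string is a mismatch to fix before enabling SSO.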
Now you are ready to test your single sign-on. Each time a user logs in to SAFEQ Cloud with it, their Given/Family names and group membership are synchronized from PingId.
Don't forget to use the SYNC GROUPS button each time you change groups in PingId.