forked from pivotal-cf/docs-ops-guide
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathping-federate-sso-configuration.html.md.erb
42 lines (34 loc) · 3 KB
/
ping-federate-sso-configuration.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
---
title: Configuring PingFederate as an Identity Provider
owner: Identity
---
This topic explains how to configure single sign-on (SSO) between PingFederate and Pivotal Application Service (PAS).
## <a id='pas'></a>Configuring PingFederate as the SAML 2.0 Identity Provider on PAS
1. Download your Identity Provider Metadata from PingFederate Server. Click **Metadata Export** under **Administrative Functions** on the Main Menu of the PingFederate Administrative Console. If your PingFederate server is configured to act as both an Identity Provider (IdP) and a service provider (SP), indicate which type of configuration you want to export and click **Next**. The Signing key can be exported. You can skip the options related to Encryption Keys and Metadata Attribute Contract because they are not supported at this time.
1. Follow the steps in [Configuring Authentication and Enterprise SSO for PAS](./auth-sso.html#configure-pcf-for-saml) to set your IdP metadata on PAS.
## <a id='ping-federate'></a>Configuring PAS as the SAML 2.0 Service Provider on PingFederate
1. Download your Service Provider Metadata from `https://login.YOUR-SYSTEM-DOMAIN/saml/metadata`.
1. Import the Service Provider Metadata to PingFederate. Navigate to **Main Menu** → **IdP Configuration** → **SP Connection** and click **Import**. In the **Import Connection** screen, browse and select the `.xml` file downloaded in the previous step. Click **Import** and **Done**.
1. PAS expects the NameID format to be an email address (for example, `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`) and the value to be the email address of the currently logged in user. The SSO does not function without this setting.
1. Click the connection name on **Main Menu**. To see a full list of connections, click **Manage All SP**.
1. Click **Browser SSO** under the **SP Connection** tab.
1. Click **Configure Browser SSO**.
1. Click **Assertion Creation** under the **Browser SSO** tab.
1. Click **Configure Assertion Creation**.
1. Click **Identity Mapping** on the **Summary** screen.
1. Select **Standard** as the option and map the NameID format to be an email address and the value to be the email address of the user.
1. Select the Authentication Source.
1. Click **Browser SSO** under the **SP Connection** tab.
1. Click **Configure Browser SSO**.
1. Click **Assertion Creation** under the **Browser SSO** tab.
1. Click **Configure Assertion Creation**.
1. Click **IdP Adapter Mapping** on the **Summary** screen.
1. Click **Adapter Instance Name**.
1. Click **Adapter Instance** on the **Summary** screen.
1. Enable the SSO Browser Profiles.
1. Click **Browser SSO** under the **SP Connection** tab.
1. Click **Configure Browser SSO**.
1. Click **SAML Profiles** on the **Summary** screen.
1. Ensure that IdP & SP initiated SSO are selected.
<p class='note'><strong>Note</strong>: PAS does not support SLO profiles at this time, and you can leave them unchecked.</p>
1. Activate the SP Connection.