PingOne for Customers IdP for SAML Integration

Overview

This guide provides an example on how to configure PingOne for Customers as an IdP for an Aviatrix SAML SP (endpoint). When SAML client is used, your Aviatrix controller acts as the Identity Service Provider (ISP) that redirects browser traffic from client to IdP (e.g., PingOne for Customers) for authentication.

Before configuring SAML integration between Aviatrix and PingOne for Customers, make sure you have a valid PingOne for Customers account with administrator access.

Configuration Steps

Follow these steps to configure Aviatrix to authenticate against your PingOne for Customers IdP:

Step 1. Create a temporary Aviatrix SP Endpoint in the Aviatrix Controller

Step 2. Create a PingOne Web SAML App for Aviatrix in the PingOne for Customers Portal

Step 3. Retrieve PingOne IdP metadata URL

Step 4. Update Aviatrix SP Endpoint in the Aviatrix Controller

Step 5. Test the Integration is Set Up Correctly

Step 1. Create an Aviatrix SP Endpoint

Visit one of the following links based on your use case and follow step1 (Create temporary Aviatrix SP Endpoint for Aviatrix) from the link’s Configuration section:

If integrating PingOne IdP with Controller Login SAML Config

If integrating PingOne IdP with OpenVPN with SAML Authentication

Step 2. Create a PingOne Web SAML App for Aviatrix

Note

This step is usually done by the PingOne for Customers Admin.

  1. Login to the PingOne Admin portal

  2. Follow PingOne documentation to add a Web SAML application

  3. On the top of the page, click Connections.

  4. On the left, click Applications and then + Application.

    pingone_idp_adding_web_saml_app_01

  5. Click WEB APP, and then for SAML, click Configure.

    pingone_idp_adding_web_saml_app_02

  6. Create the application profile by entering the following information:

    Field Value
    Application name A unique identifier for the application.
    Description (optional)A brief characterization of the application.
    Icon (optional)A pictorial representation of the application. Use a file up to 1MB in JPG, JPEG, GIF, or PNG format.
  7. For Configure SAML Connection, enter the following:

    Field Value
    ACS URLs https://[host]/flask/saml/sso/[Endpoint Name]
    Signing certificate PingOne SSO Certificate for Default environment
    Signing Sign Assertion
    Signing Algorithm RSA_SHA256
    Encryption DISABLED
    Entity ID https://[host]/
    SLO endpoint Not Specified
    SLO response endpoint Not Specified
    SLO binding HTTP POST
    Assertion validity duration 300
    Target Application URL Not Specified
    Enforce signed Authn request Disabled
    Verification certificate No Verification Certificates Selected

    Note

    [host] is the hostname or IP of your Aviatrix controller. For example, https://controller.demo.aviatrix.live

    [Endpoint Name] is an arbitrary identifier. This same value should be used when configuring SAML in the Aviatrix controller.

    [Entity ID] is using https://[host]/ as default if you select Hostname option when configuring SAML in the Aviatrix controller.

    pingone_idp_configuring_saml_connection

  8. Click Save and Continue.

  9. For attribute mapping, click the button “+ADD ATTRIBUTE” and then select “PingOne Attribute” to map PingOne user attribute to an attribute in this application as below.

    PINGONE USER ATTRIBUTE APPLICATION ATTRIBUTE
    User ID saml_subject
    Given Name FirstName
    Family Name LastName
    Email Address Email

    Note

    Notes: User ID is a default required in PingOne

    pingone_idp_configuring_attribute_mapping

  10. Click Save and Close.

  11. Enable the WEB SAML APP

    pingone_idp_enable

Step 3. Retrieve PingOne IdP metadata

Note

This step is usually completed by the PingOne for Customers admin.

  1. After the application is created in PingOne, click Connections on the top of the page and then click Applications on the left.
  2. Locate the Web SAML application that we just created.
  3. Click the details icon to expand the Web SAML application and then click the button “Configuration”.
  4. Copy the URL from the IDP Metadata URL from the CONNECTION DETAILS. This value will be used to configure the Aviatrix SP Endpoint.
pingone_idp_retrieve_idp_metadata_url

Step 4. Update Aviatrix SP Endpoint

Note

This step is usually completed by the Aviatrix admin. PineOne IdP provides IdP Metadata through URL obtained in Retrieve PingOne IdP metadata URL step. PingOne for Customers IdP requires a custom SAML request template.

Continue with updating Aviatrix SAML Endpoint by visiting one of the following links based on your use case:

  1. If integrating PineOne IdP with Controller Login SAML Config

  2. If integrating PineOne IdP with OpenVPN with SAML Authentication

    Field Value
    Endpoint Name [Endpoint Name] (Use the same name you entered in the PingONe Application previously)
    IdP Metadata Type URL
    IdP Metadata URL URL copied from PingOne (IdP metadata URL)
    Entity ID Select Hostname
    Custom SAML Request Template Check the box and either copy the below format into the prompt text box or modify it

    pingone_idp_reformat_custom_saml_request_template

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="$ID" Version="2.0" IssueInstant="$Time" Destination="$Dest" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="$ACS">
   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">$Issuer</saml:Issuer>
   <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="$SPNameQualifier" AllowCreate="true"></samlp:NameIDPolicy>
   <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact"><saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
   </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Step 5. Test the Integration

Continue with testing the integration by visiting one of the following links based on your use case:

  1. If integrating PingOne IdP with Controller Login SAML Config
    1. Click Settings in the left navigation menu
    2. Select Controller
    3. Click on the SAML Login tab
  2. If integrating PingOne IdP with OpenVPN with SAML Authentication
    1. Expand OpenVPN® in the navigation menu and click Advanced
    2. Stay on the SAML tab

You can quickly validate that the configuration is complete by clicking on the Test button next to the SAML endpoint.

OpenVPN is a registered trademark of OpenVPN Inc.