Setup PingOne for Customers web SAML app with Profile Attribute

This guide demonstrates the use of the Profile attribute in PingOne for Customers so that each SAML user can be assigned a different VPN profile.

How VPN profile works

The VPN profiles defined at Controller/OpenVPN/Profiles contain the egress control policy. They are attached to the VPN users defined at Controller/OpenVPN/VPN Users to control those users' VPN egress traffic. A user without a profile is treated the same as a user with an allow-all profile, i.e., their egress traffic is unrestricted.

For SAML VPN, the SAML user definition at the IdP can carry a Profile attribute that names a VPN profile. When present, it overrides the VPN profile assigned to the corresponding user at the controller. If the attribute is absent, the VPN profile assigned at the controller is used.

Setup PingOne for Customers Profile attribute

  1. Define a new User attribute in the PingOne for Customers portal for storing the VPN profile name.
  2. Define an attribute mapping for the new attribute using the application attribute name Profile, so that the web SAML application knows how to include the Profile information in the SAML response.
  3. Assign a VPN profile to each SAML user.
  4. Validate the setup.

Define a new User attribute

Note

This step is usually completed by the PingOne for Customers Admin.

  1. Log in to the PingOne Admin portal.

  2. Follow the PingOne documentation to add a User attribute.

  3. On the top of the page, click Settings.

  4. On the left, under Directory, click Attributes.

  5. Click + Add Attribute.

    [Screenshot: pingone_idp_adding_attribute]

  6. Click DECLARED.

    [Screenshot: pingone_idp_adding_attribute_declared]

  7. Click "Next".

  8. Enter the following information to create the custom user attribute:

    Field                  Value           Description
    Name                   accessprofile   A unique identifier for the attribute.
    Display name           accessprofile   The name of the attribute as you want it to appear in the user interface.
    Description            (optional)      A brief characterization of the attribute.
    Enforce unique values  Uncheck         Option to require the attribute values to be unique across the environment.

    Note

    In this example, the new user attribute is named accessprofile.

    [Screenshot: pingone_idp_setting_attribute]

  9. Click Save and Close.

Define an attribute mapping

Note

This step is usually completed by the PingOne for Customers Admin.

  1. On the top of the page, click Connections.

  2. Click Applications on the left.

  3. Locate the Web SAML application to which this custom User attribute will be added.

  4. Click the details icon to expand the Web SAML application, and then click the pencil icon.

  5. Click "Attribute Mappings".

  6. To add the attribute mapping, click "+ ADD ATTRIBUTE" and then select "PingOne Attribute" to map the PingOne user attribute to an application attribute as shown below.

    PINGONE USER ATTRIBUTE   APPLICATION ATTRIBUTE
    accessprofile            Profile

    Note

    The application attribute name must be exactly Profile so that the Aviatrix Controller can find it in the SAML response; a different name or a different capitalization will not be recognized.

    [Screenshot: pingone_idp_saml_attribute_mapping]

Assign VPN profile to each SAML user

Note

This step is usually completed by the PingOne for Customers Admin.

For each SAML application user, edit the user profile to assign the VPN profile:

  1. On the top of the page, click Identities.

  2. Locate the user you want to edit. You can browse or search for users.

  3. Click the details icon to expand the user you want to edit, and then click the pencil icon.

  4. On the Profile tab, scroll down to the "OTHER" section.

  5. Find the new User attribute "accessprofile" and enter the name of the VPN profile defined at the controller.

    Note

    In this example, the VPN profile defined at the controller is named access-profile.

    [Screenshot: pingone_idp_vpn_profile]

Validation

Please refer to this doc for more validation detail.
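As an added worked example for the validation step (this is not code from the original page or from Aviatrix or Ping), the following Python script inspects a SAML assertion the way the controller must: it looks for an application attribute named exactly Profile, and applies the override rule from "How VPN profile works" (SAML Profile attribute if present, otherwise the controller-assigned profile, and no profile at all means allow-all). The sample assertion is constructed, the PingOne environment ID, user and the controller-side profile name "controller-default" are placeholders, and the script only parses the XML; it does not verify the assertion's signature, which the controller does when it consumes the real response.

```python
"""Inspect a SAML assertion for the Profile attribute the Aviatrix Controller expects."""
import xml.etree.ElementTree as ET

# Standard SAML 2.0 assertion namespace.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML_ATTRIBUTE_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Attribute"

# The application attribute name the controller looks for in the SAML response.
# It must match exactly; "profile" or "accessprofile" would not be recognized.
PROFILE_ATTRIBUTE = "Profile"

# Constructed sample assertion (not a real PingOne capture). The application
# attribute "Profile" carries the VPN profile name "access-profile", which is
# the mapping this guide sets up. Environment ID and user are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_example-assertion-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://auth.pingone.com/EXAMPLE-ENVIRONMENT-ID</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Profile">
      <saml:AttributeValue>access-profile</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The same assertion with the mapping done wrong: the PingOne user attribute
# name "accessprofile" was used as the application attribute name.
MISNAMED_ASSERTION = SAMPLE_ASSERTION.replace('Name="Profile"', 'Name="accessprofile"')


def saml_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from every AttributeStatement.

    Works on a bare <saml:Assertion> or on a <samlp:Response> wrapping one,
    because the search starts at the document root. Parsing only; the XML
    signature is not checked here.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(SAML_ATTRIBUTE_TAG):
        name = attr.get("Name")
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def profile_from_assertion(assertion_xml: str):
    """Return the VPN profile named by the exactly-matching Profile attribute, or None."""
    values = [v.strip() for v in saml_attributes(assertion_xml).get(PROFILE_ATTRIBUTE, [])]
    values = [v for v in values if v]
    return values[0] if values else None


def effective_profile(saml_profile, controller_profile):
    """Override rule: SAML Profile wins when present, else the controller's assignment.

    None means no profile at all, which the controller treats as allow-all.
    """
    return saml_profile if saml_profile is not None else controller_profile


def check_mapping(assertion_xml: str) -> list:
    """Return findings a practitioner can act on when validating the setup."""
    findings = []
    attrs = saml_attributes(assertion_xml)
    if PROFILE_ATTRIBUTE in attrs:
        findings.append(f"OK: attribute '{PROFILE_ATTRIBUTE}' present with value(s) {attrs[PROFILE_ATTRIBUTE]}")
    else:
        findings.append(f"MISSING: no attribute named exactly '{PROFILE_ATTRIBUTE}'")
        near = [n for n in attrs if n and n.lower() in ("profile", "accessprofile")]
        if near:
            findings.append(f"HINT: found {near}; the application attribute name must be '{PROFILE_ATTRIBUTE}'")
    return findings


if __name__ == "__main__":
    # "controller-default" stands in for whatever profile the controller assigned to the user.
    for label, xml_text in (("correct mapping", SAMPLE_ASSERTION), ("misnamed mapping", MISNAMED_ASSERTION)):
        print(label, check_mapping(xml_text))
        print("  effective profile:", effective_profile(profile_from_assertion(xml_text), "controller-default"))
```

To use it on a real login, capture the base64-decoded SAML response from the browser (for example with a SAML tracer extension), paste it in place of the sample, and run the script; a "MISSING" finding with an "accessprofile" hint means the attribute mapping step used the PingOne attribute name instead of Profile.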