Aviatrix Docs :: Documentation

PingOne for Customers IdP for SAML Integration

Overview

This guide provides an example on how to configure PingOne for Customers as an IdP for an Aviatrix SAML SP (endpoint). When SAML client is used, your Aviatrix controller acts as the Identity Service Provider (ISP) that redirects browser traffic from client to IdP (e.g., PingOne for Customers) for authentication.

Before configuring SAML integration between Aviatrix and PingOne for Customers, make sure you have a valid PingOne for Customers account with administrator access.

Configuration Steps

Follow these steps to configure Aviatrix to authenticate against your PingOne for Customers IdP:

Step 1. Create an Aviatrix SP Endpoint in the Aviatrix Controller.
Step 2. Create a PingOne Web SAML App for Aviatrix in the PingOne for Customers Portal.
Step 3. Retrieve PingOne IdP metadata.
Step 4. Update Aviatrix SP Endpoint in the Aviatrix Controller.
Step 5. Test the Integration is set up correctly.

Step 1. Create an Aviatrix SP Endpoint

Visit one of the following links based on your use case and follow step 1 (Create temporary Aviatrix SP Endpoint for Aviatrix) from the link’s Configuration section:

If integrating PingOne IdP with Controller Login SAML Config
If integrating PingOne IdP with OpenVPN with SAML Authentication

Step 2. Create a PingOne Web SAML App for Aviatrix

This step is usually done by the PingOne for Customers Admin.

Login to the PingOne Admin portal.
Follow PingOne documentation to add a Web SAML application.
On the top of the page, click Connections.
On the left, click Applications and then + Application.

Click WEB APP, and then for SAML, click Configure.

Create the application profile by entering the following information:

Field	Value
Application name	A unique identifier for the application.
Description	(optional) A brief characterization of the application.
Icon	(optional) A pictorial representation of the application. The file can be up to 1MB in size in JPG, JPEG, GIF, or PNG format.

Field

Value

Application name

A unique identifier for the application.

Description

(optional) A brief characterization of the application.

Icon

(optional) A pictorial representation of the application. The file can be up to 1MB in size in JPG, JPEG, GIF, or PNG format.

For Configure SAML Connection, enter the following:

Field	Value
ACS URLs	https://[host]/flask/saml/sso/[Endpoint Name]
Signing certificate	PingOne SSO Certificate for Default environment
Signing	Sign Assertion
Signing Algorithm	RSA_SHA256
Encryption	DISABLED
Entity ID	https://[host]/
SLO endpoint	Not Specified
SLO response endpoint	Not Specified
SLO binding	HTTP POST
Assertion validity duration	300
Target Application URL	Not Specified
Enforce signed Authn request	Disabled
Verification certificate	No Verification Certificates Selected

Field

Value

ACS URLs

https://[host]/flask/saml/sso/[Endpoint Name]

Signing certificate

PingOne SSO Certificate for Default environment

Signing

Sign Assertion

Signing Algorithm

RSA_SHA256

Encryption

DISABLED

Entity ID

https://[host]/

SLO endpoint

Not Specified

SLO response endpoint

Not Specified

SLO binding

HTTP POST

Assertion validity duration

300

Target Application URL

Not Specified

Enforce signed Authn request

Disabled

Verification certificate

No Verification Certificates Selected

[host] is the hostname or IP of your Aviatrix controller. For example, https://controller.demo.aviatrix.live.

[Endpoint Name] is an arbitrary identifier. This same value should be used when configuring SAML in the Aviatrix controller.

[Entity ID] is using https://[host]/ as default if you select the Hostname option when configuring SAML in the Aviatrix Controller.

Click Save and Continue.
For attribute mapping, click the button "+ADD ATTRIBUTE" and then select "PingOne Attribute" to map PingOne user attribute to an attribute in this application as below.

PingOne User Attribute Application Attribute

User ID (required)

saml_subject

Given Name

FirstName

Family Name

LastName

Email Address

Email

PingOne User Attribute	Application Attribute
User ID (required)	saml_subject
Given Name	FirstName
Family Name	LastName
Email Address	Email

Click Save and Close.
Enable the WEB SAML APP.

Step 3. Retrieve PingOne IdP metadata

This step is usually completed by the PingOne for Customers admin.

After the application is created in PingOne, click Connections on the top of the page and then click Applications on the left.
Locate the Web SAML application that we just created.
Click the details icon to expand the Web SAML application and then click the button "Configuration".
Copy the URL from the IDP Metadata URL from the CONNECTION DETAILS. This value will be used to configure the Aviatrix SP Endpoint.

Step 4. Update Aviatrix SP Endpoint

This step is usually completed by the Aviatrix admin. PineOne IdP provides IdP Metadata through URL obtained in Retrieve `PingOne IdP metadata URL <#pingone-idp-metadata>`__ step. PingOne for Customers IdP requires a custom SAML request template.

Continue with updating Aviatrix SAML Endpoint by visiting one of the following links based on your use case:

If integrating PineOne IdP with Controller Login SAML Config.
If integrating PineOne IdP with OpenVPN with SAML Authentication.

Field	Value
Endpoint Name	[Endpoint Name]: use the same name you previously entered in the PingOne application
IdP Metadata Type	URL
IdP Metadata URL	URL copied from PingOne (IdP metadata URL)
Entity ID	Select Hostname
Custom SAML Request Template	Check the box and either copy the below format into the prompt text box or modify it

Field

Value

Endpoint Name

[Endpoint Name]: use the same name you previously entered in the PingOne application

IdP Metadata Type

URL

IdP Metadata URL

URL copied from PingOne (IdP metadata URL)

Entity ID

Select Hostname

Custom SAML Request Template

Check the box and either copy the below format into the prompt text box or modify it

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="$ID" Version="2.0" IssueInstant="$Time" Destination="$Dest" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="$ACS">
   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">$Issuer</saml:Issuer>
   <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="$SPNameQualifier" AllowCreate="true"></samlp:NameIDPolicy>
   <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact"><saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
   </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Step 5. Test the Integration

Continue with testing the integration by visiting one of the following links based on your use case:

If integrating PingOne IdP with Controller Login SAML Config:
1. Click Settings in the left navigation menu.
2. Select Controller.
3. Click on the SAML Login tab.
If integrating PingOne IdP with OpenVPN with SAML Authentication:
1. Expand OpenVPN® in the navigation menu and click Advanced.
2. Stay on the SAML tab.

You can quickly validate that the configuration is complete by clicking on the Test button next to the SAML endpoint.

OpenVPN is a registered trademark of OpenVPN Inc.