Setting up PingOne for Customers Web SAML App with Profile Attribute

This guide demonstrates the use of the Profile attribute in PingOne for Customers so each SAML user can be assigned a different VPN profile.

How a VPN Profile Works

The VPN profiles defined at Controller/OpenVPN/Profiles contain an egress control policy. They are attached to the VPN users defined at Controller/OpenVPN/VPN Users to control those users' VPN egress traffic. A user without a profile is treated the same as a user with an allow-all profile, i.e., their egress traffic is unrestricted.

For SAML VPN, the SAML user definition at the IDP has a Profile attribute for specifying a VPN profile, which overrides the VPN profile assigned to the corresponding user at the Controller. If the attribute is unspecified, the VPN profile assigned at the Controller is used.

Setting up PingOne for Customers Profile Attribute

  1. Define a new User attribute in the PingOne for Customers portal to store the VPN profile name.

  2. Define an attribute mapping for the new attribute using the name Profile so that the Web SAML application knows how to include the Profile information in the SAML response.

  3. Assign a VPN profile to each SAML user.

  4. Validate the setup.

Defining a New User Attribute

This step is usually completed by the PingOne for Customers Admin.

  1. Log into the PingOne Admin portal.

  2. Follow the PingOne documentation to add a User attribute.

  3. On the top of the page, click Settings.

  4. On the left, under Directory, click Attributes.

  5. Click + Add Attribute.


  6. Click Declared.


  7. Click Next.

  8. Enter the following information to create the custom user attribute:

    Field                  Value           Description
    Name                   accessprofile   A unique identifier for the attribute.
    Display name           accessprofile   The name of the attribute as you want it to appear in the user interface.
    Description            (optional)      A brief characterization of the attribute.
    Enforce unique values  Uncheck         Option to require the attribute values to be unique across the environment.

    In this example, the new user attribute is named accessprofile.


  9. Click Save and Close.

Defining an Attribute Mapping

This step is usually completed by the PingOne for Customers Admin.

  1. On the top of the page, click Connections.

  2. Click Applications on the left.

  3. Locate the Web SAML application to which this custom User attribute should be added.

  4. Click the details icon to expand the Web SAML application, and then click the pencil icon.

  5. Click Attribute Mappings.

  6. To update the attribute mapping, click + Add Attribute and then select PingOne Attribute to map the PingOne user attribute to an application attribute as shown below.

    PingOne Attribute   Application Attribute
    accessprofile       Profile

    The application attribute name must be exactly Profile so that the Aviatrix Controller can process it in the SAML response.

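As an added example (not Aviatrix or Ping code), the following Python reads the AttributeStatement of a constructed SAML assertion and applies the precedence described in this guide: a Profile attribute, matched by exact name, overrides the profile assigned at the Controller, and a missing attribute falls back to the Controller's assignment. The sample assertion, the user alice@example.com and the controller-default profile name are constructed for illustration.

```python
"""Added example: resolve the effective VPN profile for a SAML user from a
constructed SAML assertion, following the precedence the guide describes."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML_ATTR_NAME = "Profile"  # application attribute name; exact (case-sensitive) match

# Constructed sample assertion (no real IdP data). The IdP maps the user
# attribute accessprofile to the application attribute "Profile".
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Profile">
      <saml:AttributeValue>access-profile</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs[attr.get("Name")] = values
    return attrs


def effective_profile(assertion_xml: str, controller_profile):
    """Profile attribute in the SAML response wins; otherwise the profile
    assigned at the Controller applies. None means no profile (allow-all)."""
    values = saml_attributes(assertion_xml).get(SAML_ATTR_NAME, [])
    values = [v.strip() for v in values if v and v.strip()]
    if values:
        return values[0]
    return controller_profile


if __name__ == "__main__":
    print(effective_profile(SAMPLE_ASSERTION, "controller-default"))
    # A mapping named "profile" (wrong case) is not picked up, so the
    # Controller-assigned profile is used instead.
    lowercase = SAMPLE_ASSERTION.replace('Name="Profile"', 'Name="profile"')
    print(effective_profile(lowercase, "controller-default"))
```

Because the lookup is an exact string match, a mapping named "profile" or "Profile " would silently fall back to the Controller-assigned profile, which is the symptom to check first when a user's egress policy does not match what was set in PingOne.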

Assigning VPN Profile to Each SAML User

This step is usually completed by the PingOne for Customers Admin.

For each SAML application user, edit the user profile to assign the VPN profile.

  1. On the top of the page, click Identities.

  2. Locate the user you want to edit. You can browse or search for users.

  3. Click the details icon to expand the user you want to edit, and then click the pencil icon.

  4. On the Profile tab, scroll down to the Other section.

  5. Find the new User attribute "accessprofile" and assign the VPN profile.

    In this example, the VPN profile defined at the Controller is named access-profile.


Validation

Please refer to this doc for more validation details.