
Using the TruU SAML Adapter with PingFederate

Delegate authentication requests to the TruU SAML adapter using an IdP connection in PingFederate. This allows service provider applications to continue receiving SAML assertions from PingFederate, but users will be routed to TruU for authentication. The TruU SAML adapter returns a signed SAML assertion to PingFederate, which then creates a new SAML assertion for delivery to the SP. This method doesn’t require replacing IdP infrastructure or reconfiguring single sign-on enabled applications. Custom attributes sent to SP applications via PingFederate LDAP integrations will continue to work.

Detailed Steps

Step 1: Follow the SAML Adapter Setup Guide in Help to create a SAML adapter in the TruU admin console. The adapter configuration file it produces contains the metadata URL, Entity ID and SSO Login URL used in the steps below.
Step 2: In PingFederate, navigate to the Service Provider menu and create a new IdP connection.
Step 3: Select the following options:
  • Connection Type: Browser SSO Profiles
  • Connection Options: Browser SSO
  • JIT Provisioning: leave unselected (most use cases do not need it)
  • Metadata: select URL, paste the metadata URL from the SAML adapter configuration file, leave the remaining defaults in place and click Load Metadata
Step 4: Click through the General Information screen (populated by the connection metadata) and configure Browser SSO with these options:
  • SAML Profiles: SP-initiated SSO
  • Attribute Contract: SAML_SUBJECT
Step 5: Configure User-Session Creation with these options:
  • Attribute Contract: Account Mapping
  • Select Map New Authentication Policy to create a policy contract. The contract need only contain SAML_SUBJECT. Optionally use the SSO assertion to look up additional attributes from LDAP and extend the data made available to all SPs; attributes needed by individual SPs can be added after the IdP connection is configured (see Optional Configuration below)
Step 6: Configure Protocol Settings with the following options:
  • Outbound SSO Bindings: Redirect
  • Inbound Bindings: POST, Redirect
  • Signature Policy: SAML-standard (PingFederate verifies the adapter's signature on the inbound assertion using the signing certificate imported with the metadata)
  • Encryption Policy: No Encryption (the assertion is not encrypted; it is protected in transit by TLS on the browser legs, and its integrity by the signature above)
Step 7: Configure the outbound SSO redirect binding service URL as the SSO Login URL from the SAML adapter configuration file. Note: copy only the “/saml/<adapter identifier>/login” path portion of the URL, because PingFederate automatically prepends the identity server hostname as the base URL.
Step 8: Apply the default options on the remaining configuration screens. Ensure that the connection status is marked as Active once complete. The new IdP connection is identified by the Entity ID found in the SAML adapter configuration file, which helps when selecting the proper IdP connection in an environment with multiple connections.
Step 9: Apply the new IdP connection to an SP using PingFederate’s Authentication Policies tree. Use a connection selector to scope the policy to a single SP while testing the new IdP connection. Select the new IdP connection and then the associated policy contract, and configure the subject to be populated by the SAML_SUBJECT provided by the IdP connection.
Step 10: When accessing the SP with the authentication policy and contract mapping in place, you should be redirected to the TruU authentication screen. Completing the authentication should bring you into the application.
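Before filling in the connection screens, it helps to read the values that Steps 3, 7 and 8 take from the adapter's metadata and confirm they fit the settings above: the Entity ID, the HTTP-Redirect SSO Login URL (and the path portion entered in Step 7), and the presence of a signing certificate for the SAML-standard signature policy. The script below is an added example, not TruU or Ping Identity code; the hostname idp.example.com, the adapter identifier abc123, the file name check_adapter_metadata.py and the certificate text in its sample metadata are constructed placeholders, and it assumes the adapter publishes standard SAML 2.0 IdP metadata at the metadata URL from the configuration file.

```python
# check_adapter_metadata.py (added example; names and sample values are made up)
import re
import sys
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Step 7: only the /saml/<adapter identifier>/login path is entered in PingFederate.
LOGIN_PATH_RE = re.compile(r"^/saml/[^/]+/login$")

# Constructed sample in the shape of SAML 2.0 IdP metadata; every value is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/abc123">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAuthnRequestsSigned="false">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBplaceholderCertificateBase64==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/abc123/login"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def load_metadata(url=None):
    """Return metadata XML: the embedded sample, or the document fetched from url (https only)."""
    if url is None:
        return SAMPLE_METADATA
    if urlparse(url).scheme != "https":
        raise ValueError("refusing to fetch metadata over a non-https URL: " + url)
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_idp_metadata(xml_text):
    """Extract the values the PingFederate IdP connection screens ask for."""
    # ElementTree does not resolve external entities; for metadata from a source you do
    # not control, prefer defusedxml, which also blocks entity-expansion attacks.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: " + root.tag)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = {svc.get("Binding"): svc.get("Location")
           for svc in idp.findall("md:SingleSignOnService", NS)}
    # A KeyDescriptor without a use= attribute may be used for both signing and encryption.
    signing_certs = [
        cert.text.strip()
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert.text
    ]
    redirect = sso.get(REDIRECT)
    return {
        "entity_id": root.get("entityID"),          # Step 8: identifies the IdP connection
        "sso_redirect": redirect,                   # Step 7: SSO Login URL (redirect binding)
        "sso_redirect_path": urlparse(redirect).path if redirect else None,
        "signing_certs": signing_certs,             # Step 6: Signature Policy SAML-standard
        "wants_signed_authn_requests":
            idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
    }


def check(info):
    """Return findings; an empty list means the metadata fits the settings in this guide."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID; PingFederate uses it to identify the connection")
    if not info["sso_redirect"]:
        problems.append("no HTTP-Redirect SingleSignOnService; Outbound SSO Binding 'Redirect' cannot be used")
    else:
        if urlparse(info["sso_redirect"]).scheme != "https":
            problems.append("SSO Login URL is not https: " + info["sso_redirect"])
        if not LOGIN_PATH_RE.match(info["sso_redirect_path"]):
            problems.append("SSO Login URL path is not /saml/<adapter identifier>/login: "
                            + info["sso_redirect_path"])
    if not info["signing_certs"]:
        problems.append("no signing KeyDescriptor; PingFederate cannot verify the adapter's signed assertions")
    if info["wants_signed_authn_requests"]:
        problems.append("IdP requires signed AuthnRequests; enable AuthnRequest signing under Signature Policy")
    return problems


if __name__ == "__main__":
    info = parse_idp_metadata(load_metadata(sys.argv[1] if len(sys.argv) > 1 else None))
    print("Entity ID:               ", info["entity_id"])
    print("SSO Login URL (redirect):", info["sso_redirect"])
    print("Path to enter in Step 7: ", info["sso_redirect_path"])
    print("Signing certificates:    ", len(info["signing_certs"]))
    for problem in check(info):
        print("PROBLEM:", problem)
```

Run it with the real metadata URL as the first argument to see the Entity ID and the exact path to paste in Step 7; with no argument it runs against the embedded sample. A missing signing certificate or a non-https login URL is reported as a problem, because the SAML-standard signature policy and the redirect binding above depend on both.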

Optional Configuration: Additional SAML Attributes

If you want to provide additional SAML attributes to an SP, follow these steps:
Step 1: Update or create an Authentication Policy Contract. In this example, displayName is added to the contract.
Step 2: After editing the contract, update the applied policy contract mapping. Navigate to Authentication Policies to open the policy tree, then find the contract mapping to be modified.
Step 3: Create a Data Store configuration to populate the new attributes with information from LDAP.
Step 4: Enter the appropriate Base DN and add the desired attribute(s).
Step 5: Create a filter that matches the user attribute configured for your SAML adapter in the TruU admin console against the SAML_SUBJECT variable made available by PingFederate, for example sAMAccountName=${SAML_SUBJECT} if the adapter is configured to send sAMAccountName (the attribute name here is only an example; use the one configured for your adapter). Because SAML_SUBJECT is taken from the inbound assertion, this lookup relies on the signature verification configured under the IdP connection's Signature Policy.
Step 6: Map the new contract attributes to the newly configured Data Store.
Step 7: Update the SP connection and its attribute contract if it was not previously receiving these attributes.
Step 8: When logging into the SP, the SAML assertion will now contain the additional attribute(s).