Step 1: Create the PingFederate Adapter in the TruU Admin Console

To create the PingFederate adapter in the TruU Admin Console, navigate to the "Integrations" page. Add a new adapter by selecting Single Sign-On and PingFederate as the adapter type.

Provide a name for the adapter. This name identifies the integration in the Admin Console, and it is displayed in event logs for any PingFederate applications that do not have an application name specified (you can set the application name for individual SPs in their respective General Info sections within the PingFederate console).

The ID Server URL is populated automatically.

The adapter outputs one attribute called "subject" for use in your PingFederate environment. Select the User Global Attribute that you wish to populate as the subject. For instance, selecting "userPrincipalName" populates the authenticated user's userPrincipalName as the adapter subject. You can then rely on this value when configuring the adapter for your policy tree or for individual SPs.

The FIDO Origin option is used for FIDO2 hardware keys. Most organizations have one origin, which is tied to your Identity Servers. See the online help section on Relying Party Origins in your TruU Admin Console for more information.

The final option is the Default View. It controls which screen users see first when beginning TruU authentication. The default choice is a screen that lets users select from all TruU authentication methods.

Click Create and optionally select the administrative roles that should have rights to modify the adapter. Agree to the EULA to download the adapter software.
The download includes two files: the adapter software and a configuration file. Copy the downloaded .zip file to your PingFederate servers and keep the configuration file on hand for configuring the adapter within the PingFederate console.

Step 2: Install the Plugin Files on PingFederate Server Instances

Copy the truu-pf-adapter-v2-xx.xxx.zip archive onto each of your PingFederate server instances and unzip it. The unzipped folder structure mirrors the PingFederate folder structure, so each file goes into the corresponding folder of your PingFederate server. The files include:

Jar Files – copy these to the server/default/deploy folder
  • pingfederate/server/default/deploy/pf-plugins-truu-v2-identity-xx.xxx.jar
  • pingfederate/server/default/deploy/truu-java-sdk-all-22.112.jar
HTML Files – copy these to the server/default/conf/template folder
  • pingfederate/server/default/conf/template/try-truu.html.form.login.template.html
  • pingfederate/server/default/conf/template/html.truu.idp.html
JavaScript Files – copy these to a new folder at server/default/conf/template/assets/scripts/truu
  • pingfederate/server/default/conf/template/assets/scripts/truu/jquery-3.4.1.min.js
  • pingfederate/server/default/conf/template/assets/scripts/truu/js.cookie.min.js
  • pingfederate/server/default/conf/template/assets/scripts/truu/truu.js
Image Files – copy these to a new folder at server/default/conf/template/assets/images/truu
  • pingfederate/server/default/conf/template/assets/images/truu/try-truu-bkg.svg
  • pingfederate/server/default/conf/template/assets/images/truu/try-truu-shield.svg
Font Files – copy these to a new folder at server/default/conf/template/assets/fonts/truu
  • pingfederate/server/default/conf/template/assets/fonts/truu/roboto.css
CSS Files – copy these to a new folder at server/default/conf/template/assets/css/truu
  • pingfederate/server/default/conf/template/assets/css/truu/try-truu.css
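The copy in Step 2 is easy to get subtly wrong on a cluster (a template left behind, a jar dropped in the wrong folder, two versions of the same plugin jar sitting side by side in deploy/). The following is an added example, not TruU's or Ping Identity's code: it mirrors the unzipped archive into a PingFederate install tree, refuses to clobber existing files unless told to, and checks the file set listed above. The expected paths are taken from the list in Step 2; the jar names are matched by glob because the guide shows them with version placeholders. The sample archive it builds is constructed from placeholder files so the script runs offline; the version strings "22.112" and "23.001" in the demo are assumptions.

```python
"""Added example: mirror the unzipped TruU adapter archive into a PingFederate
install and verify the Step 2 file set. Not TruU's or Ping Identity's code."""
import shutil
import tempfile
from pathlib import Path

# Files the guide lists, relative to the archive's top-level "pingfederate/" folder.
# The two jars carry version numbers (xx.xxx in the guide), so they are matched by glob.
EXPECTED_JAR_GLOBS = (
    "server/default/deploy/pf-plugins-truu-v2-identity-*.jar",
    "server/default/deploy/truu-java-sdk-all-*.jar",
)
EXPECTED_FILES = (
    "server/default/conf/template/try-truu.html.form.login.template.html",
    "server/default/conf/template/html.truu.idp.html",
    "server/default/conf/template/assets/scripts/truu/jquery-3.4.1.min.js",
    "server/default/conf/template/assets/scripts/truu/js.cookie.min.js",
    "server/default/conf/template/assets/scripts/truu/truu.js",
    "server/default/conf/template/assets/images/truu/try-truu-bkg.svg",
    "server/default/conf/template/assets/images/truu/try-truu-shield.svg",
    "server/default/conf/template/assets/fonts/truu/roboto.css",
    "server/default/conf/template/assets/css/truu/try-truu.css",
)


def missing_files(tree):
    """Return the expected files/patterns that are absent under `tree`."""
    tree = Path(tree)
    missing = [f for f in EXPECTED_FILES if not (tree / f).is_file()]
    missing += [g for g in EXPECTED_JAR_GLOBS if not any(tree.glob(g))]
    return missing


def duplicate_plugin_jars(pf_home):
    """Patterns matching more than one jar in deploy/. Two versions of the same
    plugin deployed side by side is worth fixing before the restart in Step 3."""
    home = Path(pf_home)
    dupes = {}
    for pattern in EXPECTED_JAR_GLOBS:
        names = sorted(p.name for p in home.glob(pattern))
        if len(names) > 1:
            dupes[pattern] = names
    return dupes


def install_adapter(archive_root, pf_home, overwrite=False):
    """Copy every file under archive_root to the same relative path under pf_home,
    creating the new assets/*/truu folders. Refuses to overwrite existing files
    unless overwrite=True. Returns the list of relative paths installed."""
    root, home = Path(archive_root), Path(pf_home)
    absent = missing_files(root)
    if absent:
        raise FileNotFoundError(f"archive is incomplete, missing: {absent}")
    installed = []
    for src in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = src.relative_to(root)
        dst = home / rel
        if dst.exists() and not overwrite:
            raise FileExistsError(f"{dst} exists; pass overwrite=True to replace it")
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        installed.append(rel.as_posix())
    return installed


def build_sample_archive(base_dir, version="22.112"):
    """Constructed stand-in for the unzipped archive (placeholder contents, not the
    real adapter files) so the installer can be exercised offline. The version
    string is an assumption."""
    root = Path(base_dir) / "pingfederate"
    jars = (f"server/default/deploy/pf-plugins-truu-v2-identity-{version}.jar",
            f"server/default/deploy/truu-java-sdk-all-{version}.jar")
    for rel in EXPECTED_FILES + jars:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(f"placeholder for {rel}\n")
    return root


def demo():
    """Install a sample archive into an empty PF_HOME, then install a newer sample
    over it and show that the leftover older jars are flagged."""
    work = Path(tempfile.mkdtemp())
    pf_home = work / "pingfederate"
    installed = install_adapter(build_sample_archive(work / "unzipped"), pf_home)
    newer = build_sample_archive(work / "unzipped-next", version="23.001")
    install_adapter(newer, pf_home, overwrite=True)  # templates replaced, jars added alongside
    return {
        "installed": installed,
        "still_missing": missing_files(pf_home),
        "duplicate_jars": duplicate_plugin_jars(pf_home),
    }


if __name__ == "__main__":
    print(demo())
```

Run it against the real unzipped folder and your PF_HOME on each instance; the duplicate-jar check is the one to look at if you are upgrading rather than installing fresh, since the archive layout adds a new versioned jar rather than replacing the old one.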
Step 3: Restart PingFederate Servers

Restart your PingFederate servers to make the newly installed adapter available for configuration.

Step 4: Create a New IdP Adapter in PingFederate

Once restarted, you will see "TruU Identity Adapter v2" as a new IdP adapter choice. Note that if you had previously deployed the original "TruU Identity Adapter" in your environment, that version is no longer supported; customers are encouraged to use the v2 adapter.

Step 5: Configure the Adapter for Your TruU Tenant

Copy and paste the values from the configuration file downloaded when you provisioned the TruU PingFederate adapter in your Admin Console into the IdP adapter configuration form.

Once you click to proceed, you will see the Core Contract configuration. The TruU Identity Adapter v2 publishes just one attribute, "subject". The "subject" attribute takes the value of the User Global Attribute configured on the TruU PingFederate adapter in Step 1. You may update this value after the adapter has been created.

Step 6: Complete Optional Adapter Configuration

Your policy contracts and SPs may require additional user attributes. PingFederate provides several places to extend SAML assertions with user attributes: for instance, attributes can be added at the IdP adapter level and at the end of a policy tree at the contract. We suggest configuring IdP adapter attributes when multiple SPs need a common set of user properties. To configure additional attributes, use the "Extend the Contract" option when configuring the adapter.

Here we show an example of extending the contract with sAMAccountName. The SAML_SUBJECT will be the userPrincipalName (recall this was the User Global Attribute selected in Step 1), and sAMAccountName will be added via a directory lookup each time the TruU adapter is invoked.

Here the filter is configured to use "$" as the user identifier, which is the value returned by the TruU adapter. Because the adapter's User Global Attribute was configured as userPrincipalName (in Step 1), we construct the filter using userPrincipalName as the matching attribute. The matching attribute should be unique in the directory so that the lookup returns exactly one entry for each authenticated user. When configuring the contract fulfillment, the subject comes from the adapter and sAMAccountName comes from the LDAP connection.

Step 7: Assign the Adapter to Apps

For convenience we create an authentication policy contract called "sAMAccountName" that includes the subject from the TruU adapter plus the extended sAMAccountName configured in Step 6.

With the contract in place, we add a branch in the policy tree for our app. The branch starts with an application selector (our test app) and sends users accessing the app to the TruU IdP adapter. After successful authentication by TruU, the policy branch completes with the "sAMAccountName" policy contract.

Select the "Contract Mapping" link to finish the configuration. Here both attributes are sourced from the adapter because of the contract extension via LDAP lookup configured in Step 6.

Step 8: Configure SAML Attributes for the SP

In this final configuration step we update the SAML attributes made available to the SP. You can skip this step if your SP is already configured with the necessary SAML attributes and your policy contract is already mapped properly to the TruU adapter.

Here we have selected "sAMAccountName" as the authentication policy contract for the SP. Because the additional attributes were configured at the adapter and exposed via the policy contract, we use only the contract to populate values in the SAML assertion. In this example we use standard identity mapping. We add "sAMAccountName" to the attribute contract, then apply "sAMAccountName" as the authentication policy contract. PingFederate needs only the values from the policy contract to populate the attributes required for the SAML assertion.

Step 9: Test

Now access the test app using the IdP-initiated link found on the test app's SP connection page. PingFederate, applying the rules of its policy tree, should automatically redirect you to the TruU authentication screen. After authentication, the test app displays the SAML_SUBJECT and the additional SAML attributes.
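If the test app does not render the attributes, or you want to confirm the mapping without trusting the app's display, capture the SAMLResponse form parameter with a browser SAML tracer and inspect it directly. The following is an added example, not TruU's or Ping Identity's code: it decodes the POSTed value, pulls the NameID (the SAML_SUBJECT) and the attribute statement out of the assertion, and compares them with what Steps 5 to 8 should produce (subject = userPrincipalName from the adapter, sAMAccountName from the LDAP extension). The sample response, the issuer "pingfederate.example.com" and the user "jdoe@example.com" / "jdoe" are constructed. It deliberately does not verify the signature; that is the SP's job, and this script is only for checking attribute mapping during the test step.

```python
"""Added example: inspect a captured SAMLResponse and confirm the Step 5-8 mapping
(NameID = userPrincipalName from the TruU adapter, sAMAccountName from the LDAP
extension). Not TruU's or Ping Identity's code; all sample values are constructed."""
import base64
import xml.etree.ElementTree as ET  # use defusedxml for responses you did not construct yourself

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned sample of what the test app should receive. A real response
# carries a Signature and different IDs; they are omitted because nothing here verifies them.
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>pingfederate.example.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>pingfederate.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="sAMAccountName">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# The browser POSTs the response base64-encoded in the SAMLResponse field; constructed here.
SAMPLE_FORM_VALUE = base64.b64encode(SAMPLE_RESPONSE).decode("ascii")


def decode_saml_response(form_value):
    """Turn the SAMLResponse POST parameter (as shown by a SAML tracer) back into XML bytes."""
    return base64.b64decode(form_value)


def parse_assertion(xml_bytes):
    """Return (NameID, {attribute name: [values]}) from the first plaintext Assertion.
    An encrypted assertion is reported, not decrypted."""
    root = ET.fromstring(xml_bytes)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        if root.find("saml:EncryptedAssertion", NS) is not None:
            raise ValueError("assertion is encrypted; decrypt with the SP key before inspecting")
        raise ValueError("no saml:Assertion in response")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, attrs


def check_mapping(xml_bytes, expected_subject, required_attrs):
    """Compare the assertion with what the policy contract should have produced.
    Returns a list of problems; an empty list means the mapping is as expected."""
    name_id, attrs = parse_assertion(xml_bytes)
    problems = []
    if name_id != expected_subject:
        problems.append(f"SAML_SUBJECT is {name_id!r}, expected {expected_subject!r}")
    for name in required_attrs:
        values = attrs.get(name, [])
        if not values:
            problems.append(f"attribute {name!r} missing: check the contract mapping and the LDAP filter")
        elif len(values) != 1:
            problems.append(f"attribute {name!r} has {len(values)} values; the lookup should return one entry")
    return problems


if __name__ == "__main__":
    xml = decode_saml_response(SAMPLE_FORM_VALUE)
    print(parse_assertion(xml))
    print(check_mapping(xml, "jdoe@example.com", ["sAMAccountName"]) or "mapping OK")
```

Paste the captured SAMLResponse value in place of SAMPLE_FORM_VALUE and the user's real UPN in place of the expected subject. A missing sAMAccountName points back at the contract mapping in Step 7 or the LDAP filter in Step 6; a wrong SAML_SUBJECT points at the User Global Attribute chosen in Step 1.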
Single Sign On PingFederate SAML Setup Guide