Step 3: Integrate PingFederate

This article describes how to integrate the PingFederate Identity Provider (IdP) with Axis Security using SAML.

Step 1: Create a SAML App in PingFederate

  1. Go to Applications -> SP Connections.
  2. Click Create Connection.
  3. Select Do not use a template.
  4. Click Next.
  5. Click Browser SSO Profiles, and make sure the protocol is set to SAML 2.0.
  6. Click Next.
  7. Make sure the Browser SSO is checked.
  8. Click Next.
  9. Leave Metadata URL set to None.
  10. Click Next.

Step 2: Add PingFederate as an Identity Provider in Axis Security

To add PingFederate as an Identity Provider in Axis Security:

  1. In the Axis Management Console, go to Settings -> Identity Providers.
  2. Click Add Identity Provider and select PingFederate.
  3. Enter a Name for the IdP. Copy the SP Application ID and the SCIM Provisioning Token, and paste them into a text editor. You will need these details for Step 3: Finish Configuration in PingFederate.
  4. In the Single Sign On URL field, paste the IdP SSO URL you obtained in step 1 (for example, https://ping.axisinternal.com:9031/idp/SSO.saml). Click Upload certificate and upload the certificate you obtained from Step 2.
  5. Click Submit.

Step 3: Finish Configuration in PingFederate

  1. In the General Info section, enter the Entity ID obtained from Axis. Add Connection Name and other optional information.
  2. Click Next.
  3. In the Browser SSO section, under Single Sign-on (SSO) profiles, click Configure Browser SSO.
  4. In the SAML Profiles section, check the box for both IDP-INITIATED SSO and SP-INITIATED SSO.
  5. Click Next.
  6. In the Assertion Lifetime section, change the assertion lifetime if needed (optional), and click Next.
  7. In the Assertion Creation section, click Configure Assertion Creation.
  8. In the Identity Mapping section, select Standard.
  9. Click Next.
  10. In the Attribute Contract subsection, select a format for the SAML_SUBJECT with the value urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
  11. In the Extend the Contract subsection, add the value "http://schemas.xmlsoap.org/claims/Group" with format urn:oasis:names:tc:SAML:2.0:attrname-format:basic, and click Add.

      Then add the value "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" with format urn:oasis:names:tc:SAML:2.0:attrname-format:basic, and click Add.
  12. Click Next.
  13. In the Authentication Source Mapping section, click Map New Adapter Instance.
  14. In the Adapter Instance section, choose the adapter that is connected to your data store.
  15. Click Next.
  16. In the Mapping Method, click Next.

      Note: This is where we map which values PingFederate sends to Axis. They are all sourced from the Adapter but are configurable by the admin.
  17. In the Attribute Contract Fulfillment section, set the following mappings:
  18. Click Next.
  19. In the Issuance Criteria section, click Next.
  20. In the Summary section, click Done.
  21. In the Authentication Source Mapping section, click Next.
  22. In the Summary section, click Done.
  23. In the Assertion Creation section, click Next.
  24. In the Protocol Settings section, click Configure Protocol Settings.
  25. In the Assertion Consumer Service URL section, under Binding, select POST, and under the Endpoint URL, paste the SP URL (ACS) that you obtained from Axis Management Console in step 2, and click Add.
  26. Click Next.
  27. In the Allowable SAML Bindings section, check only the Post and Redirect options.
  28. Click Next.
  29. In the Signature Policy section, check ALWAYS SIGN ASSERTION, and click Next.
  30. In the Encryption Policy section, select NONE, and click Next.
  31. In the Summary section, click Done.
  32. In the Protocol Settings section, click Next.
  33. In the Summary section, click Done.
  34. In the Browser SSO section, click Next.
  35. In the Credentials section, click Configure Credentials.
  36. In the Digital Signature Settings section, choose your signing certificate.
  37. Check the INCLUDE THE CERTIFICATE IN THE SIGNATURE ELEMENT option. Click Next.
  38. In the Summary section, click Done.
  39. In the Credentials section, click Next.
  40. In the Activation & Summary section, scroll to the bottom and click Save.
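
To confirm the finished connection emits what the steps above configure, you can run a structural check over a SAML response captured from a test login. The script below is an added example, not part of Axis or PingFederate tooling. The ACS URL, the sample response and the function name are constructed placeholders, and the check inspects structure only; it does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
REQUIRED = ("http://schemas.xmlsoap.org/claims/Group",
            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name")

def check_response(xml_text, acs_url):
    """List mismatches with this guide's settings. Structure only: no signature verification."""
    root, problems = ET.fromstring(xml_text), []
    if root.find("a:EncryptedAssertion", NS) is not None:
        problems.append("assertion is encrypted (Encryption Policy should be NONE)")
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext Assertion"]
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        problems.append("assertion not signed (ALWAYS SIGN ASSERTION)")
    elif sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
        problems.append("certificate not included in the signature element")
    name_id = assertion.find("a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL:
        problems.append("NameID format is not emailAddress")
    scd = assertion.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient does not match the ACS URL")
    formats = {a.get("Name"): a.get("NameFormat")
               for a in assertion.findall("a:AttributeStatement/a:Attribute", NS)}
    problems += [f"attribute missing or not basic: {n}" for n in REQUIRED if formats.get(n) != BASIC]
    return problems

# Constructed sample (placeholder values, dummy signature), not a real PingFederate response.
ACS = "https://sp.example.test/acs"
SAMPLE = f"""<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="{NS['a']}" xmlns:ds="{NS['ds']}"><a:Assertion>
<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
</ds:X509Data></ds:KeyInfo></ds:Signature>
<a:Subject><a:NameID Format="{EMAIL}">user@example.test</a:NameID>
<a:SubjectConfirmation><a:SubjectConfirmationData Recipient="{ACS}"/></a:SubjectConfirmation>
</a:Subject><a:AttributeStatement>
<a:Attribute Name="{REQUIRED[0]}" NameFormat="{BASIC}"/>
<a:Attribute Name="{REQUIRED[1]}" NameFormat="{BASIC}"/>
</a:AttributeStatement></a:Assertion></p:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE, ACS) or "matches the guide's settings")
```

An empty list means the response matches the NameID format, attribute contract, signing and encryption choices made in Step 3; each returned string names the setting to revisit.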