Ping Directory - Identity Source Cloud Authentication Service Integration - RSA Ready Implementation Guide
2 years ago

This article describes how to integrate Ping Directory as Identity Source with RSA Cloud Authentication Service.

Configure RSA Cloud Authentication Service

Perform the following steps to add Ping Directory as an identity source to RSA Cloud Authentication Service.
Procedure

  1. Sign in to the RSA Cloud Administration Console.
  2. Navigate to Users > Identity Sources.
image.png
  1. Click Add Identity Source.
  1. For New Identity Source type, select LDAP.
image.png
  1. Under Basic Information, enter a name in the Identity Source Name field.
image.png
  1. In Connection Settings section, configure the following fields:
    • Root: Enter the distinguished name (DN) for the initial root user used when configuring Ping Directory. This DN is required for establishing a connection to the directory. For example, 'dc=example', 'dc=com'. This value will change based on the configuration done on Ping Directory during setup.
    • User Tag (SSO Service Only): Enter 'cn'.
    • ObjectClass: Enter 'inetOrgPerson'
    • Reset Interval (second): 300
image.png
  1. Under Directory Servers, click ADD.
image.png
  1. In the Directory Server window, configure the following fields and click Save.
    1. Server: Enter the IP address of the Ping Directory server.
    2. Port: Enter '389'.
    3. Cluster: Select the cluster that contains the identity router used for authentication by this directory server.
    4. Username: Enter the Directory Administrator name.
    5. Password: Enter the Directory Administrator password.
image.png
  1. In the SSL/TLS Certificates (optional) section, clear the checkbox for Use SSL/TLS encryption to connect to the directory servers. SSL was enabled later. Refer to the Configure SSL section for instruction on enabling SSL.
    image.png
  2. Under Directory Servers, click Test Connection. SSL was enabled later, refer to the Configure SSL section for instruction on enabling SSL.
    image.png
  3. Ensure that the Test Connection is successful. Verify that directory attributes are displayed under Results, then click Close.
image.png
  1. Under User Attributes, click Refresh Attributes.
image.png
  1. Enable Synchronize the selected policy attributes with the Cloud Authentication Service, then enable checkboxes for policies and apps for attributes that need to be synchronized with Cloud Authentication Service.
image.png
  1. Click Next Step.
image.png
  1. In the Synchronize User Attributes section, specify the following details and click Save and Finish.
    1. First Name: givenname
    2. Primary Usename: uid
    3. Last Name: sn
    4. Primary Unique Identifier: uid
    5. Email Address: mail
    6. Secondary Unique Identifier: uid
    7. User Account Status: ds-pwp-account-disabled
    8. UserAccountexpiration: ds-pwp-account-expiration-time
    9. Alternate Username: userPrincipalName
    10. Manager: manager
image.png
  1. Click Next Step.
  2. If selected, clear the checkbox for Allow Users to Change Passwords.
image.png
  1. Click Save and Finish, then click Publish Changes.
  2. Navigate to Users > Identity Sources, and for the Ping Directory Server, select Synchronization from the Edit dropdown menu.

    image.png
  3. On the Synchronization Page, click Synchronize Now.
image.png
  1. Wait for some moments, then click Refresh Status.
image.png
  1. Ensure that synchronization is completed successfully and users are added.
    image.png
  2. Navigate to Users > Management.
image.png
  1. Search for a user from the directory server and verify that the user information is displayed.
image.png

Configure SSL

Perform the following steps to configure SSL.
Procedure

  1. Navigate to the bin folder under extracted Ping Directory folder. Run the 'manage-certificates' utility to generate a self-signed certificate if needed. Note that a self-signed certificate can also be created during setup.
  2. SSH into to the Identity Router management console as 'idradmin' and run the following command: 
    • openssl s_client -connect <fqdn or ip_address>:<port>
Where '<fqdn or ip_address>' is the IP address domain name of the machine where Ping Directory is installed, and '<port>' is 636.
  1. Highlight and copy the output starting with '-----BEGIN CERTIFICATE-----' and ending with '----END CERTIFICATE-----'. Ensure that these lines are included. Paste the output into a text editor.
  2. This procedure does not compromise any private information from the directory server.
  3. The command only outputs the current public certificate used by the directory server for LDAPS connections, without requiring to login to the directory server and export it.
  4. Copy the certificate to your local machine and change the format to Windows (CR LF).
  5. Remove any unwanted spaces from the certificate.
  6. Save the file with '.cer' extension. Use the Save as option and select All files(*.*) for the file type.
  7. In the SSL/TLS Certificates section, select the option Use SSL/TLS certificate to connect to Directory servers.
    image.png
  8. In the Directory servers section, click the Edit button and change the port to '636'. the rest of the options should remain unchanged.
    image.png
  9. Test the connection. It should be successful.
  10. Save the changes and click Publish.

Notes

  • For testing purposes, the ports and other variables were kept at their default settings during Ping Directory setup. 
  • During setup for our testing, the option “server data is to be encrypted“ was set to No. All other options were kept at their default values.
  • Self-signed certificates were used for testing. For production environments, it is recommended to use CA-certified certificates.
  • To make the admin console available, install Tomcat (refer to the Ping Directory documentation for supported web servers) on the machine where Ping Directory is installed. Then, copy the file named 'admin-console.war' from the unzipped Ping Directory folder into webapps folder of Tomcat. Refer to the Ping Directory documentation for more details.

Configure Ping Directory

Perform the following steps to configure Ping Directory.
Procedure

  1. Download the '.zip' distribution of the directory software after obtaining the license, and copy it to your Linux machine.
  2. Unzip the file using the command: 'unzip PingDirectory<version>.zip'
  3. Navigate to the unzipped folder and run the setup using the command: './setup'. Refer to the Ping Directory documentation for more details.

Create custom attributes in Ping Directory

Perform the following steps to create custom attributes in Ping Directory.
Procedure

  1. Log in to Ping Directory admin console with the following URL: http://<IP Address>:8080/admin-console/#/ds/10.0.0.1/schema
    Here, '<IP Address>' is the address of the machine where Ping Directory is installed.
  2. To create custom attributes, follow these steps: 
    1. Log in to admin console. Navigate to LDAP Schema located at the top left, then click the Attribute types tab.
    2. Select New Attribute Type, under Actions dropdown.
      image.png
    3. Complete the form with the following values.
      • Name: userPrincipalName
      • Syntax: DN
      • Stored in File: 99-user.ldif
image.png
  1. Repeat the process to create the following custom attributes as shown in the figure.
    • UserAccountExpiration
    • UserAccountStatus
    • UserPrincipalName
image.png
 

The configuration is complete.
Return to Ping Directory- Identity Source Integration - RSA Ready Implementation Guide

Related Articles

Trending Articles

Don't see what you're looking for?