This section describes how to integrate PingFederate with RSA Cloud Authentication Service using My Page SSO.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service using My Page SSO.

Procedure

1. Sign in to RSA Cloud Administration Console and go to Applications > Application Catalog, search for Ping Identity PingFederate and click Add to add the connector.

2. Choose Cloud on the Basic Information page.

3. Enter the name for the application and click Next Step.

4. On the Connection Profile page, Navigate to Initiate SAML Workflow section and choose IdP-initiated.

5. Go to the Service Provider section and enter below details:
   1. ACS URL: It will be in this format https://<BASE_URL>/sp/ACS.saml2. This represents the base URL of the PingFederate server. Replace <BASE_URL> with the actual domain of your PingFederate setup.
   2. Audience (Service Provider Entity ID): The format will be <SAML 2.0 ENTITY ID> which can be retrieved from the PingFederate administrative console. Refer to the notes for detailed steps.

Note:  If ACS URL and Audience are not known, enter temporary place holder values so that you can continue. After you complete the PingFederate SP configuration and export its metadata, you can import it to fill these values automatically.

6. Scroll down to the Identity Provider section. Make a note of the Identity Provider URL, as it will be required for the PingFederate configuration.

7. On the User Identity section, select the following options:
   1. Identifier Type – emailAddress
   2. Property – mail

8. Click Next Step.
9. On the User Access page, select the access policy the identity router will use to determine which users can access the application.

10. Click Next Step.
11. On the Portal Display page, configure the portal display and other settings. Then click Next Step.
12. On the Fulfillment page, configure your preferred settings or leave the Fulfillment toggle button disabled as it is, then click Save and Finish.
13. Locate the application created in My Applications page and click the dropdown arrow next to Edit > Export Metadata.
14. Click Publish Changes and wait for the operation to be completed.

15. After publishing, your application is now enabled for SSO. 

Configure PingFederate

Perform these steps to configure PingFederate.

1. In the PingFederate administrative console, go to Authentication > Integration > IdP Connections, and then click Create Connection.

2. On the Connection Type tab, select Browser SSO Profiles, and in the Protocol list, select SAML 2.0. Click Next.

3. On the Connection Options tab, click Next.

4. On the Import Metadata tab, click File, and then click Choose File.
5. Locate and select metadata file from the RSA Cloud Authentication Service configuration, click Open, and click Next to proceed.

6. On the Metadata Summary tab, click Next.

7. On the General Info tab, The General Info tab is filled out by the metadata. Review the Partner’s Entity ID and Connection Name. Click Next.

8. On the Browser SSO tab, click Configure Browser SSO.

9. On the SAML Profiles tab, check the IDP-Initiated SSO and the SP-Initiated SSO checkboxes, and click Next.

10. On the User-Session Creation tab, click Configure User-Session Creation.

11. On the Identity Mapping tab, click Account Mapping and then click Next.

12. On the Attribute Contract tab, click Next.

Note: From this point onward, the configuration process splits into two distinct paths. Choose one path from each configuration based on your specific needs to proceed.

Configure Using an Adapter Instance

Perform these steps to configure PingFederate using Adapter Instance. 

1. On the Target Session Mapping tab, click Map New Adapter Instance.

2. On the Adapter Instance tab, click the Manage Adapter Instances button.

3. On the SP Adapters page, click Create New Instance button.

4. On the Type tab, enter Instance Name and Instance ID, select OpenToken SP Adapter from the Type dropdown list, and click Next.

5. On the Instance Configuration tab, enter the Password and Confirm Password field values (This is used to generate the encryption key and is not referenced elsewhere), and click Next.

6. On the Actions tab, click Next.

7. On the Extended Contract page, click Next.

8. On the Target App Info tab, leave the Application Name and URL fields blank, and click Next.

9. On the Summary tab, click Save.
10. On the SP Adapters page, click Done.
11. On the Adapter Instance tab, from the Adapter Instance dropdown, select the adapter name created previously and click Next.

12. On the Adapter Data Store tab, keep the default selection of Use only the Attributes Available in the SSO Assertion, and then click Next.

13. On the Adapter Contract Fulfillment tab, set the following:

1. 1. Select Assertion from the Source dropdown list.
   2. Select SAML_SUBJECT from the Value dropdown list.

Note: These selections map the attributes from the inbound assertion to the connection attributes.

14. Click Next to proceed.

15. On the Issuance Criteria tab, click Next.

16. To complete the adapter configuration, click Done on the Adapter Mapping Summary tab. Then, on the Target Session Mapping tab, click Next.
17. Review the User-Session Creation Summary tab, and then click Done.
18. On the User Session Creation tab, click Next.

19. On the Protocol Settings tab, click Configure Protocol Settings.

Note: The Protocol Settings tab shows the currently configured values from the metadata.

20. On the SSO Service URLs tab, review the Endpoint URLs extracted from the metadata. Click Next.

21. On the Allowable SAML Bindings tab, ensure only Post and Redirect are selected, and then click Next.

21. On the Overrides tab, click Next.
22. On the Signature Policy tab, use the default selection of Use SAML-Standard Signature Requirements where the IdP will sign the response. Click Next.

23. On the Encryption Policy tab, keep the default selection None. Click Next.

24. On the Protocol Settings Summary tab, review and click Done.
25. On the Protocol Settings tab, click Next.
26. On the Browser SSO Summary tab, review the settings and click Done.
27. On the Browser SSO tab, click Next.

28. On the Credentials tab, verify the IdP signing certificate is available, and then click Next.

Note:  The signing public key is included because you imported metadata. 

29. On the Activation and Summary tab, ensure the Connection Status is Active, make note of the SSO Application Endpoint URL, and click Save.

30. On the IdP Connections page, locate the IdP Connection just created, open the Select Action list, and click Export Metadata.

Note: If temporary placeholder values were used during the RSA Cloud Authentication Service configuration, return and update them with the values from the PingFederate metadata file.

Configuration completed.

Configure using an Authentication Policy Contract

Perform these steps to configure Policy Contract 

1. On the Target Session Mapping tab, click Map New Authentication Policy.

2. On the Authentication Policy Contract tab, click the Manage Policy Contracts button.

3. On the Policy Contracts page, click Create New Contract.

4. On the Contract Info tab, enter Contact Name and click Next.
5. On the Contract Attributes page, click Next.
6. On the Authentication Policy Contract Summary Page, click Save.
7. On the Policy Contracts page, click Done.
8. On the Authentication Policy Contract tab, select the contract created previously from the Authentication Policy Contract dropdown list. Click Next.
9. On the Attribute Retrieval tab, select Use Only the Attributes Available in the SSO Assertion option, and click Next.

10. On the Contract Fulfillment tab, set the following and then click Next:

1. 1. Select Assertion from the Source dropdown list.
   2. Select SAML_SUBJECT from the Value dropdown list.

11. On the Issuance Criteria tab, click Next.

12. To complete the configuration, click Done on the Authentication Policy Mapping Summary tab. Then, on the Target Session Mapping tab, click Next.
13. On the User-Session Creation Summary tab, review the information and click Done to return to the User-Session Creation tab.
14. On the User Session Creation tab, click Next.

15. On the Protocol Settings tab, click Configure Protocol Settings.

Note: The Protocol Settings tab displays the currently configured values from the metadata.

16. On the SSO Service URLs tab, review the Endpoint URLs extracted from the metadata, and click Next.

17. On the Allowable SAML Bindings tab, ensure only Post and Redirect are selected, and then click Next.

18. On the Overrides tab, click Next.
19. On the Signature Policy tab, select Use SAML-Standard Signature Requirements where the IdP will sign the response. Then click Next.

20. On the Encryption Policy tab, keep the default selection of None. Click Next.

21. On the Protocol Settings Summary tab, review and click Done.
22. On the Protocol Settings tab, click Next.
23. On the Browser SSO Summary tab, review the settings and click Done.
24. On the Browser SSO tab, click Next.

25. On the Credentials tab, verify the IdP signing certificate is available, and then click Next.

Note: The signing public key was included Because you imported metadata. 

26. On the Activation and Summary tab, ensure the Connection Status is Active, make note of the SSO Application Endpoint URL, and click Save.

27. On the IdP Connections page, locate the IdP Connection created, open the Select Action list and click Export Metadata.

Note: If temporary placeholder values were used during the RSA Cloud Authentication Service configuration, return and update them with the values from the PingFederate metadata file

28. In the PingFederate administrative console, navigate to Applications > SP Connections. Click the 3rd party application SAML SP connection.

29. Go to the Assertion Creation section and click Authentication Source Mapping.

30. On the Authentication Source Mapping tab, click Map New Authentication Policy.
31. On the Authentication Policy Contract tab, choose the contract created previously from the Authentication Policy Contract dropdown list, and click Next.
32. On the Mapping Method page, click Next.

33. On the Attribute Contract Fulfillment tab, choose Authentication Policy Contract from the Source drop-down menu and subject from the Value drop-down menu. Then click Next.

34. On the Issuance Criteria page, click Next.
35. On the Summary page, review the information and click Save.
36. In the PingFederate administrative web console, navigate to Authentication > Policies and then click Add Policy.

37. On the Policy page, enable the policy contract created previously.

38. On the Issuance Criteria tab, click Next.
39. On the Summary tab, review the information and click Done.
40. On the Policy page, click Done.
41. On the Policies page, click Save to complete the configuration process. Configure the authentication policy as shown in the following information:
    1. The first Action branch is configured to HTML form authentication method.
    2. The second Action branch is configured to use RSA ID Plus IdP connection previously configured.
    3. The third Action branch is configured to use an Authentication Policy Contract to take attributes from the IdP connection and send them to the created SAML SP.

42. Click Options on the IdP Connection (second Action branch).
43. On the Incoming User ID pop-up, choose the Adapter from the Source dropdown list, username from the Attribute dropdown list,  and click Done.

44. Click Contract Mapping on the Policy Contract (third Action branch).
45. On the Attribute Sources & User Lookup page, click Next.
46. On the Contract Fulfillment tab, choose the IdP Connection from the Source dropdown list, choose SAML_SUBJECT from the Value dropdown list, and click Next.

Notes

• To access and verify the required settings, go to System > Server > Protocol Settings, then under the Federation Info tab, note the Base URL used in the RSA Cloud Authentication Service configuration. Additionally, verify that the SAML 2.0 Entity ID field contains a valid and unique value, as it will also be used in the RSA Cloud Authentication Service configuration.

Configuration completed.