PingFederate - Relying Party Configuration Using SAML - RSA Ready Implementation Guide
4 days ago

This article describes how to integrate RSA Cloud Access Service (CAS) with PingFederate over SAML 2.0. CAS acts as the identity provider, and PingFederate is registered in CAS as a SAML service provider (relying party).

      

Configure CAS

Perform these steps in CAS to register PingFederate as a SAML relying party.

Procedure 

  1. Sign in to RSA Cloud Administration Console.
  2. Click Authentication Clients > Relying Parties.
  3. On the My Relying Parties page, click Add a Relying Party.
  4. On the Relying Party Catalog page, click Add for Service Provider SAML.
  5. On the Basic Information page, enter a name for the Service Provider in the Name field.
  6. Click Next Step.
  7. On the Authentication page, choose RSA manages all authentication.
  8. In the 2.0 Access Policy for Authentication drop-down list, select a policy that was previously configured. 
  9. Click Next Step.
  10. On the Connection Profile page, select Enter Manually.
  11. In the Service Provider section, enter the following details.
    1. ACS URL: Use the format https://<BASE_URL>/sp/ACS.saml2, where <BASE_URL> is the host (and port, if any) of your PingFederate server's Base URL, shown under System > Server > Protocol Settings on the Federation Info tab (see the note at the end of this article). CAS sends the SAML response to this URL, so it must be the exact endpoint PingFederate serves.
    2. Audience (Service Provider Entity ID): Enter the PingFederate SAML 2.0 Entity ID, shown on the same Federation Info tab. CAS places this value in the assertion's AudienceRestriction, and PingFederate rejects assertions whose audience does not match its own entity ID, so the value must match exactly.

Note: If ACS URL and Audience are not known, enter temporary placeholder values so that you can continue. After you complete the PingFederate SP configuration and export its metadata, you can import it to fill these values automatically.

  12. In the Message Protection section, choose IdP signs entire SAML response.
  13. Click Save and Finish.
  14. Click Publish Changes and wait for the operation to be completed.
    After publishing, your application is enabled for SSO.
  15. Under My Relying Parties, navigate to the newly created relying party.
  16. In the Edit drop-down list, choose Metadata and download the CAS metadata file. It contains the CAS entity ID, SSO endpoints and signing certificate that you import into PingFederate in the next procedure.
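The three CAS settings above (ACS URL, Audience, and IdP signs entire SAML response) determine what a correct response from CAS must look like when it reaches PingFederate. The following script is an added example, not part of this guide and not RSA or Ping Identity code. It takes a SAMLResponse captured from the browser (for example the form field shown by a SAML tracer extension) and checks its Destination, Issuer, Response-level signature placement, Audience, validity window and bearer Recipient against the values entered in the CAS form. The host names, entity IDs and the sample response are constructed assumptions; cryptographic verification of the signature value against the CAS certificate is left to PingFederate or an XML-DSig library and is not attempted here.

```python
# Added example (not RSA or Ping Identity code): structural checks on a SAML response
# captured from CAS, against the values entered in the CAS relying-party form.
# Host names, entity IDs and the sample response below are constructed assumptions.
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # prefer defusedxml for responses from untrusted parties

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

EXPECTED = {  # what was typed into the CAS form (assumed values)
    "acs_url": "https://pf.example.com/sp/ACS.saml2",  # ACS URL
    "sp_entity_id": "pf.example.com:saml2",            # Audience
    "idp_entity_id": "https://cas.example.com/idp",    # CAS entity ID from its metadata
}

def decode_post_binding(saml_response_field):
    """The SAMLResponse form field of the HTTP-POST binding is base64 of the raw XML."""
    return base64.b64decode(saml_response_field)

def parse_saml_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z (fractions allowed)."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)

def check_response(xml_bytes, expected, now):
    """Return findings; an empty list means the response matches the CAS settings.
    Only signature *placement* is checked; the signature value itself must still be
    verified against the CAS certificate (PingFederate does this on every response)."""
    findings = []
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        findings.append("status is not Success")
    if root.get("Destination") != expected["acs_url"]:
        findings.append("Destination %r is not the ACS URL" % root.get("Destination"))
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected["idp_entity_id"]:
        findings.append("Issuer %r is not the CAS entity ID" % issuer)
    # "IdP signs entire SAML response": ds:Signature directly under Response, referencing its ID
    sig = root.find("ds:Signature", NS)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    if ref is None or ref.get("URI") != "#" + (root.get("ID") or ""):
        findings.append("no Response-level signature covering the Response ID")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return findings + ["expected one plaintext Assertion, found %d" % len(assertions)]
    assertion = assertions[0]
    # Audience must be the SP entity ID entered in the CAS Audience field
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected["sp_entity_id"] not in audiences:
        findings.append("Audience %r does not include the SP entity ID" % audiences)
    cond = assertion.find("saml:Conditions", NS)
    not_before = cond.get("NotBefore") if cond is not None else None
    not_on_or_after = cond.get("NotOnOrAfter") if cond is not None else None
    if not_before and now < parse_saml_time(not_before):
        findings.append("assertion is not yet valid")
    if not not_on_or_after or now >= parse_saml_time(not_on_or_after):
        findings.append("assertion has expired or carries no NotOnOrAfter")
    # The bearer confirmation must be addressed to the ACS URL
    recipient = None
    for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") == BEARER and data is not None:
            recipient = data.get("Recipient")
    if recipient != expected["acs_url"]:
        findings.append("bearer Recipient %r is not the ACS URL" % recipient)
    return findings

# Constructed sample of a successful, response-signed CAS response (signature value is a placeholder)
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-05-01T12:00:00Z" Destination="https://pf.example.com/sp/ACS.saml2">
  <saml:Issuer>https://cas.example.com/idp</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo><ds:Reference URI="#_r1"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://cas.example.com/idp</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://pf.example.com/sp/ACS.saml2"
          NotOnOrAfter="2024-05-01T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>pf.example.com:saml2</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def check_sample(now="2024-05-01T12:00:30Z", expected=EXPECTED):
    """Run the checks on the constructed sample, as if captured at the given UTC time."""
    return check_response(SAMPLE_RESPONSE, expected, parse_saml_time(now))

if __name__ == "__main__":
    print(check_sample() or "response matches the CAS relying-party settings")
```

To use it on a real capture, pass the base64 SAMLResponse field through decode_post_binding and the result to check_response with your own EXPECTED values and the capture time. A Destination or Recipient finding usually means the ACS URL typed into CAS does not match the PingFederate Base URL; a missing Response-level signature means the CAS relying party is signing only the assertion rather than the entire response.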

              

Configure PingFederate

Perform these steps to create a SAML 2.0 IdP connection to CAS in PingFederate.

Procedure

  1. In the PingFederate administrative console, go to Authentication > Integration > IdP Connections, and then click Create Connection.
  2. On the Connection Type tab, select Browser SSO Profiles, and in the Protocol list, select SAML 2.0.
  3. Click Next.
  4. On the Connection Options tab, click Next.
  5. On the Import Metadata tab, click File, and then click Choose File.
  6. Locate and select the metadata file downloaded from CAS, and click Open.
  7. Click Next.
  8. On the Metadata Summary tab, click Next.
  9. On the General Info tab, review the Partner's Entity ID and Connection Name. The values on this tab are filled from the metadata; the Partner's Entity ID is the Issuer that PingFederate will accept in responses from CAS.
  10. Click Next.
  11. On the Browser SSO tab, click Configure Browser SSO.
  12. On the SAML Profiles tab, select the IDP-INITIATED SSO and SP-INITIATED SSO checkboxes, and click Next.
  13. On the User-Session Creation tab, click Configure User-Session Creation.
  14. On the Identity Mapping tab, click Account Mapping, and then click Next.
  15. On the Attribute Contract tab, click Next.

From this point onward, the configuration splits into two paths. Choose one, depending on how PingFederate should consume the session established by CAS:

A. Configure Using an Adapter Instance: the inbound assertion is mapped to an SP adapter instance (an OpenToken SP adapter in this guide).

B. Configure Using an Authentication Policy Contract: the inbound assertion is mapped to a policy contract, which an authentication policy then hands to a downstream SAML SP connection.

                               

A. Configure Using an Adapter Instance

Perform these steps to configure PingFederate using an adapter instance.

Procedure

  1. On the Target Session Mapping tab, click Map New Adapter Instance.
  2. On the Adapter Instance tab, click Manage Adapter Instances.
  3. On the SP Adapters page, click Create New Instance.
  4. On the Type tab, enter an Instance Name and Instance ID, select OpenToken SP Adapter in the Type drop-down list, and then click Next.
  5. On the Instance Configuration tab, enter the Password and Confirm Password values, and click Next. The password is used only to generate the key that encrypts the OpenToken and is not referenced elsewhere in this guide, so use a long random value.
  6. On the Actions tab, click Next.
  7. On the Extended Contract tab, click Next.
  8. On the Target App Info tab, leave the Application Name and URL fields blank, and click Next.
  9. On the Summary tab, click Save.
  10. On the SP Adapters page, click Done.
  11. On the Adapter Instance tab, in the Adapter Instance drop-down list, select the adapter created previously, and then click Next.
  12. On the Adapter Data Store tab, keep the default selection of Use only the Attributes Available in the SSO Assertion, and then click Next.
  13. On the Adapter Contract Fulfillment tab, set the following:
    1. Select Assertion in the Source drop-down list.
    2. Select SAML_SUBJECT in the Value drop-down list.

Note: These selections map the subject of the inbound assertion from CAS to the adapter contract.

  14. Click Next.
  15. On the Issuance Criteria tab, click Next.
  16. To complete the adapter configuration, click Done on the Adapter Mapping Summary tab. Then, on the Target Session Mapping tab, click Next.
  17. Review the User-Session Creation Summary tab, and then click Done.
  18. On the User-Session Creation tab, click Next.
  19. On the Protocol Settings tab, click Configure Protocol Settings.

Note: The Protocol Settings tab shows the values imported from the CAS metadata.

  20. On the SSO Service URLs tab, review the Endpoint URLs extracted from the metadata and click Next.
  21. On the Allowable SAML Bindings tab, ensure only the POST and REDIRECT checkboxes are selected, and then click Next. Leaving ARTIFACT and SOAP cleared keeps PingFederate from accepting this connection's messages over bindings CAS does not use.
  22. On the Overrides tab, click Next.
  23. On the Signature Policy tab, keep the default selection of Use SAML-Standard Signature Requirements, and click Next. This requires the SAML response or the assertion to be signed; CAS was configured above to sign the entire response.
  24. On the Encryption Policy tab, keep the default selection of None and click Next. The assertion then travels in clear text inside the signed response, so its confidentiality rests on TLS on the browser's connections to CAS and to PingFederate.
  25. On the Protocol Settings Summary tab, review and click Done.
  26. On the Protocol Settings tab, click Next.
  27. On the Browser SSO Summary tab, review the settings and click Done.
  28. On the Browser SSO tab, click Next.
  29. On the Credentials tab, verify that the IdP signing certificate is present, and then click Next.

Note: The signing public key is present because it was imported with the CAS metadata. PingFederate uses it to verify the signature on every response from CAS, so confirm before activating the connection that it is the certificate CAS publishes for this relying party.

  30. On the Activation and Summary tab, ensure the Connection Status is Active, make note of the SSO Application Endpoint URL, and click Save.
  31. On the IdP Connections page, locate the IdP connection you created, open the Select Action list, and click Export Metadata.

Note: If temporary placeholder values were used during the CAS configuration, return to the relying party in CAS, replace them with the ACS URL and entity ID from the exported PingFederate metadata file, and publish the change.

The configuration is complete.

                                                                   

B. Configure Using an Authentication Policy Contract

Perform these steps to configure PingFederate using an authentication policy contract.

Procedure

  1. On the Target Session Mapping tab, click Map New Authentication Policy.
  2. On the Authentication Policy Contract tab, click Manage Policy Contracts.
  3. On the Policy Contracts page, click Create New Contract.
  4. On the Contract Info tab, enter a Contract Name and click Next.
  5. On the Contract Attributes tab, click Next.
  6. On the Authentication Policy Contract Summary tab, click Save.
  7. On the Policy Contracts page, click Done.
  8. On the Authentication Policy Contract tab, select the contract created previously from the Authentication Policy Contract drop-down list and click Next.
  9. On the Attribute Retrieval tab, select Use Only the Attributes Available in the SSO Assertion, and click Next.
  10. On the Contract Fulfillment tab, set the following, and then click Next.
    1. Select Assertion in the Source drop-down list.
    2. Select SAML_SUBJECT in the Value drop-down list.
  11. On the Issuance Criteria tab, click Next.
  12. To complete the mapping, click Done on the Authentication Policy Mapping Summary tab. Then, on the Target Session Mapping tab, click Next.
  13. On the User-Session Creation Summary tab, review the information and click Done to return to the User-Session Creation tab.
  14. On the User-Session Creation tab, click Next.
  15. On the Protocol Settings tab, click Configure Protocol Settings.

Note: The Protocol Settings tab displays the values imported from the CAS metadata.

  16. On the SSO Service URLs tab, review the Endpoint URLs extracted from the metadata, and click Next.
  17. On the Allowable SAML Bindings tab, ensure only the POST and REDIRECT checkboxes are selected (the bindings CAS uses), and then click Next.
  18. On the Overrides tab, click Next.
  19. On the Signature Policy tab, select Use SAML-Standard Signature Requirements and click Next. The response from CAS is signed as a whole, which satisfies this policy.
  20. On the Encryption Policy tab, keep the default selection of None and click Next. The assertion is not encrypted, so TLS on the browser channel is what protects its contents in transit.
  21. On the Protocol Settings Summary tab, review and click Done.
  22. On the Protocol Settings tab, click Next.
  23. On the Browser SSO Summary tab, review the settings and click Done.
  24. On the Browser SSO tab, click Next.
  25. On the Credentials tab, verify that the IdP signing certificate is present, and then click Next.

Note: The signing public key is present because it was imported with the CAS metadata. Confirm that it is the certificate CAS publishes for this relying party; PingFederate verifies every response from CAS against it.

  26. On the Activation and Summary tab, ensure the Connection Status is Active, make note of the SSO Application Endpoint URL, and click Save.
  27. On the IdP Connections page, locate the IdP connection you created, open the Select Action list, and click Export Metadata.

Note: If temporary placeholder values were used during the CAS configuration, return to the relying party in CAS, replace them with the ACS URL and entity ID from the exported PingFederate metadata file, and publish the change.

With the IdP connection in place, map the policy contract to the SP connection that will receive the user, and then build the authentication policy that ties the two together:

  1. In the PingFederate administrative console, navigate to Applications > SP Connections, and click the third-party application's SAML SP connection.
  2. Go to the Assertion Creation section and click Authentication Source Mapping.
  3. On the Authentication Source Mapping tab, click Map New Authentication Policy.
  4. On the Authentication Policy Contract tab, choose the contract created previously in the Authentication Policy Contract drop-down list, and click Next.
  5. On the Mapping Method tab, click Next.
  6. On the Attribute Contract Fulfillment tab, choose Authentication Policy Contract in the Source drop-down list and subject in the Value drop-down list.
  7. Click Next.
  8. On the Issuance Criteria tab, click Next.
  9. On the Summary tab, review the information and click Save.
  10. In the PingFederate administrative console, navigate to Authentication > Policies and then click Add Policy.
  11. On the Policy page, enable the policy contract created previously.
  12. On the Issuance Criteria tab, click Next.
  13. On the Summary tab, review the information and click Done.
  14. On the Policy page, click Done.
  15. On the Policies page, click Save. The finished authentication policy has three Action branches:
    1. The first Action branch uses the HTML form authentication method.
    2. The second Action branch uses the RSA ID Plus IdP connection configured previously.
    3. The third Action branch uses the authentication policy contract to take attributes from the IdP connection and send them to the SAML SP connection.
  16. Click Options on the IdP Connection (second Action branch).
  17. On the Incoming User ID pop-up window, choose Adapter in the Source drop-down list and username in the Attribute drop-down list, and click Done.
  18. Click Contract Mapping on the Policy Contract (third Action branch).
  19. On the Attribute Sources & User Lookup tab, click Next.
  20. On the Contract Fulfillment tab, choose the IdP Connection in the Source drop-down list, choose SAML_SUBJECT in the Value drop-down list, and click Next.
  21. On the Issuance Criteria tab, click Next.
  22. On the Summary tab, review the information and click Done.
  23. On the Policy page, click Done.
  24. On the Policies page, click Save to complete the configuration.

The configuration is complete.

Note: To find the values the CAS relying party needs, go to System > Server > Protocol Settings and open the Federation Info tab. The host (and port) of the Base URL is the <BASE_URL> in the ACS URL https://<BASE_URL>/sp/ACS.saml2, and the SAML 2.0 Entity ID is the Audience. Verify that the SAML 2.0 Entity ID contains a valid and unique value: it is the identifier PingFederate places in its own SAML messages and the audience it expects in assertions from CAS.
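Both paths end by exporting the PingFederate metadata, and the note above names the two values that metadata carries for the CAS form (the Base URL in the ACS endpoint and the SAML 2.0 Entity ID). The following script is an added example, not part of this guide and not RSA or Ping Identity code. It summarizes either side's metadata: run on the CAS file downloaded in the CAS procedure it shows the entity ID, SSO endpoints per binding and the SHA-256 fingerprint of the signing certificate that the PingFederate import fills in; run on the exported PingFederate SP metadata it produces the ACS URL and Audience to paste into CAS and flags an ACS URL that does not follow https://<BASE_URL>/sp/ACS.saml2. The two sample documents, their host names and their certificate contents are constructed placeholders.

```python
# Added example (not RSA or Ping Identity code): summarize SAML 2.0 metadata from either
# side of this integration and derive the CAS relying-party form values from it.
# Sample documents, host names and certificate bytes below are constructed placeholders.
import base64
import hashlib
import xml.etree.ElementTree as ET  # prefer defusedxml for metadata from untrusted sources

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = {  # binding URI -> the checkbox name used on the Allowable SAML Bindings tab
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "REDIRECT",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact": "ARTIFACT",
    "urn:oasis:names:tc:SAML:2.0:bindings:SOAP": "SOAP",
}

def summarize_metadata(xml_bytes):
    """Return entity ID, role (IdP or SP), endpoints per binding and SHA-256 fingerprints
    of the certificates usable for signing (KeyDescriptor use="signing" or no use attribute)."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a single-entity SAML metadata document")
    info = {"entity_id": root.get("entityID"), "role": None, "endpoints": {}, "signing_certs": []}
    role = root.find("md:IDPSSODescriptor", NS)
    if role is not None:
        info["role"], element = "IdP", "md:SingleSignOnService"
    else:
        role = root.find("md:SPSSODescriptor", NS)
        if role is None:
            raise ValueError("no IDPSSODescriptor or SPSSODescriptor")
        info["role"], element = "SP", "md:AssertionConsumerService"
    for ep in role.findall(element, NS):
        info["endpoints"][BINDINGS.get(ep.get("Binding"), ep.get("Binding"))] = ep.get("Location")
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                der = base64.b64decode("".join(cert.text.split()))  # PEM body without headers
                info["signing_certs"].append(hashlib.sha256(der).hexdigest())
    return info

def cas_form_values(sp_info):
    """ACS URL and Audience for the CAS relying-party form, from PingFederate SP metadata,
    plus findings for anything that does not match what this guide expects."""
    acs = sp_info["endpoints"].get("POST")
    findings = []
    if sp_info["role"] != "SP":
        findings.append("metadata is not SP metadata")
    if not acs:
        findings.append("no HTTP-POST AssertionConsumerService; CAS delivers the response by POST")
    elif not (acs.startswith("https://") and acs.endswith("/sp/ACS.saml2")):
        findings.append("ACS URL %r is not of the form https://<BASE_URL>/sp/ACS.saml2" % acs)
    if not sp_info["entity_id"]:
        findings.append("missing entityID (the PingFederate SAML 2.0 Entity ID)")
    return {"acs_url": acs, "audience": sp_info["entity_id"], "findings": findings}

def extra_idp_bindings(idp_info):
    """SSO bindings in the CAS metadata other than POST and REDIRECT, the only ones the
    PingFederate connection is configured to allow."""
    return sorted(b for b in idp_info["endpoints"] if b not in ("POST", "REDIRECT"))

# Constructed placeholder certificate bytes (not a real X.509 certificate).
FAKE_CERT = base64.b64encode(b"placeholder-not-a-real-certificate").decode()

SAMPLE_IDP_METADATA = ("""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://cas.example.com/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://cas.example.com/idp/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://cas.example.com/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % FAKE_CERT).encode()

SAMPLE_SP_METADATA = ("""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="pf.example.com:saml2">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://pf.example.com/sp/ACS.saml2" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % FAKE_CERT).encode()

if __name__ == "__main__":
    idp = summarize_metadata(SAMPLE_IDP_METADATA)
    print("CAS IdP:", idp["entity_id"], idp["endpoints"], "extra bindings:", extra_idp_bindings(idp))
    print("CAS form values:", cas_form_values(summarize_metadata(SAMPLE_SP_METADATA)))
```

Run summarize_metadata on the real files instead of the samples. The certificate fingerprint printed for the CAS metadata is the one to compare against the Credentials tab of the IdP connection before activating it, and the ACS URL and audience from the PingFederate export are the values to paste over any placeholders left in the CAS relying party.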