PingFederate

This integration uses the SAML 2.0 protocol. With the SAML integration, you can connect your PingFederate solution with Akamai MFA, providing the user with two-step authentication. First, the user needs to confirm their identity with your PingFederate instance, for example, using their username and password. Next, the user has to confirm that the login is legitimate using one of the Akamai MFA second factors.

Before you begin

Create a SAML Integration in Enterprise Center

How to

  1. In the PingFederate admin console, go to Authentication > Integration > IdP Connections.
  2. Click Create Connection.
  3. In the Connection Type tab, select Browser SSO Profiles.
  4. In the Protocol dropdown menu, select SAML 2.0 and click Next.
  5. In the Connection Options tab, select the Browser SSO checkbox and click Next.
  6. In the Import Metadata tab, select None and click Next.
  7. In the General Info tab, do the following:
    a. In Partner’s Entity ID (Connection ID), enter the Issuer URI you generated in Enterprise Center.
    b. In Connection Name, enter a name of your choice.
  8. Click Next.
  9. In the Browser SSO tab, click Configure Browser SSO.
  10. In the SAML Profiles tab, select both IDP-INITIATED SSO and SP-INITIATED SSO as your Single Sign-On (SSO) Profiles. Don’t select any Single Logout (SLO) Profiles.
  11. Click Next.
  12. In the User-Session Creation tab, click Configure User-Session Creation.
  13. In the Identity Mapping tab, select ACCOUNT MAPPING and click Next.
  14. In the Attribute Contract tab, click Next.
  15. In the Target Session Mapping tab, click Map New Authentication Policy.
  16. In the Authentication Policy Contract tab, expand the AUTHENTICATION POLICY CONTRACT dropdown menu and select your policy contract.
  17. Click Next.
  18. In the Attribute Retrieval tab, select USE ONLY THE ATTRIBUTES AVAILABLE IN THE SSO ASSERTION and click Next.
  19. In the Contract Fulfillment tab, do the following:
    a. Expand the Source dropdown menu for subject and select Assertion.
    b. Expand the Value dropdown menu for subject and select SAML_SUBJECT.
    c. Click Next.
  20. In the Issuance Criteria tab, you can configure optional criteria to be evaluated during the SSO transaction. Once you’ve set them up, click Next.
  21. In the Summary tab, check that the information you’ve entered is correct. Your Summary tab may look something like this:
    Authentication Policy Contract
      Selected contract: <your contract name>
    Attribute Retrieval
      Attribute location: Use only the attributes available in the SSO Assertion
    Contract Fulfillment
      subject: SAML_SUBJECT(Assertion)
    Issuance Criteria
      Criterion: <your criterion> or (None)
  22. Click Done.
    The Target Session Mapping tab opens.
  23. In the Target Session Mapping tab, you should now see your added Authentication Policy Contract Name. Click Next.
  24. In the Summary tab, check that the information you’ve entered is correct. Your Summary tab may look something like this:
    Identity Mapping
      Enable Account Mapping: true
    Attribute Contract
      Attribute: SAML_SUBJECT
    Target Session Mapping
      Authentication policy contract name: <your contract name>
    Authentication Policy Contract
      Selected contract: <your contract name>
    Attribute Retrieval
      Attribute location: Use only the attributes available in the SSO Assertion
    Contract Fulfillment
      subject: SAML_SUBJECT(Assertion)
    Issuance Criteria
      Criterion: <your criterion> or (None)
  25. Click Done.
    The User-Session Creation tab opens.
  26. In the User-Session Creation tab, click Next.
  27. In the Protocol Settings tab, click Configure Protocol Settings.
  28. In the SSO Service URLs tab, do the following:
    a. Expand the Binding dropdown menu and select POST.
    b. In Endpoint URL, enter the SSO URL you generated in Enterprise Center.
    c. In Action, click Add.
    d. Click Next.
  29. In the Allowable SAML Bindings tab, deselect the ARTIFACT, REDIRECT and SOAP bindings. The POST binding should be the only one that remains selected.
  30. Click Next.
  31. In the Overrides tab, click Next.
  32. In the Signature Policy tab, do the following:
    a. Select the SPECIFY ADDITIONAL SIGNATURE REQUIREMENTS checkbox.
    b. Select the SIGN AUTHN REQUESTS SENT OVER POST AND REDIRECT BINDINGS checkbox.
    c. Click Next.
  33. In the Encryption Policy tab, select NONE and click Next.
  34. In the Summary tab, check that the information you’ve entered is correct. Your Summary tab may look something like this:
    SSO Service URLs
      Endpoint: <your SSO URL>
    Allowable SAML Bindings
      Artifact: false
      POST: true
      Redirect: false
      SOAP: false
    Overrides
    Signature Policy
      Sign AuthN requests over POST and Redirect: true
      Require digitally signed SAML Assertion: false
    Encryption Policy
      Status: Inactive
  35. Click Done.
    The Protocol Settings tab opens.
  36. In the Protocol Settings tab, click Next.
  37. In the Summary tab, check that the information you’ve entered is correct. Your Summary tab may look something like this:
    Browser SSO
      SAML Profiles
        IdP-initiated SSO: true
        IdP-initiated SLO: false
        SP-initiated SSO: true
        SP-initiated SLO: false
      User-Session Creation
        Identity Mapping
          Enable Account Mapping: true
        Attribute Contract
          Attribute: SAML_SUBJECT
        Target Session Mapping
          Authentication policy contract name: <your contract name>
        Authentication Policy Contract
          Selected contract: <your contract name>
        Attribute Retrieval
          Attribute location: Use only the attributes available in the SSO Assertion
        Contract Fulfillment
          subject: SAML_SUBJECT(Assertion)
        Issuance Criteria
          Criterion: <your criterion> or (None)
      Protocol Settings
        SSO Service URLs
          Endpoint URL: <your SSO URL> (POST)
        Allowable SAML Bindings
          Artifact: false
          POST: true
          Redirect: false
          SOAP: false
        Overrides
        Signature Policy
          Sign AuthN requests over POST and Redirect: true
          Require digitally signed SAML Assertion: false
        Encryption Policy
          Status: Inactive
  38. Click Done.
    The Browser SSO tab opens.
  39. In the Browser SSO tab, click Next.
  40. In the Credentials tab, click Configure Credentials.
  41. In the Digital Signature Settings tab, do the following:
    a. Expand the SIGNING CERTIFICATE dropdown menu and select your certificate.
    b. Select the INCLUDE THE CERTIFICATE IN THE SIGNATURE ELEMENT checkbox.
    c. Select the INCLUDE THE RAW KEY IN THE SIGNATURE ELEMENT checkbox.
    d. Expand the SIGNING ALGORITHM dropdown menu and select RSA SHA256.
    e. Click Next.
  42. In the Signature Verification Settings tab, click Manage Signature Verification Settings.
  43. In the Trust Model tab, select UNANCHORED and click Next.
  44. In the Signature Verification Certificate tab, click Manage Certificates.
  45. On the Certificate Management screen, click Import.
  46. In the Import Certificate tab, click Choose File.
    Your operating system's file manager opens.
  47. Choose the certificate file that you generated and downloaded in the first step of the SAML Integration in Enterprise Center.
  48. Click Next.
  49. Back in the Import Certificate tab, you can now see the details of your certificate.
  50. Click Save and Done.
  51. Your certificate is now listed in the Signature Verification Certificate tab.
  52. Click Next.
  53. In the Summary tab, check that the information you’ve entered is correct. Your Summary tab may look something like this:
    Trust Model
      Trust Model: Unanchored
    Signature Verification Certificate
      Active Certificate 1: <your certificate>
  54. Click Done.
  55. In the Signature Verification Settings tab, click Next.
  56. In the Summary tab, check that the information you’ve entered is correct. Your Summary tab may look something like this:
    Credentials
      Digital Signature Settings
        Selected Certificate: <your credentials certificate>
        Include Certificate in KeyInfo: true
        Include Raw Key in KeyValue: true
        Select Signing Algorithm: RSA SHA256
      Signature Verification
        Trust Model
          Trust Model: Unanchored
        Signature Verification Certificate
          Active Certificate 1: <your certificate>
  57. Click Done.
  58. In the Credentials tab, click Next.
  59. In the Activation & Summary tab, you can once more go over your settings before activating the connection. If everything is correct, click Save.
  60. The IdP Connections screen opens. Your new connection is now present on the list.
  61. In the Action tab of the IdP Connection, click Select Action to expand the dropdown menu.
  62. Download the metadata by clicking the Export Metadata link.
  63. Upload the exported metadata to the SAML integration you created in Enterprise Center. To upload, in your integration settings, click Provision > Metadata.
  64. Select your metadata file and click Upload.
  65. Save and deploy your integration.

You've just configured a SAML integration between your PingFederate solution and Akamai MFA.
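Before uploading the exported metadata to Enterprise Center, it is worth confirming that the file actually reflects the settings chosen above (signed AuthN requests, POST as the only allowed binding, a signing certificate present, no SLO profiles). The Python script below is an added example, not part of this guide or of PingFederate or Akamai MFA; it assumes the standard SAML 2.0 metadata schema that PingFederate exports and runs against a constructed sample file whose entity ID, ACS URL and certificate are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of an exported SP metadata file. The entity ID, ACS URL
# and certificate are placeholders, not values from a real deployment.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://pingfederate.example.test">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://pingfederate.example.test/sp/ACS.saml2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text):
    """Map each setting from the walkthrough to the metadata element it is
    expected to produce and return {check_name: passed}. Only parse metadata
    you exported yourself; ElementTree is not hardened against hostile XML."""
    sp = ET.fromstring(xml_text).find("md:SPSSODescriptor", NS)
    if sp is None:
        return {"has_sp_descriptor": False}
    acs_bindings = {e.get("Binding") for e in sp.findall("md:AssertionConsumerService", NS)}
    signing_certs = sp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "has_sp_descriptor": True,
        # Signature Policy: "Sign AuthN requests over POST and Redirect" = true
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        # Allowable SAML Bindings: POST is the only binding left selected
        "post_only_acs": acs_bindings == {HTTP_POST},
        # Digital Signature Settings: certificate included so the IdP can verify requests
        "has_signing_cert": any(c.text and c.text.strip() for c in signing_certs),
        # SAML Profiles: no SLO profiles selected, so no SLO endpoint should be advertised
        "no_slo_endpoint": sp.find("md:SingleLogoutService", NS) is None,
    }


def metadata_ok(xml_text):
    """True when every check passes; print the failing ones otherwise."""
    results = check_sp_metadata(xml_text)
    for name, passed in results.items():
        if not passed:
            print(f"FAIL: {name}")
    return all(results.values())
```

To check a real export, read the downloaded file into a string and pass it to `metadata_ok`; any printed `FAIL:` line names the setting to revisit in the admin console before uploading.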