PingOne (SAML-P) configuration

This how-to guide describes how to configure U4IDS with PingOne, a SAML-P provider. For more information about SAML-P, see SAML V2.0 Protocol. In this example we use PingOne, a cloud IdP that does not require any installation.

This is a how-to guide and it does not explain the terminology. For more information about tenants, see Registering a tenant and Configuration of a tenant.

Prerequisites

Note: The list of official IDS environments can be found here

Steps

Add and configure a new Application

In PingOne the registration of U4IDS is done by adding a new Application.

  1. In the Applications tab, click Add Application and select the New SAML Application option.

  2. Fill in the name and description, select a category, and continue to the next screen.

  3. Choose I have the SAML configuration. U4IDS does not expose SAML SP metadata in the current version.

  4. Configure the Assertion Consumer Service (ACS) to point to the authority address of U4IDS plus the path /AuthServices/Acs. In our example this is https://u4ids-dev.azurewebsites.net/identity/AuthServices/Acs

  5. Set the Entity ID to the same value used in the U4IDS configuration (the application settings key name is identityserver:providers:saml2:entity-id). Note that this value must be a valid URI. Our example setup: https://u4ids-dev.azurewebsites.net/identity

  6. Click SAML Metadata to download the metadata of the configured SAML endpoint of the PingOne Identity Provider. PingOne keeps the metadata behind the portal login, so IDS cannot fetch it directly as it can for many other SAML providers. The downloaded .xml file needs to be stored in a location that can be referenced over HTTP. For example, you could place it in Dropbox and expose it as: https://www.dropbox.com/s/021qu4two349x7e/peopleplatform-unit4-saml2-metadata.xml?raw=1. If your SAML IdP publishes its metadata publicly, you do not need to do this step. The URL of the IdP metadata is used as the authority value when configuring the tenant.

  7. Configure the attributes (claims) that PingOne will send to U4IDS. Make sure the attribute you want to use to identify the user in Unit4 systems is one of them (for example, an attribute named email mapped to Email). The claim you use must uniquely identify the user in the given Identity Provider's store.

Create and configure tenant in U4IDS

Use the PowerShell scripts or the REST API to create the tenant to be used with SAML-P.

Sample tenant configuration:

{
  "authority": "https://www.dropbox.com/s/021qu4two349x7e/peopleplatform-unit4-saml2-metadata.xml?raw=1",
  "description": "Example tenant using SAML towards PingOne",
  "idpRegId": "https://pingone.com/idp/cd-36679184.unit4",
  "nameClaimType": "name",
  "protocol": "saml2",
  "tenantId": "89DEC732-5AFB-4C06-A2E5-A8C8CD815FDA",
  "unit4IdClaimType": [
    "email"
  ],
  "includeIdentityScopesInConsent": true
}
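As an added pre-flight check (this is example code, not part of U4IDS or this guide), the following Python verifies that a tenant document and the PingOne metadata file its authority points at agree before the tenant is created: the idpRegId must equal the metadata entityID, the metadata must describe an IdP with a single sign-on endpoint and a signing certificate, and the SP Entity ID from step 5 must be an absolute URI. The metadata XML below is a constructed stand-in for the downloaded file, and the check messages are my own wording, not U4IDS error texts.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# XML namespaces used by SAML 2.0 metadata and XML-DSig.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the metadata file downloaded via "SAML Metadata"
# in PingOne; the certificate and endpoint values are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://pingone.com/idp/cd-36679184.unit4">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# The tenant document from this guide, reduced to the keys the check uses.
SAMPLE_TENANT = {
    "authority": "https://www.dropbox.com/s/021qu4two349x7e/peopleplatform-unit4-saml2-metadata.xml?raw=1",
    "idpRegId": "https://pingone.com/idp/cd-36679184.unit4",
    "protocol": "saml2",
    "unit4IdClaimType": ["email"],
}

def is_absolute_uri(value):
    """Step 5 requires the SP Entity ID to be a valid (absolute) URI."""
    u = urlparse(value)
    return bool(u.scheme) and bool(u.netloc or u.path)

def check_tenant(tenant, metadata_xml):
    """Return mismatches between a tenant document and the IdP metadata its
    authority points at; an empty list means the two are consistent."""
    problems = []
    if urlparse(tenant.get("authority", "")).scheme != "https":
        problems.append("authority is not an https URL")
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return problems + ["metadata root is not md:EntityDescriptor"]
    if root.get("entityID") != tenant.get("idpRegId"):
        problems.append("idpRegId does not match metadata entityID %r" % root.get("entityID"))
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["metadata describes no IdP (IDPSSODescriptor missing)"]
    if idp.find("md:SingleSignOnService", NS) is None:
        problems.append("no SingleSignOnService endpoint in metadata")
    if idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
        problems.append("no signing certificate in metadata, so assertions could not be verified")
    return problems
```

Run check_tenant against the real downloaded .xml and the tenant JSON you are about to submit; any non-empty result points at a value that will make the SAML login fail later.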