How to configure SSO via PingFederate

Short.io supports Single Sign-On (SSO) integration with PingFederate.

Note

SSO is available on the Enterprise Plan.

Before you begin

You need to create a Team in Short.io before setting up SSO. Follow the instructions in this article.

How to configure SSO with PingFederate

PingFederate settings

Before configuring your integration, you will need to create a brand new connection from within PingFederate as follows:

  1. Access your PingFederate instance.

  2. Choose the Identity Provider tab from the left-hand menu.

  3. In the Identity Provider page click on Create New:

    PingFederate Identity Provider page with Create New button highlighted

  4. In the Connection Type tab select the Browser SSO Profiles connection template and click on Next:

    Connection Type tab with Browser SSO Profiles template selected

  5. In the Connection Options tab select Browser SSO and click on Next:

    Connection Options tab with Browser SSO option selected

  6. Review the information on the Metadata Summary tab and click on Next.

  7. In the General Info tab ensure that the Service Provider’s Entity ID, Connection Name, and Base URL fields are pre-populated based on the metadata.

  8. Click on Next.

  9. Navigate to the Browser SSO tab and click on Configure Browser SSO. You will be redirected to the Browser SSO Setup wizard.

  10. In the SAML Profiles tab select the IdP-Initiated SSO and SP-Initiated SSO options and click on Next.

    SAML Profiles tab with IdP-Initiated and SP-Initiated SSO options selected

  11. In the Assertion Lifetime tab enter your desired assertion validity time and click on Next (the default configuration is 5 minutes).

  12. Navigate to the Assertion Creation tab and click on Configure Assertion Creation.

  13. In the Assertion Creation setup wizard:

    • from the Identity Mapping tab select STANDARD and click on Next

    • from the Attribute Contract tab select a Subject Name Format for the SAML_SUBJECT and click on Next

    • from the Authentication Source Mapping tab click on Map New Adapter Instance

      Authentication Source Mapping tab with Map New Adapter Instance button

    • select an Adapter Instance and click on Next. The adapter must include the user’s email address:

      Adapter Instance selection with Adapter dropdown and subject contract

    • from the Mapping Method tab select Use only the adapter contract values from the SAML assertion and click on Next

    • from the Attribute Contract Fulfillment tab select your adapter instance as Source and the email as Value and click on Next

      Attribute Contract Fulfillment with Adapter source and subject value selected

    • skip the Issuance Criteria by clicking on Next

    • in the Summary tab click on Done

    • you are redirected back to the Authentication Source Mapping tab. Click on Next to review the summary

    • in the Summary tab click on Done

    • review the Assertion Creation settings and click on Next

Configure protocol settings

You will then have to configure your protocol settings:

  1. Navigate to the Protocol Settings tab of the Browser SSO wizard and click on Configure Protocol settings:

    Protocol Settings tab with Configure Protocol Settings button

  2. In the Assertion Consumer Service URL tab, select POST for Binding and specify the single sign-on endpoint URL in the Endpoint URL field:

    Assertion Consumer Service URL tab with POST binding and endpoint URL configured

  3. Click on Next.

  4. In the Allowable SAML Bindings tab select POST and click on Next.

  5. In the Signature Policy tab select your desired signature policies for assertions and click on Next:

    Signature Policy tab with signing and authentication request options selected

  6. In the Encryption Policy tab select your desired encryption policy for assertions and click on Next.

  7. In the Protocol Settings Summary tab click on Done.

  8. In the Browser SSO Summary click on Done.

Define your credentials

Next, you will need to define your Credentials.

  1. In the Credentials tab, click on Configure Credentials:

    Credentials tab with Configure Credentials button

  2. In the Digital Signature Settings tab select Signing Certificate to use with the Single Sign-On service and select Include the certificate in the signature element.

    Digital Signature Settings with signing certificate and algorithm selected

  3. Click on Done.

  4. In the Summary tab click on Done.

  5. In the Credentials tab click on Next.

Metadata Export

Now that you have configured the integration, you can export your metadata to Short.io. Follow the steps below:

  1. Navigate to the System Settings and choose Metadata Export.

  2. From the Metadata Role tab, select I am the IDP.

    Metadata Export with I am the Identity Provider role selected

  3. Click on Next.

  4. Select Use a connection for Metadata Generation and click on Next:

    Metadata Mode tab with Use a connection for Metadata Generation selected

  5. In the Connection Metadata tab select the SP connection you created for Short.io:

    Connection Metadata tab with SP connection and attribute contract details

  6. Click on Next.

  7. Select the signing certificate and click on Next:

    Metadata Signing tab with signing certificate and RSA SHA256 algorithm

  8. Review and export the metadata file:

Metadata Export summary with Export button highlighted

Short.io settings

  1. Sign in to your Short.io account.

  2. Navigate to the Settings and click on Teams:

    Short.io Settings with Teams and SAML configuration options highlighted

  3. Click on your team and then click SAML Configuration.

  4. In the next screen:

    • enable the SAML configuration:

      SAML configuration section with Config enabled toggle

    • enter the name of your company in the SSO configuration field:

      SAML configuration with SSO configuration name field highlighted

    • from the downloaded SAML metadata file copy the URL value of the SingleSignOnService node > Location attribute field and paste it in the Entry point URL field

    • copy the content of the X509Certificate node and paste it to the Public certificate field

    • copy the URL located in the EntityDescriptor node > entityID attribute and paste it to the Advanced options -> Service provider issuer field

    • you can determine whether a profile should be updated each time the user logs in, and whether users are allowed to choose their own display name:

      Profile update and display name settings checkboxes

    • you can change the appearance of the Sign in button by adding a custom label:

      Custom label field for Sign in button with Save button highlighted

  5. Click on Save to confirm.

You can now use the Single Sign-On with Short.io.

Note

The Short.io team configures SSO within 24 hours.

In case you need further assistance, please contact the Short.io support team at support@short.io.
