How to configure SSO via PingFederate

Short.io supports Single Sign-On (SSO) integration with PingFederate.

Note: SSO is available on the Enterprise Plan.

Before you begin

You need to create a Team in Short.io before setting up SSO. Follow the instructions in this article.

How to configure SSO with PingFederate

PingFederate settings

Before configuring your integration, you will need to create a brand new connection from within PingFederate as follows:

1. Access your PingFederate instance.

2. Choose the Identity Provider tab from the left-hand menu.

3. In the Identity Provider page click on Create New:

   

4. In the Connection Type tab select the Browser SSO Profiles connection template and click on Next:

   

5. In the Connection Options tab select Browser SSO and click on Next:

   

6. Review the information on the Metadata Summary tab and click on Next.

7. In the General Info tab ensure that the Service Provider’s Entity ID, Connection Name, and Base URL fields are pre-populated based on the metadata.

8. Click on Next.

9. Navigate to the Browser SSO tab and click on the Configure Browser SSO. You will be redirected to Browser SSO Setup wizard.

10. In the SAML Profiles tab select the IdP-Initiated SSO and SP-Initiated SSO options and click on Next.

    

11. In the Assertion Lifetime tab enter your desired assertion validity time and click on Next (the default configuration is 5 minutes).

12. Navigate to the Assertion Creation and click on Configure Assertion Creation.

13. In the Assertion creation setup wizard:

    • from the Identity Mapping tab select STANDARD and click on Next

    • from the Attribute Contract tab select a Subject Name Format for the SAML_SUBJECT and click on Next

    • from the Authentication Source Mapping tab click on Map New Adapter Instance

      

    • select an Adapter Instance and click on Next. The adapter must include the user’s email address:

      

    • from the Mapping Method tab select Use only the adapter contract values from the SAML assertion and click on Next

    • from the Attribute Contract Fulfillment tab select your adapter instance as Source and the email as Value and click on Next

      

    • skip the Issuance Criteria by clicking on Next

    • in the Summary tab click on Done

    • you are redirected back to the Activation Source Mapping tab. Click on Next to review the summary

    • in the Summary tab click on Done

    • review the Assertion Creation settings and click on Next

Configure protocol settings

You will then have to configure your protocol settings:

1. Navigate to the Protocol Settings tab of the Browser SSO wizard and click on Configure Protocol settings:

   

2. Select POST for Binding and specify the single sign-on endpoint URL in the Endpoint URL field on the Assertion Consumer Service URL:

   

3. Click on Next.

4. In the Allowable SAML Bindings tab Select POST and click on Next.

5. In the Signature Policy tab select your desired signature policies for assertions and click on Next:

   

6. In the Encryption Policy tab select your desired encryption policy for assertions and click on Next.

7. In the Protocol Settings Summary tab click on Done.

8. In the Browser SSO Summary click on Done.
   ​

   ​

Define your credentials

Next, you will need to define your Credentials.

1. In the Credentials tab, click on Configure Credentials:

   

2. In the Digital Signature Settings tab select Signing Certificate to use with the Single Sign-On service and select Include the certificate in the signature element.

   

3. Click on Done.

4. In the Summary tab Click on Done.

5. In the Credentials tab click on Next.

Metadata Export

Now that you have configured the integration, you can export your metadata to Short.io. Follow the steps below:

1. Navigate to the System Settings and choose Metadata Export.

2. From the Metadata Role tab, select I am the IDP.

   

3. Click on Next.

4. Select Use a connection for Metadata Generation and click on Next:

   

5. In the Connection Metadata tab select the SP connection you create with Short.io:

   

6. Click on Next.

7. Select signing certificate and click on Next:

   

8. Review and export the metadata file:

Short.io settings

1. Sign in to your Short.io account.

2. Navigate to the Settings and click on Teams:

   

3. Click on your team and then click SAML Configuration.

4. In the next screen:

   • enable the SAML configuration:

     

   • enter the name of your company in the SSO configuration field:

     

   • from the downloaded SAML metadata file copy the URL value of the SingleSignOnService node > Location attribute field and paste it in the Entry point URL field

   • copy the content of the X509Certificate node and paste it to the Public certificate field

   • copy the URL located in the EntityDescriptor node > EntityID attribute and paste it to the Advanced options -> Service provider issuer field

   • you can determine if a profile should be updated each time the user logs in,

     and if the users are allowed to chose their own display name:

     

   • you can change the appearance of the Sign in button by adding a custom label:

     

5. Click on Save to confirm.

You can now use the Single Sign-On with Short.io.

Note: The Short.io team configures SSO within 24 hours.

In case you need further assistance, please contact the Short.io support team at support@short.io.

Sources: https://www.netsparker.com/support/sso-configuring-pingfederate-single-sign-on-integration-with-saml/;

https://documentation.tricentis.com/qtest/9910/en/content/qtest_manager/administration/single_sign-on__sso__integration_with_ping_federate.htm;

https://plugins.miniorange.com/saml-single-sign-sso-confluence-using-pingfederate