Integrate SafeNet Access Exchange (SAE) with PingFederate - OIDC
Integrating SafeNet Access Exchange (SAE) with PingFederate is a three-step process:
- Configuring SafeNet Access Exchange as an OIDC authorization server in PingFederate
- Configuring PingFederate as a client application in SafeNet Access Exchange
- Verifying authentication
Configuring SafeNet Access Exchange as an OIDC authorization server in PingFederate
As prerequisites:
- Obtain the issuer URL of the SafeNet Access Exchange instance by performing the following steps:
  - Open the SafeNet Access Exchange administrator console.
  - Switch to the respective realm from the top left corner.
  - In the left pane, under Configure, click Realm settings.
  - In the right pane, next to Endpoints, click the OpenID Endpoint Configuration link to open the well-known endpoints of the SafeNet Access Exchange authorization server.
  - Copy the issuer URL and paste it into a text editor.
- Ensure that the SSL certificate used to secure SafeNet Access Exchange HTTPS traffic is imported into the Trusted CA store in PingFederate. Refer to the steps listed here.
- Ensure that SAS user federation is enabled between your SafeNet Access Exchange instance and SAS PCE. Follow the steps listed here.
- Ensure that an authentication policy contract is set up. Follow the steps to create a policy contract.
Perform the following steps to configure SafeNet Access Exchange as an OIDC authorization server in PingFederate:
1. Open the PingFederate administrative console and go to the AUTHENTICATION tab.
2. In the right pane, select the IdP Connections tile.
3. Under IdP Connections, click Create Connection.
4. Under IdP Connection, on the Connection Type tab, ensure that the BROWSER SSO PROFILES check box is selected and that OpenID Connect is selected as the PROTOCOL, and then click Next.
5. On the Connection Options tab, ensure that the BROWSER SSO check box is selected, and then click Next.
6. On the General Info tab, perform the following steps:
   - In the ISSUER field, enter the issuer URL that you obtained as a prerequisite, and then click Load Metadata.
   - In the CONNECTION NAME field, enter a name for the connection.
   - In the CLIENT ID field, enter a client ID. It can be an alphanumeric string or a fully qualified domain name (FQDN), depending on your preferred configuration.
   - Scroll down and click Next.
7. In the IdP Connection window, on the Browser SSO tab, click Configure Browser SSO.
8. In the Browser SSO window, on the User-Session Creation tab, click Configure User-Session Creation.
9. In the User-Session Creation window, on the Target Session Mapping tab, click Map New Authentication Policy.
10. Under Authentication Policy Mapping, on the Authentication Policy Contract tab, in the AUTHENTICATION POLICY CONTRACT field, select the policy contract, and then click Next.
11. On the Attribute Retrieval tab, ensure that the USE ONLY THE ATTRIBUTES AVAILABLE IN THE PROVIDER CLAIMS option is selected, and then click Next.
12. On the Contract Fulfillment tab, perform the following steps:
    - For each attribute of the Authentication Policy Contract, in the Source column, select Provider Claims.
    - For each attribute of the Authentication Policy Contract, in the Value column, select email or any other value as per your preferred configuration.
    - Click Next.
13. On the Issuance Criteria tab, click Next.
14. On the Summary tab, review the configuration, and then click Done.
15. Under User-Session Creation, on the Target Session Mapping tab, click Next.
16. On the Summary tab, review the configuration, and then click Done.
17. Under Browser SSO, on the User-Session Creation tab, click Next.
18. Under Browser SSO, on the Protocol Settings tab, review the configuration. These settings are auto-populated from the metadata loaded earlier. Click Next.
19. On the Summary tab, review the configuration, scroll down, and then click Done.
20. Under IdP Connection, on the Browser SSO tab, click Next.
21. Under IdP Connection, on the Activation & Summary tab, copy the value of Redirect URI.
22. Review the configuration, scroll down, and click Save.
Configuring PingFederate as a Client Application in SafeNet Access Exchange
After completing the first step of configuring SafeNet Access Exchange in PingFederate, the second step is to add PingFederate as a client application in SafeNet Access Exchange by performing the following steps:
1. On the SafeNet Access Exchange console, under Manage, click Clients.
2. Click Create client.
3. On the Create client window, perform the following steps:
   - In the Client type field, select OpenID Connect.
   - In the Client ID field, enter the client ID that you added in step 6 while configuring SafeNet Access Exchange as an OIDC authorization server in PingFederate.
   - In the Name field, enter a name for the client.
   - Click Next.
4. Turn on the Client authentication toggle and click Next.
5. On the Login settings window, in the Valid redirect URIs field, enter the redirect URI that you copied in step 21 while configuring SafeNet Access Exchange as an OIDC authorization server in PingFederate.
6. Click Save.
7. The settings for the client you just created are now displayed. Go to the Credentials tab, copy the value of the Client secret field, and paste it into the text editor.
You need to enter the client secret in the SafeNet Access Exchange connection settings in PingFederate. Open the SafeNet Access Exchange connection on the PingFederate console, paste the client secret into the CLIENT SECRET field, and then save the settings.
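The two values that are copied by hand in this guide, the issuer URL from the prerequisites and the PingFederate redirect URI registered in step 5, are where an OIDC setup most often goes quietly wrong. The following is an added example, not code from Thales or Ping Identity, that checks a discovery document against the configured issuer and checks that the redirect URI is registered verbatim; the discovery document, hostnames and endpoint paths are constructed and hypothetical.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a SafeNet Access Exchange discovery document (hypothetical host,
# realm and paths); the real one is served at <issuer>/.well-known/openid-configuration.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://sae.example.com/realms/demo",
    "authorization_endpoint": "https://sae.example.com/realms/demo/authorize",
    "token_endpoint": "https://sae.example.com/realms/demo/token",
    "jwks_uri": "https://sae.example.com/realms/demo/certs",
})

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(configured_issuer: str, discovery_json: str) -> list[str]:
    """Return the problems found (empty when PingFederate can safely load the metadata)."""
    doc = json.loads(discovery_json)
    problems = []
    # OIDC Discovery requires the issuer claim to be identical to the URL the metadata
    # was fetched from; a pasted trailing slash or an http:// prefix breaks this.
    if doc.get("issuer") != configured_issuer:
        problems.append(f"issuer mismatch: metadata says {doc.get('issuer')!r}")
    issuer_host = urlsplit(configured_issuer).netloc
    for name in REQUIRED_ENDPOINTS:
        url = doc.get(name)
        if not url:
            problems.append(f"missing {name}")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{name} is not https: {url}")
        # Endpoints on a different host than the issuer point at a mis-pasted or
        # tampered document and would send the client secret elsewhere.
        if parts.netloc != issuer_host:
            problems.append(f"{name} host {parts.netloc!r} differs from issuer host")
    return problems


def check_redirect_uri(pf_redirect_uri: str, valid_redirect_uris: list[str]) -> list[str]:
    """Exact-match check of the copied PingFederate redirect URI against the client's list."""
    problems = []
    if urlsplit(pf_redirect_uri).scheme != "https":
        problems.append("redirect URI is not https")
    for entry in valid_redirect_uris:
        if entry.endswith("*"):  # wider than the single callback PingFederate needs
            problems.append(f"wildcard entry {entry!r} is broader than needed")
    if pf_redirect_uri not in valid_redirect_uris:
        problems.append("PingFederate redirect URI is not registered verbatim")
    return problems
```

Run `check_discovery` on the issuer you pasted into the text editor and the JSON behind the OpenID Endpoint Configuration link before clicking Load Metadata, and `check_redirect_uri` on the value copied in step 21 against the client's Valid redirect URIs list.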
Verify Authentication
1. Navigate to the application login URL (for example, Salesforce) and, on the login page, click Log In with a Different Provider.
2. Search for and select the identity provider name (for example, pfpce) that you created while configuring Salesforce.
   You will be redirected to SAS PCE via PingFederate for authentication as per your selected flow.
   If multiple IdP connections are configured in PingFederate, you will need to select the appropriate authentication system, as illustrated in the screen below. After making your selection, you will be redirected to SAS PCE via PingFederate for authentication as per your selected flow.
3. Enter your login credentials; after successful authentication, you should be logged into the application.