Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

SAS PCE for PingFederate

Integrate SafeNet Access Exchange (SAE) with PingFederate - SAML

search

Please Note:

printsuggest an edit

Integrate SafeNet Access Exchange (SAE) with PingFederate - SAML

Integrating SafeNet Access Exchange (SAE) with PingFederate is a three-step process:

  1. Configuring SafeNet Access Exchange as an identity provider (IdP) in PingFederate

  2. Configuring PingFederate as a client application in SafeNet Access Exchange

  3. Verify authentication

copy link to clipboardConfiguring SafeNet Access Exchange as an IdP in PingFederate

As prerequisites,

  1. Download the SafeNet Access Exchange metadata by performing the following steps:

    1. Open the SafeNet Access Exchange administrator console.

    2. Switch to the respective realm from the top left corner.

      Default icon

    3. In the left pane, under Configure, click Realm settings.

      Default icon

    4. In the right pane, next to Endpoints, click on the SAML2.0 Identity Provider Metadata link to open the metadata file. Save the metadata file on your local machine. You will need the metadata file while configuring SafeNet Access Exchange as an IdP in PingFederate.

      Default icon

  2. Ensure that your PingFederate instance has a Signing certificate installed. If it doesn’t, you can create or import one by following these steps.

  3. Ensure that the SAS User federation is enabled between your SafeNet Access Exchange instance and SAS PCE. Follow the steps to enable SAS User federation.

  4. Ensure to have authentication policy contract setup in place. Follow the steps to create policy contract.

Perform the following steps to configure SafeNet Access Exchange as an IdP in PingFederate:

  1. Open the PingFederate administrative console. Go to the AUTHENTICATION tab.

    Default icon

  2. In the right pane, select the IdP Connections tile.

    Default icon

  3. Under IdP Connections, click Create Connection.

    Default icon

  4. Under IdP Connection, on the Connection Type tab, ensure that BROWSER SSO PROFILES check box is selected and SAML 2.0 is selected as PROTOCOL, and then Click Next.

    Default icon

  5. On the Connection Options tab, ensure that BROWSER SSO check box is selected, and then click Next.

    Default icon

  6. On the Import Metadata tab, perform the following steps:

    1. In the METADATA field, select the FILE option.

    2. Click Choose File to search for and select the SafeNet Exchange metadata file that you saved earlier as a prerequisite.

    3. Click Next.

    Default icon

  7. On the Metadata Summary tab, click Next.

  8. On the General Info tab, values in the PARTNERS ENTITY ID (CONNECTION ID)CONNECTION NAME, and BASE URL fields are populated from the metadata file. In the CONNECTION NAME field, you can change the connection name (for example, SAE) as this is an identifier for this connection. Click Next.

    Default icon

  9. On the Browser SSO tab, click Configure Browser SSO.

  10. Under Browser SSO, on the SAML Profiles tab, perform the following steps:

    1. Under Single Sign-On (SSO) Profiles, select the IDP-INITIATED SSO and SP-INITIATED SSO profiles.

    2. Click Next.

    Default icon

  11. On the User-Session Creation tab, click Configure User-Session Creation.

  12. Under User-Session Creation, on the Identity Mapping tab, ensure that the ACCOUNT MAPPING option is selected, and then click Next.

    Default icon

  13. On the Attribute Contract tab, a list of user attributes that the IdP will include in the assertion is displayed. Click Next.

  14. On the Target Session Mapping tab, click Map New Authentication Policy to map an authentication policy contract for each service provider.

    Default icon

  15. Under Authentication Policy Mapping, on the Authentication Policy Contract tab, in the AUTHENTICATION POLICY CONTRACT field, select policy contract, and then click Next.

    Default icon

  16. On the Attribute Retrieval tab, ensure that the USE ONLY THE ATTRIBUTES AVAILABLE IN THE SSO ASSERTION option is selected, and then click Next.

    Default icon

  17. On the Contract Fulfillment tab, perform the following steps:

    1. For each Authentication Policy Contract, in the Source column, select Assertion.

    2. For each Authentication Policy Contract, in the Value column, select a value as per your preferred configuration.

    3. Click Next.

    Default icon

  18. On the Issuance Criteria tab, click Next.

  19. On the Summary tab, review the configuration, and then click Done.

  20. Under User-Session Creation, on the Target Session Mapping tab, click Next.

  21. On the Summary tab, review the configuration, and then click Done.

  22. Under Browser SSO, on the User-Session Creation tab, click Next.

  23. On the Protocol Settings tab, click Configure Protocol Settings.

  24. Under Protocol Settings, on the SSO Service URLs tab, perform the following steps:

    1. If the values are auto-populated in the Binding and Endpoint URL columns due to metadata upload, from the Action column, click Delete to delete the SOAP and Artifact Binding fields. You need to keep only POST and Redirect bindings.

      Or

      If values are not populated in the Binding column,

      • In the drop-down list, select POST.

      • In the Endpoint URL column, in the field, enter the SingleSignOnService URL of SafeNet Access Exchange from the metadata file you downloaded as a prerequisite, and click Add.

      • Repeat the previous two steps to add the Redirect binding.

    2. Click Next.

    Default icon

  25. On the Allowable SAML Bindings tab, select POST and REDIRECT check boxes, and then click Next.

  26. On the Overrides tab, click Next.

  27. On the Signature Policy tab, ensure that the USE SAML-STANDARD SIGNATURE REQUIREMENTS option is selected, and then click Next.

  28. On the Encryption Policy tab, ensure that the NONE option is selected, and then click Next.

  29. On the Summary tab, click Done.

  30. Under Browser SSO, on the Protocol Settings tab, click Next.

  31. On the Summary tab, review the configuration, scroll down, and then click Done.

    Default icon Default icon

  32. Under IdP Connection, on the Browser SSO tab, click Next.

  33. On the Credentials tab, ensure that you the certificate is populated under the Credential Requirement section, and then click Next.

  34. Under IdP Connection, on the Activation & Summary tab, scroll down and click Save.

  35. On the IdP Connections window, the IdP connection you have just configured is listed. In the Action column, click Select Action > Export Metadata to export the metadata.

    Default icon

  36. Under Metadata Export, perform the following steps:

    1. Go to the Metadata Signing tab, in the SIGNING CERTIFICATE field, select the certificate that you want to use for signing assertions.

    2. In the SIGNING ALGORITHM field, select the signing algorithm.

    3. Click Next.

    Default icon

  37. On the Export & Summary tab, scroll down, click Export, and then click Done.

copy link to clipboardConfiguring PingFederate as a Client Application in SafeNet Access Exchange

After completing the first step of configuring SafeNet Access Exchange in PingFederate, the second step is to activate the PingFederate application in SafeNet Access Exchange by performing the following steps:

  1. On the SafeNet Access Exchange console, under Manage, click Clients.

    Default icon

  2. On the Clients window, click Import client.

    Default icon

  3. On the Import client window, perform the following steps:

    1. Click Browse to import the PingFederate metadata that you downloaded earlier. The Client ID will be populated automatically.

    2. In the Name field, enter a name for the connection.

    3. Scroll down and click Save.

    Default icon

  4. The client settings will appear. Review the settings, scroll down, and click Save.

copy link to clipboardVerify Authentication

  1. Navigate to the application login URL (for example, Salesforce) and on the login page, click Log In with a Different Provider.

  2. Search and select the identity provider name (for example, pfpce) that you created while configuring Salesforce.

    Default icon

    You will be redirected to SAS PCE via PingFederate for authentication as per your selected flow.

    Default icon

    note

    Note

    If multiple IdP connections are configured in PingFederate, you will need to select the appropriate authentication system, as illustrated in the screen below. After making your selection, you will be redirected to SAS PCE via PingFederate for authentication as per your selected flow.
    Default icon

  3. Enter your login credentials and you should be logged into the application after successful authentication.

    Default icon

    Default icon

On this page