Integrate SafeNet Access Exchange (SAE) with PingFederate - SAML
Integrating SafeNet Access Exchange (SAE) with PingFederate is a three-step process:
- Configuring SafeNet Access Exchange as an identity provider (IdP) in PingFederate
- Configuring PingFederate as a client application in SafeNet Access Exchange
Configuring SafeNet Access Exchange as an IdP in PingFederate
As prerequisites:
- Download the SafeNet Access Exchange metadata by performing the following steps:
  - Open the SafeNet Access Exchange administrator console.
  - Switch to the respective realm from the top left corner.
  - In the left pane, under Configure, click Realm settings.
  - In the right pane, next to Endpoints, click the SAML 2.0 Identity Provider Metadata link to open the metadata file. Save the metadata file on your local machine. You will need it while configuring SafeNet Access Exchange as an IdP in PingFederate.
- Ensure that your PingFederate instance has a signing certificate installed. If it doesn't, you can create or import one by following these steps.
- Ensure that SAS User federation is enabled between your SafeNet Access Exchange instance and SAS PCE. Follow the steps to enable SAS User federation.
- Ensure that an authentication policy contract is in place. Follow the steps to create a policy contract.
Perform the following steps to configure SafeNet Access Exchange as an IdP in PingFederate:
- Open the PingFederate administrative console and go to the AUTHENTICATION tab.
- In the right pane, select the IdP Connections tile.
- Under IdP Connections, click Create Connection.
- Under IdP Connection, on the Connection Type tab, ensure that the BROWSER SSO PROFILES check box is selected and that SAML 2.0 is selected as the PROTOCOL, and then click Next.
- On the Connection Options tab, ensure that the BROWSER SSO check box is selected, and then click Next.
- On the Import Metadata tab, perform the following steps:
  - In the METADATA field, select the FILE option.
  - Click Choose File to search for and select the SafeNet Access Exchange metadata file that you saved earlier as a prerequisite.
  - Click Next.
- On the Metadata Summary tab, click Next.
- On the General Info tab, the PARTNERS ENTITY ID (CONNECTION ID), CONNECTION NAME, and BASE URL fields are populated from the metadata file. In the CONNECTION NAME field, you can change the connection name (for example, SAE), as this is only an identifier for this connection. Click Next.
- On the Browser SSO tab, click Configure Browser SSO.
- Under Browser SSO, on the SAML Profiles tab, perform the following steps:
  - Under Single Sign-On (SSO) Profiles, select the IDP-INITIATED SSO and SP-INITIATED SSO profiles.
  - Click Next.
- On the User-Session Creation tab, click Configure User-Session Creation.
- Under User-Session Creation, on the Identity Mapping tab, ensure that the ACCOUNT MAPPING option is selected, and then click Next.
- On the Attribute Contract tab, a list of the user attributes that the IdP will include in the assertion is displayed. Click Next.
- On the Target Session Mapping tab, click Map New Authentication Policy to map an authentication policy contract for each service provider.
- Under Authentication Policy Mapping, on the Authentication Policy Contract tab, in the AUTHENTICATION POLICY CONTRACT field, select the policy contract, and then click Next.
- On the Attribute Retrieval tab, ensure that the USE ONLY THE ATTRIBUTES AVAILABLE IN THE SSO ASSERTION option is selected, and then click Next.
- On the Contract Fulfillment tab, perform the following steps:
  - For each Authentication Policy Contract, in the Source column, select Assertion.
  - For each Authentication Policy Contract, in the Value column, select a value as per your preferred configuration.
  - Click Next.
- On the Issuance Criteria tab, click Next.
- On the Summary tab, review the configuration, and then click Done.
- Under User-Session Creation, on the Target Session Mapping tab, click Next.
- On the Summary tab, review the configuration, and then click Done.
- Under Browser SSO, on the User-Session Creation tab, click Next.
- On the Protocol Settings tab, click Configure Protocol Settings.
- Under Protocol Settings, on the SSO Service URLs tab, perform the following steps:
  - If the Binding and Endpoint URL columns were auto-populated from the uploaded metadata, in the Action column click Delete for the SOAP and Artifact binding rows. Keep only the POST and Redirect bindings.
  - Or, if no values are populated in the Binding column:
    - In the drop-down list, select POST.
    - In the Endpoint URL column, enter the SingleSignOnService URL of SafeNet Access Exchange from the metadata file you downloaded as a prerequisite, and click Add.
    - Repeat the previous two steps to add the Redirect binding.
  - Click Next.
- On the Allowable SAML Bindings tab, select the POST and REDIRECT check boxes, and then click Next.
- On the Overrides tab, click Next.
- On the Signature Policy tab, ensure that the USE SAML-STANDARD SIGNATURE REQUIREMENTS option is selected, and then click Next.
- On the Encryption Policy tab, ensure that the NONE option is selected, and then click Next.
- On the Summary tab, click Done.
- Under Browser SSO, on the Protocol Settings tab, click Next.
- On the Summary tab, review the configuration, scroll down, and then click Done.
- Under IdP Connection, on the Browser SSO tab, click Next.
- On the Credentials tab, ensure that the certificate is populated under the Credential Requirement section, and then click Next.
- Under IdP Connection, on the Activation & Summary tab, scroll down and click Save.
- On the IdP Connections window, the IdP connection you have just configured is listed. In the Action column, click Select Action > Export Metadata to export the metadata.
- Under Metadata Export, perform the following steps:
  - On the Metadata Signing tab, in the SIGNING CERTIFICATE field, select the certificate that you want to use for signing assertions.
  - In the SIGNING ALGORITHM field, select the signing algorithm.
  - Click Next.
- On the Export & Summary tab, scroll down, click Export, and then click Done.
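The SSO Service URLs step above asks you to copy SingleSignOnService URLs out of the downloaded metadata and to keep only the POST and Redirect bindings. The following added example (not code from Thales or Ping Identity) parses a SAML 2.0 IdP metadata file with the Python standard library, reports the POST and Redirect endpoints, lists the SOAP and Artifact bindings to delete, and confirms a signing key is published; the `sae.example.com` host, realm path and certificate text in the embedded sample are constructed placeholders.

```python
# Added example, not from the Thales or Ping documentation: pull the wizard inputs out of SAML IdP metadata.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# The guide keeps only the POST and Redirect SSO bindings; SOAP and Artifact rows are deleted.
KEEP = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "POST",
        "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "Redirect"}

def parse_idp_metadata(xml_text):
    """Return entity ID, kept SSO endpoints, dropped bindings and signing-key presence."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor found; this is not IdP metadata")
    sso, dropped = {}, []
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding = svc.get("Binding", "")
        if binding in KEEP:
            sso[KEEP[binding]] = svc.get("Location")
        else:
            dropped.append(binding.rsplit(":", 1)[-1])  # e.g. "SOAP", "HTTP-Artifact"
    missing = sorted(set(KEEP.values()) - set(sso))
    if missing:
        raise ValueError("metadata lacks required SSO binding(s): " + ", ".join(missing))
    # A KeyDescriptor without a "use" attribute covers both signing and encryption.
    has_signing_key = any(
        kd.get("use", "signing") == "signing" and kd.find(".//ds:X509Certificate", NS) is not None
        for kd in idp.findall("md:KeyDescriptor", NS))
    return {"entity_id": root.get("entityID"), "sso": sso,
            "dropped_bindings": dropped, "has_signing_key": has_signing_key}

# Constructed sample metadata: host, realm path and certificate text are placeholders.
_B = "urn:oasis:names:tc:SAML:2.0:bindings:"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sae.example.com/realms/demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{_B}HTTP-POST" Location="https://sae.example.com/realms/demo/saml"/>
    <md:SingleSignOnService Binding="{_B}HTTP-Redirect" Location="https://sae.example.com/realms/demo/saml"/>
    <md:SingleSignOnService Binding="{_B}SOAP" Location="https://sae.example.com/realms/demo/saml"/>
    <md:SingleSignOnService Binding="{_B}HTTP-Artifact" Location="https://sae.example.com/realms/demo/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    for binding, url in info["sso"].items():
        print(f"{binding:9s}{url}")  # values to enter on the SSO Service URLs tab
    print("dropped:", info["dropped_bindings"], "| signing key present:", info["has_signing_key"])
```

Point the function at the real metadata file you saved as a prerequisite to get the exact values to type into the wizard.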
Configuring PingFederate as a Client Application in SafeNet Access Exchange
After completing the first step of configuring SafeNet Access Exchange in PingFederate, the second step is to activate the PingFederate application in SafeNet Access Exchange by performing the following steps:
- On the SafeNet Access Exchange console, under Manage, click Clients.
- On the Clients window, click Import client.
- On the Import client window, perform the following steps:
  - Click Browse to import the PingFederate metadata that you exported earlier. The Client ID will be populated automatically.
  - In the Name field, enter a name for the connection.
  - Scroll down and click Save.
- The client settings will appear. Review the settings, scroll down, and click Save.
Verify Authentication
- Navigate to the application login URL (for example, Salesforce) and, on the login page, click Log In with a Different Provider.
- Search for and select the identity provider name (for example, pfpce) that you created while configuring Salesforce. You will be redirected to SAS PCE via PingFederate for authentication as per your selected flow.
  If multiple IdP connections are configured in PingFederate, you will need to select the appropriate authentication system, as illustrated in the screen below. After making your selection, you will be redirected to SAS PCE via PingFederate for authentication as per your selected flow.
- Enter your login credentials; after successful authentication you should be logged into the application.