Create service provider (SP) connections in PingFederate

Contributors netapp-madkat

You use PingFederate to create a service provider (SP) connection for each Admin Node in your system. To speed up the process, you will import the SAML metadata from StorageGRID.

What you’ll need
  • You have configured single sign-on for StorageGRID and you selected PingFederate as the SSO type.

  • Sandbox mode is selected on the Single sign-on page in Grid Manager. See Use sandbox mode.

  • You have the SP connection ID for each Admin Node in your system. You can find these values in the Admin Nodes detail table on the StorageGRID Single Sign-on page.

  • You have downloaded the SAML metadata for each Admin Node in your system.

  • You have experience creating SP connections in PingFederate Server.

  • You have the Administrator’s Reference Guide for PingFederate Server. The PingFederate documentation provides detailed step-by-step instructions and explanations.

  • You have the Admin permission for PingFederate Server.

About this task

These instructions summarize how to configure PingFederate Server version 10.3 as an SSO provider for StorageGRID. If you are using another version of PingFederate, you might need to adapt these instructions. Refer to the PingFederate Server documentation for detailed instructions for your release.

Complete prerequisites in PingFederate

Before you can create the SP connections you will use for StorageGRID, you must complete prerequisite tasks in PingFederate. You will use information from these prerequisites when you configure the SP connections.

Create data store

If you haven’t already, create a data store that connects PingFederate to the Active Directory LDAP server you use for StorageGRID identity federation. Use the same values you entered when configuring identity federation in StorageGRID.

  • Type: Directory (LDAP)

  • LDAP Type: Active Directory

  • Binary Attribute Name: Enter objectGUID on the LDAP Binary Attributes tab exactly as shown, so that PingFederate retrieves the attribute as raw bytes instead of interpreting it as a string.

Create password credential validator

If you haven’t already, create a password credential validator.

  • Type: LDAP Username Password Credential Validator

  • Data store: Select the data store you created.

  • Search base: Enter information from LDAP (for example, DC=saml,DC=sgws).

  • Search filter: sAMAccountName=${username}

  • Scope: Subtree

Create IdP adapter instance

If you haven’t already, create an IdP adapter instance.

  1. Go to Authentication > Integration > IdP Adapters.

  2. Select Create New Instance.

  3. On the Type tab, select HTML Form IdP Adapter.

  4. On the IdP Adapter tab, select Add a new row to 'Credential Validators'.

  5. Select the password credential validator you created.

  6. On the Adapter Attributes tab, select the username attribute for Pseudonym.

  7. Select Save.

Create or import signing certificate

If you haven’t already, create or import the signing certificate.

  1. Go to Security > Signing & Decryption Keys & Certificates.

  2. Create or import the signing certificate.

Create an SP connection in PingFederate

When you create an SP connection in PingFederate, you import the SAML metadata you downloaded from StorageGRID for the Admin Node. The metadata file contains many of the specific values you need.

Important You must create an SP connection for each Admin Node in your StorageGRID system, so that users can securely sign in to and out of any node. Use these instructions to create the first SP connection. Then, go to Create additional SP connections to create any additional connections you need.

Choose SP connection type

  1. Go to Applications > Integration > SP Connections.

  2. Select Create Connection.

  3. Select Do not use a template for this connection.

  4. Select Browser SSO Profiles and SAML 2.0 as the protocol.

Import SP metadata

  1. On the Import Metadata tab, select File.

  2. Choose the SAML metadata file you downloaded from the StorageGRID Single sign-on page for the Admin Node.

  3. Review the Metadata Summary and the information on the General Info tab.

    The Partner’s Entity ID and the Connection Name are set to the StorageGRID SP connection ID (for example, 10.96.105.200-DC1-ADM1-105-200). The Base URL is the IP address of the StorageGRID Admin Node.

  4. Select Next.

Configure IdP Browser SSO

  1. From the Browser SSO tab, select Configure Browser SSO.

  2. On the SAML Profiles tab, select the SP-initiated SSO, SP-initiated SLO, IdP-initiated SSO, and IdP-initiated SLO options.

  3. Select Next.

  4. On the Assertion Lifetime tab, make no changes.

  5. On the Assertion Creation tab, select Configure Assertion Creation.

    1. On the Identity Mapping tab, select Standard.

    2. On the Attribute Contract tab, keep SAML_SUBJECT as the attribute contract, with the unspecified name format that was imported from the metadata.

  6. For Extend the Contract, select Delete to remove the urn:oid, which is not used.

Map adapter instance

  1. On the Authentication Source Mapping tab, select Map New Adapter Instance.

  2. On the Adapter instance tab, select the adapter instance you created.

  3. On the Mapping Method tab, select Retrieve Additional Attributes From a Data Store.

  4. On the Attribute Source & User Lookup tab, select Add Attribute Source.

  5. On the Data Store tab, provide a description and select the data store you added.

  6. On the LDAP Directory Search tab:

    • Enter the Base DN, which should exactly match the value you entered in StorageGRID for the LDAP server.

    • For the Search Scope, select Subtree.

    • For the Root Object Class, search for the objectGUID attribute and add it.

  7. On the LDAP Binary Attribute Encoding Types tab, select Base64 for the objectGUID attribute.

  8. On the LDAP Filter tab, enter sAMAccountName=${username}.

  9. On the Attribute Contract Fulfillment tab, select LDAP (attribute) from the Source drop-down and select objectGUID from the Value drop-down.

  10. Review and then save the attribute source.

  11. On the Failsafe Attribute Source tab, select Abort the SSO Transaction, so that a user whose objectGUID cannot be looked up is never issued an assertion.

  12. Review the summary and select Done.

  13. Select Done.
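The adapter mapping above sends the user’s objectGUID, Base64-encoded, as SAML_SUBJECT. The following is an added example (not NetApp or Ping Identity code) that shows the three forms this one value takes: the raw 16-byte attribute read from Active Directory, the Base64 string that ends up in the assertion, and the dashed GUID string that AD tools display. The objectGUID bytes are a constructed sample; the validating decoder illustrates why the SP side should fail closed on a malformed subject.

```python
import base64
import uuid


def objectguid_to_subject(object_guid: bytes) -> str:
    """Encode the 16-byte objectGUID the way PingFederate does when the LDAP
    binary attribute encoding type is Base64; this is the SAML_SUBJECT value."""
    if len(object_guid) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return base64.b64encode(object_guid).decode("ascii")


def subject_to_objectguid(subject: str) -> bytes:
    """Reverse the encoding on the SP side, rejecting anything that is not a
    well-formed 16-byte GUID so that a malformed subject fails closed."""
    try:
        raw = base64.b64decode(subject, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"subject is not valid Base64: {subject!r}") from exc
    if len(raw) != 16:
        raise ValueError(f"decoded subject is {len(raw)} bytes, not a 16-byte GUID")
    return raw


def is_valid_subject(subject: str) -> bool:
    """True only if the subject decodes to exactly one objectGUID."""
    try:
        subject_to_objectguid(subject)
        return True
    except ValueError:
        return False


def objectguid_to_string(object_guid: bytes) -> str:
    """Render the same bytes as the dashed GUID string AD tools display.
    AD stores the first three GUID fields little-endian, hence bytes_le."""
    return str(uuid.UUID(bytes_le=object_guid))


# Constructed sample value; a real objectGUID is generated by Active Directory.
SAMPLE_OBJECTGUID = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")

if __name__ == "__main__":
    subject = objectguid_to_subject(SAMPLE_OBJECTGUID)
    print("SAML_SUBJECT (Base64):", subject)
    print("AD display form      :", objectguid_to_string(SAMPLE_OBJECTGUID))
    print("round trip ok        :", subject_to_objectguid(subject) == SAMPLE_OBJECTGUID)
```

Because objectGUID never changes for the life of the account, whereas sAMAccountName can be renamed, mapping the subject to objectGUID keeps a StorageGRID identity bound to the same directory object even after a rename.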

Configure protocol settings

  1. On the SP Connection > Browser SSO > Protocol Settings tab, select Configure Protocol Settings.

  2. On the Assertion Consumer Service URL tab, accept the default values, which were imported from the StorageGRID SAML metadata (POST for Binding and /api/saml-response for Endpoint URL).

  3. On the SLO Service URLs tab, accept the default values, which were imported from the StorageGRID SAML metadata (REDIRECT for Binding and /api/saml-logout for Endpoint URL).

  4. On the Allowable SAML Bindings tab, clear ARTIFACT and SOAP. Only POST and REDIRECT are required, and leaving unused bindings enabled only widens the attack surface of the connection.

  5. On the Signature Policy tab, leave the Require Authn Requests to be Signed and Always Sign Assertion check boxes selected. PingFederate then rejects authentication requests that are not signed by the Admin Node, and StorageGRID can verify the signature on every assertion it receives.

  6. On the Encryption Policy tab, select None. Assertions are signed but not encrypted, so their confidentiality depends on the HTTPS connection to the Admin Node’s /api/saml-response endpoint.

  7. Review the summary and select Done to save the protocol settings.

  8. Review the summary and select Done to save the Browser SSO settings.

Configure credentials

  1. From the SP Connection tab, select Credentials.

  2. From the Credentials tab, select Configure Credentials.

  3. Select the signing certificate you created or imported.

  4. Select Next to go to Manage Signature Verification Settings.

    1. On the Trust Model tab, select Unanchored. PingFederate then trusts the imported StorageGRID signing certificate directly rather than through a CA chain, so if that certificate is later replaced on the Admin Node you must update the SP connection with fresh metadata.

    2. On the Signature Verification Certificate tab, review the signing certificate information, which was imported from the StorageGRID SAML metadata.

  5. Review the summary screens and select Save to save the SP connection.

Create additional SP connections

You can copy the first SP connection to create the SP connections you need for each Admin Node in your grid. You upload new metadata for each copy.

Note The SP connections for different Admin Nodes use identical settings, with the exception of the Partner’s Entity ID, Base URL, Connection ID, Connection Name, Signature Verification, and SLO Response URL.

  1. Select Action > Copy to create a copy of the initial SP connection for each additional Admin Node.

  2. Enter the Connection ID and Connection Name for the copy, and select Save.

  3. Choose the metadata file corresponding to the Admin Node:

    1. Select Action > Update with Metadata.

    2. Select Choose File and upload the metadata.

    3. Select Next.

    4. Select Save.

  4. Remove the unused urn:oid attribute, which the metadata update adds back to the attribute contract and which otherwise causes an error:

    1. Select the new connection.

    2. Select Configure Browser SSO > Configure Assertion Creation > Attribute Contract.

    3. Delete the entry for urn:oid.

    4. Select Save.
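Each SP connection takes its entity ID, endpoints, bindings and signing certificate from the metadata file of one Admin Node, and copies of the connection differ only in those node-specific fields. The following is an added example (not NetApp or Ping Identity code) of a pre-import check a practitioner can run over the downloaded metadata files: it parses the standard SAML 2.0 SP metadata elements, confirms the values the procedure above expects (HTTP-POST at /api/saml-response, HTTP-Redirect at /api/saml-logout, signed AuthnRequests, a signing certificate, no ARTIFACT or SOAP bindings, HTTPS endpoints) and reports which fields differ between two nodes. The embedded sample metadata is constructed to have that shape and only approximates the file StorageGRID produces; its certificate is a placeholder, not real DER.

```python
"""Sanity-check StorageGRID SP metadata before importing it into PingFederate."""
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def parse_sp_metadata(xml_text):
    """Extract the fields PingFederate fills in from the SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # no 'use' means signing and encryption
            continue
        b64 = kd.findtext(".//ds:X509Certificate", default="", namespaces=NS)
        der = base64.b64decode("".join(b64.split()))
        certs.append(hashlib.sha256(der).hexdigest())  # fingerprint to compare across nodes
    endpoints = lambda tag: [(e.get("Binding"), e.get("Location") or "") for e in sp.findall(tag, NS)]
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "acs": endpoints("md:AssertionConsumerService"),
        "slo": endpoints("md:SingleLogoutService"),
        "nameid_formats": [(e.text or "").strip() for e in sp.findall("md:NameIDFormat", NS)],
        "signing_cert_sha256": certs,
    }


def check_sp_metadata(meta):
    """Return a list of problems; an empty list means the file matches what the procedure expects."""
    problems = []
    if not meta["authn_requests_signed"]:
        problems.append("AuthnRequestsSigned is not true; 'Require Authn Requests to be Signed' cannot be honoured")
    if not meta["signing_cert_sha256"]:
        problems.append("no signing KeyDescriptor; PingFederate cannot verify signed AuthnRequests")
    if not any(b == POST and loc.endswith("/api/saml-response") for b, loc in meta["acs"]):
        problems.append("expected an HTTP-POST AssertionConsumerService at /api/saml-response")
    if not any(b == REDIRECT and loc.endswith("/api/saml-logout") for b, loc in meta["slo"]):
        problems.append("expected an HTTP-Redirect SingleLogoutService at /api/saml-logout")
    for b, loc in meta["acs"] + meta["slo"]:
        if b not in (POST, REDIRECT):
            problems.append(f"unexpected binding {b} at {loc}; only POST and REDIRECT are used")
        if not loc.startswith("https://"):
            problems.append(f"endpoint {loc} is not HTTPS; unencrypted assertions would travel in clear text")
    if UNSPECIFIED not in meta["nameid_formats"]:
        problems.append("NameIDFormat 'unspecified' missing; the imported attribute contract will not match")
    return problems


def diff_nodes(a, b):
    """Fields that differ between two Admin Nodes' metadata; expect entity ID, endpoints and certificate only."""
    return sorted(k for k in a if a[k] != b[k])


def sample_metadata(ip, entity_id, cert_seed, signed=True):
    """Constructed SP metadata in the shape the checks expect; the certificate is NOT real DER."""
    cert_b64 = base64.b64encode(f"constructed-cert-{cert_seed}".encode()).decode()
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{entity_id}">
  <md:SPSSODescriptor AuthnRequestsSigned="{'true' if signed else 'false'}" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://{ip}/api/saml-logout"/>
    <md:NameIDFormat>{UNSPECIFIED}</md:NameIDFormat>
    <md:AssertionConsumerService Binding="{POST}" Location="https://{ip}/api/saml-response" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    # Usage: python check_sp_metadata.py adm1.xml adm2.xml ...   (falls back to the constructed samples)
    if sys.argv[1:]:
        metas = {p: parse_sp_metadata(open(p, encoding="utf-8").read()) for p in sys.argv[1:]}
    else:
        metas = {"ADM1": parse_sp_metadata(sample_metadata("10.96.105.200", "10.96.105.200-DC1-ADM1-105-200", "ADM1")),
                 "ADM2": parse_sp_metadata(sample_metadata("10.96.105.201", "10.96.105.201-DC1-ADM2-105-201", "ADM2"))}
    for name, meta in metas.items():
        print(name, meta["entity_id"], check_sp_metadata(meta) or "OK")
    names = list(metas)
    for first, second in zip(names, names[1:]):
        print(f"{first} vs {second} differ in:", diff_nodes(metas[first], metas[second]))
```

Run it once per batch of downloaded files before creating or copying connections; a node whose report is not OK, or a pair of nodes that differ in more than entity ID, endpoints and signing certificate, is worth investigating before it is imported.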