Integrating Trusona with Ping Federate

This guide details the steps required to configure Trusona as a passwordless authentication solution for your Ping Federate deployment.

Prerequisites

  1. Install Trusona on your device and complete registration
  2. Email support@trusona.com with the following information:
    • Subject: “Ping Federate integration”
    • Company name
    • Base URL of your Ping installation
    • Email domain(s) associated with your Ping Federate users
  3. Trusona will in turn provide you with:
    • Service Provider SAML metadata endpoint URL

This guide was written using Ping Federate v9.3.1. The integration also works on Ping Federate v8.4+, but the steps and screenshots described below will vary between versions.

Ping Federate configuration

System Protocols

To configure Trusona with Ping, your system will need to understand SAML 2.0. The following steps accomplish that.

  1. Go to System → Protocol Settings → Roles & Protocols
  2. Check the boxes alongside ENABLE SERVICE PROVIDER (SP) ROLE AND SUPPORT THE FOLLOWING and SAML 2.0
  3. Click on Save

System protocols

Service Provider IDP Connection

  1. Go to the Service Provider tab
  2. Under IDP Connections, click on Create New
  3. Confirm that Browser SSO Profiles is selected. Click on Next
  4. Only Browser SSO should be selected. Click on Next
  5. For METADATA, select URL, then go to Manage Partner Metadata URLs → Add New URL
  6. Follow the subsequent steps to successfully add and load the remote metadata by specifying the metadata URL provided to you
  7. Click on Save then Next
  8. Accept the default values, and click on Next
  9. Click on Configure Browser SSO
  10. Select the SP-INITIATED SSO checkbox then click on Next
  11. Click on Configure User-Session Creation
  12. Select NO MAPPING and click on Next
  13. Accept the default values under Attribute Contract and click on Next, then click on Done
  14. Click on Next
  15. Click on Configure Protocol Settings
  16. Accept the default values and click on Next
  17. Under Allowable SAML Bindings only POST should be checked.
  18. Click on Next
  19. Accept the default values under Overrides
  20. Click on Next
  21. Under Signature Policy, select USE SAML-STANDARD SIGNATURE REQUIREMENTS and click on Next
  22. Under Encryption Policy, select NONE and click on Next
  23. Click through the subsequent screens, either the Done or Next buttons, and arrive at the Summary
  24. Compare with the screenshots below, then click on Save

Service Provider IDP Connection Summary
Service Provider IDP Connection Summary, cont.

Service Provider Selector

  1. Go to Service Provider → Selectors
  2. Click on Create New Instance
  3. Provide a memorable Instance Name and Instance ID
  4. For Type select HTTP Request Parameter Authentication Selector and click on Next
  5. For HTTP REQUEST PARAMETER NAME specify trusona
  6. Uncheck CASE-SENSITIVE MATCHING and click on Next
  7. Enter 1 as a Result Value and click on Add, then click on Next
  8. Compare with the screenshot below, click on Done, then click on Save

Trusona HTTP Request Selector

Authentication Policy Contract

Only do this if there are no existing Authentication Policy Contracts; otherwise, reuse an existing contract in the steps that follow.

  1. Go to Service Provider → Policy Contracts
  2. Click on Create New Contract
  3. Specify a memorable Contract Name and click on Next
  4. Accept the default values, and click on Next
  5. Click on Done and then click on Save

Policy Contract Summary

Identity Provider Adapter

  1. Go to Identity Provider → Adapters → Create New Instance
  2. Specify an Instance Name and Instance ID
  3. For the Type select HTML Form IdP Adapter
  4. Do not select a Parent Instance then click on Next
  5. Click on Add a new row to Credential Validators and select an existing Password Credential Validator
  6. Click on Update
  7. Make additional changes to the rest of the settings as necessary for your organization, and click on Next
  8. Click on Next to accept the default Adapter Attributes
  9. Check the box in the Pseudonym column for the username attribute and click on Next
  10. Click on Done

IDP Summary
IDP Summary, cont.

Authentication Policies: Selector Policy

  1. Go to Service Provider → Policies → Add Policy
    • Optionally, you may update an existing Selector Policy
  2. Select the Selector policy that was previously created.
  3. Under 1, select the IDP connection that was previously created.
  4. Select a FAIL Rule of Done
  5. Select the previously created Policy Contract as Success

Selector policy

  1. Click on Contract Mapping, then click on Next
  2. On the Source column select the IDP connection that was previously created
  3. On the Value column select SAML_SUBJECT
  4. Click on Next
  5. Click on Next

Selector policy, cont.

  1. Compare screenshots, then click on Done
  2. Click on Done then click on Save

Authentication Policies: Adapter Policy

  1. Go to Service Provider → Policies → Add Policy
    • Optionally, you may update an existing Adapter Policy
  2. Select the IDP Adapter that was previously created.
  3. Select a FAIL Rule of Done
  4. Select the previously created Policy Contract as Success

Adapter policy

  1. Click on Contract Mapping, then click on Next
  2. On the Source column select the created IDP Adapter
  3. On the Value column select username
  4. Click on Next
  5. Click on Next

Adapter policy, cont.

  1. Compare screenshots, then click on Done
  2. Click on Done then click on Save

Ordering of Authentication Policies

The order of the authentication policies matters: policies are evaluated top to bottom, so the Selector Policy must be evaluated first for the trusona request parameter to take effect.

For the newly created policies, ensure that the Selector Policy is listed BEFORE the Adapter Policy.

Use the provided UI controls to make any necessary changes.

Policy ordering

Identity Provider SP Connection

  1. Go to Identity Provider → SP Connections → Create New
  2. Under Connection Template accept the default and click on Next
  3. Click on Next
  4. Under Connection Options check the Browser SSO box and click on Next
  5. Select None under Import Metadata and click on Next
  6. Specify memorable values for the required fields and click on Next
  7. Click on Configure Browser SSO
  8. Select IDP-INITIATED SSO and click on Next
  9. Click on Next
  10. Click on Configure Assertion Creation
  11. Select the STANDARD Identity Mapping and click on Next
  12. Click on Next
  13. Click on Map New Authentication Policy
  14. Select the previously created Authentication Policy Contract and click on Next
  15. Select USE ONLY THE ADAPTER CONTRACT VALUES IN THE SAML ASSERTION and click on Next
  16. Under the Source column select Authentication Policy Contract
  17. Under the Value column select subject and click on Next
  18. Click through the next set of screens, either Next or Done
  19. Click on Configure Protocol Settings
  20. Specify an Index value of 0
  21. Select a Binding value of POST
  22. Specify an Endpoint URL of $PingBaseFederateURL/idp/startSSO.ping

    Replace $PingBaseFederateURL with the correct value for your deployment

  23. Click on Add then click on Next
  24. Click through the next series of screens and get to the Browser SSO Summary

IDP SP Connection

  1. Compare screenshots and click on Done
  2. Click on Next
  3. Click on Configure Credentials
  4. Complete the subsequent steps based on your Ping Federate deployment.
  5. Compare screenshots and click on Save

IDP SP Connection, cont.

Modified HTML Template

Your Ping Federate login template should be modified to include the “Login with Trusona” button.

Trusona provides a template that can replace the default html.form.login.template.html login template.

If you’re already using a custom template, you can add the “Login with Trusona” button to your existing template with the following HTML snippet:

<a onclick="location.replace(location.href + '&trusona=1')" title="Login With Trusona">Login With Trusona</a>
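The snippet above builds the link target by string concatenation, which produces a valid query string only when the login page URL already carries one (the leading & has nothing to join otherwise, and the selector then never sees the trusona parameter). The following is an added example, not Trusona's or Ping Identity's code: a helper that uses the browser's URL API to append trusona=1 correctly whether or not a query string is present, preserves any existing parameters, and a small check mirroring what the HTTP Request Parameter Authentication Selector configured above looks for (parameter name trusona with Result Value 1). The function names, the element id trusona-login and the sample URLs are assumptions chosen for this example.

```javascript
// Added example (not Trusona's or Ping Identity's code).
// Builds the "Login with Trusona" target URL from the current login page URL.
function withTrusonaParam(href) {
  const url = new URL(href);
  // searchParams.set() adds the parameter with the correct separator and
  // replaces an existing value, so the parameter never appears twice.
  url.searchParams.set('trusona', '1');
  return url.toString();
}

// Mirrors the selector configured in this guide: the request parameter named
// "trusona" must carry the Result Value 1 for the Selector Policy to fire.
function selectsTrusona(href) {
  return new URL(href).searchParams.get('trusona') === '1';
}

// Constructed sample: the plain concatenation from the template snippet applied
// to a login URL without a query string. The "&trusona=1" ends up in the path,
// so the selector does not match and the user falls through to the adapter.
const naiveTarget = 'https://sso.example.com/login' + '&trusona=1';

// Wiring in the page template: assign the href from script instead of an inline
// onclick attribute, which a Content-Security-Policy without 'unsafe-inline'
// would block. Guarded so the helper also loads outside a browser.
if (typeof document !== 'undefined' && typeof location !== 'undefined') {
  const link = document.getElementById('trusona-login'); // assumed element id
  if (link) link.href = withTrusonaParam(location.href);
}
```

With this helper the template link becomes a plain anchor whose href is set at load time, and the Selector Policy receives trusona=1 regardless of how Ping Federate has shaped the login page URL.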

Modified Default Login

Modified default template

Custom Trusona Login

Trusona template