Issuer Entity ID: This is the entity ID of the SailPoint IIQ server that is configured in the SSO settings
PingFederate IdP URL: This is the SAML SP-Initiated SSO federation endpoint configured within SailPoint IIQ, where the common format of the URL is: https://sso-server.yourdomain.com:9031/idp/SSO.saml2
SailPoint IIQ ACS URL: This is the Assertion Consumer Service endpoint that PingFederate uses to send the SAML assertion
SSO Binding: The most common is to use HTTP-POST binding
Digital Signing Certificate: The certificate within PingFederate for the SAML SP Connection used to sign the SAML assertion
The remainder of this article discusses how to configure the PingFederate IdP server, mainly the SP Connection for SailPoint. We will show the high-level configuration and the key points when configuring the SP Connection in PingFederate. This post assumes that you have some experience with PingFederate and the configuration of an SP Connection, as we will only discuss the key points that make the SSO interface to SailPoint IIQ operate properly.
When configuring the SP Connection in PingFederate, be sure to enter the Partner's Entity ID with the Issuer Entity ID value from the SailPoint IIQ SSO configuration. From my previous blog post this would be the value youriiq-server.yourdomain.com.
PingFederate is very flexible, as evidenced by the number of IdP Adapters that can be used for authentication. A common integration is to use the HTML Form IdP Adapter and a Password Credential Validator (PCV) configured for LDAP, mainly Active Directory (AD). The SP Connection would configure those components such that the SAML Attribute Fulfillment for the SAML Subject uses the username returned from the HTML Form IdP Adapter. The key to the integration is the format of the username (e.g. sAMAccountName, email, etc.) and how the SAML Correlation Rule is configured within SailPoint IIQ. You need to make sure that the SailPoint Correlation Rule matches the type of identifier that PingFederate inserts into the SAML assertion.
The Assertion Consumer Service (ACS) URL for IIQ can be set to the landing page of your IIQ instance. As seen in my previous blog post, this would be the value https://youriiq-server.your-domainname.com:8080/identityiq/home.jsf. In the following screen snapshot you will see that the SSO Binding is configured as HTTP-POST for the ACS URL.
And lastly, the digital signing certificate for the SAML assertion is configured for the SP Connection. It is common practice to use an unanchored certificate and then provide the public key to the SailPoint administrator configuring SSO for IIQ. The SailPoint administrator for IIQ will import the certificate.
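To show how the four settings above have to line up, here is an added example (not code from the article, SailPoint or PingFederate) that checks a captured SAML Response against the SP Connection values used in this post. The IdP entity ID, the NameID format used for sAMAccountName and the sample response itself are assumptions constructed for the example; real signature verification is left to IIQ with the imported certificate.

```python
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Values the PingFederate SP Connection and the IIQ SSO settings must agree on.
# The IdP entity ID and the NameID format for sAMAccountName are assumptions.
EXPECTED = {
    "idp_entity_id": "https://sso-server.yourdomain.com:9031",
    "sp_entity_id": "youriiq-server.yourdomain.com",          # IIQ Issuer Entity ID
    "acs_url": "https://youriiq-server.your-domainname.com:8080/identityiq/home.jsf",
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}
# Constructed SAML Response: the NameID deliberately carries an email address,
# which would fail a correlation rule that expects sAMAccountName.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  Destination="https://youriiq-server.your-domainname.com:8080/identityiq/home.jsf">
  <saml:Assertion>
    <saml:Issuer>https://sso-server.yourdomain.com:9031</saml:Issuer>
    <ds:Signature/><!-- placeholder; IIQ verifies the real signature with the imported cert -->
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">jdoe@yourdomain.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>youriiq-server.yourdomain.com</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, expected=EXPECTED):
    """Return a list of mismatches between the assertion and the SP Connection settings."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    problems = []
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected["idp_entity_id"]:
        problems.append(f"Issuer {issuer!r} is not the PingFederate IdP entity ID")
    if root.get("Destination") != expected["acs_url"]:
        problems.append("Destination does not match the IIQ ACS URL")
    audiences = [a.text.strip() for a in assertion.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if expected["sp_entity_id"] not in audiences:
        problems.append("Audience does not contain the IIQ Issuer Entity ID")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != expected["nameid_format"]:
        problems.append("NameID format does not match the IIQ correlation rule attribute")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    return problems
```

Running `check_response(SAMPLE_RESPONSE)` reports only the NameID mismatch, which is exactly the correlation problem described above; fixing the Attribute Fulfillment in the SP Connection (or the correlation rule in IIQ) clears it.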
I hope you found this article helpful with tips to integrate SailPoint with PingFederate as the IdP. If you have comments or questions, please contact us!