PingFederate

An Identity Provider (IdP) vouches for the identity of a person by issuing a signed authentication token; in this guide that token is a SAML 2.0 assertion. Virtual Appliance uses the IdP for several things, including logging in to the Admin Console and portals, deploying printers, releasing print jobs, and more.

This document does not include instructions on how to connect your user management solution, e.g., LDAP domain, to PingFederate. Please refer to PingFederate’s documentation and complete those steps before following this documentation.

If you use an IdP, the Control Panel Application (CPA) only supports badge and PIN authentication.

Configure Connection

To add and configure enterprise app properties for the Virtual Appliance connection do the following:

  1. Create PingFederate App.
  2. Add IdP Template.
  3. Set Up SSO Connection.
  4. Configure Assertion Creation.
  5. Map Adapter and Attributes.
  6. Define Protocol Settings.
  7. Select the Certificate.
  8. Add the X.509 Certificate.
  9. Apply Issuer URL.
  10. JIT Provisioning.
  11. Add Virtual Appliance Admins.

1. Create PingFederate App

  1. Log into your PingFederate Admin Portal.
  2. Select Applications.
  3. Select SP Connections.
  4. Select the Create Connection button.
  5. On the Connection Template tab select DO NOT USE A TEMPLATE FOR THIS CONNECTION, then select Next.
  6. On the Connection Type tab select BROWSER SSO PROFILES.
  7. In the PROTOCOL drop-down that appears, select SAML 2.0, then select Next.
  8. On the Connection Options tab select BROWSER SSO, then select Next.
  9. On the Import Metadata tab select None, then select Next.

Applications window showing the SP Connection highlighted in the upper left.

Leave the current browser tab open on the new app page. To continue the app configuration, open a second browser tab, sign in to the Virtual Appliance Admin Console, and access the Service Provider Information there.

If the IdP Settings page does not look like the image shown below, you may not be using the latest version and should contact Product Support to upgrade your IdP settings.

2. Add IdP Template

  1. In a separate browser tab, open your Virtual Appliance Admin Console and sign in.
  2. Select Tools then Settings then General, and scroll down to the Identity Provider Settings section.
  3. Select IdP, and then select Add.
  4. Select the identity provider you want to configure in the IdP Template dropdown.
  5. Select SAML2 in the Authentication Protocol section and in the Provisioning section select JIT.
    1. The PingFederate configuration does not support SCIM Provisioning.
  6. In the Name field, enter the name you want displayed on the login button for users, e.g. My Company, Login, Acme Corp, etc.
  7. Scroll down and select the desired Enable setting(s).
    • Enable for End Users Login — Allows end users to login using this IdP. (Self-service Portal)
    • Enable for Admin Login — Allows Admin users to login using this IdP. (Admin Console)
    • Both boxes can be checked when using a single IdP, or if the admin and end users use the same IdP to log in.
  8. Keep the IdP Settings screen open so that the Service Provider Information at the bottom is available for the following steps.

IdP Settings pop-up with an arrow pointing to the Name field near the top.

3. Set Up SSO Connection

  1. Copy the Virtual Appliance Admin Console Identifier (Entity Id) and paste it in the PingFederate General tab's PARTNER’S ENTITY ID (CONNECTION ID) field.
  2. In the CONNECTION NAME field, enter an appropriate/descriptive name for your application (This is the name used on the SP Connections page in PingFederate to identify this application).
  3. In the BASE URL field enter https://gw.<your_va_FQDN>.
  4. In the APPLICATION NAME field, enter the same name you used in the CONNECTION NAME field above.

    All additional fields here are optional. Enter data as needed.
  5. Select Next.
  6. On the BROWSER SSO tab select Configure Browser SSO.
  7. Select the IDP-INITIATED SSO and SP-INITIATED SSO options.
  8. Leave the Single Logout (SLO) Profiles options unchecked, then select Next.
  9. Modify the MINUTES BEFORE and MINUTES AFTER values as needed, then select Next. These values set the clock-skew tolerance around the assertion's validity window; keep them as small as your clock synchronization allows, because every extra minute widens the period in which a captured assertion is still accepted.

4. Configure Assertion Creation

  1. Select Configure Assertion Creation.
  2. On the Identity Mapping tab select STANDARD, then select Next.
  3. Under Subject Name Format select urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified (this value should already be selected by default).
  4. Under Extend the Contract add new entries for the following attributes:
    1. Extend the Contract: FirstName, Attribute Name Format: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified, then select Add.
    2. Extend the Contract: LastName, Attribute Name Format: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified, then select Add.
    3. Extend the Contract: Email, Attribute Name Format: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified, then select Add.
    4. Extend the Contract: Login, Attribute Name Format: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified, then select Add.
  5. Select Next.

Assertion Creation window with the four added entries highlighted along with the Edit and Delete options on the right.

5. Map Adapter and Attributes

  1. Select Map New Adapter Instance.
  2. In the ADAPTER INSTANCE drop-down select PingOne HTML Form Adapter, then select Next.
  3. On the Mapping Method tab, select USE ONLY THE ADAPTER CONTRACT VALUES IN THE SAML ASSERTION, then select Next.
  4. On the Attribute Contract Fulfillment tab select the following:
    1. Attribute Contract: Email, Source: Adapter, Value: mail
    2. Attribute Contract: FirstName, Source: Adapter, Value: givenName
    3. Attribute Contract: LastName, Source: Adapter, Value: sn
    4. Attribute Contract: Login, Source: Adapter, Value: username
    5. Attribute Contract: SAML_SUBJECT, Source: Adapter, Value: username
  5. Select Next.
  6. The Issuance Criteria tab is optional. Configure as needed, then select Next.
  7. Select Done on the Summary page.
  8. Select Next on the Authentication Source Mapping page.
  9. On the Summary tab select Done.
  10. Select Next on the Assertion Creation page.

IdP Attribute Mappings window showing the five entries added to the tab.
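The attribute contract from step 4 and the adapter fulfillment from step 5 decide what the Virtual Appliance receives and what JIT provisioning later uses to create the user. The following added example (not PingFederate or Virtual Appliance code) simulates both sides: it builds an assertion from a constructed adapter record using the same contract names and fulfillment values as the steps above, then parses it back and fails if any contract attribute or the Subject is missing. The issuer URL, adapter record values and assertion ID are constructed sample data; a real SP verifies the Response signature before it trusts any of these values.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
ATTR_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
SUBJECT_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Contract entries from step 4 and their adapter sources from step 5.
CONTRACT = ("FirstName", "LastName", "Email", "Login")
CONTRACT_FULFILLMENT = {
    "Email": "mail",
    "FirstName": "givenName",
    "LastName": "sn",
    "Login": "username",
    "SAML_SUBJECT": "username",
}

# Constructed adapter record (what the HTML Form Adapter would hand to the mapping).
SAMPLE_ADAPTER_RECORD = {
    "username": "jdoe",
    "mail": "jdoe@example.com",
    "givenName": "Jane",
    "sn": "Doe",
}
SAMPLE_ISSUER = "https://sso.example.com/idp"  # placeholder issuer, not a real entity ID


def build_assertion(adapter_record, issuer):
    """Emit the unsigned Assertion element PingFederate's contract would produce.

    Raises ValueError when the adapter record cannot fulfill the contract,
    which is the condition the SP would otherwise hit at JIT provisioning time.
    """
    def source(name):
        value = adapter_record.get(CONTRACT_FULFILLMENT[name], "")
        if not value:
            raise ValueError(f"adapter record has no value for {name}")
        return value

    ET.register_namespace("saml", SAML_NS)
    tag = lambda local: f"{{{SAML_NS}}}{local}"
    assertion = ET.Element(tag("Assertion"), {
        "ID": "_constructed-assertion-1", "Version": "2.0",
        "IssueInstant": "2024-01-01T00:00:00Z"})
    ET.SubElement(assertion, tag("Issuer")).text = issuer
    subject = ET.SubElement(assertion, tag("Subject"))
    name_id = ET.SubElement(subject, tag("NameID"), {"Format": SUBJECT_FORMAT})
    name_id.text = source("SAML_SUBJECT")
    statement = ET.SubElement(assertion, tag("AttributeStatement"))
    for name in CONTRACT:
        attr = ET.SubElement(statement, tag("Attribute"),
                             {"Name": name, "NameFormat": ATTR_FORMAT})
        ET.SubElement(attr, tag("AttributeValue")).text = source(name)
    return ET.tostring(assertion, encoding="unicode")


def extract_contract(assertion_xml):
    """Parse an assertion and return the Subject plus the four contract attributes.

    Call this only on an assertion whose signature has already been verified
    against the IdP certificate (step 8); attribute values are otherwise untrusted.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no Subject/NameID")
    if name_id.get("Format") != SUBJECT_FORMAT:
        raise ValueError(f"unexpected NameID format {name_id.get('Format')!r}")

    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        attrs[attr.get("Name")] = values[0] if values else ""
    missing = [name for name in CONTRACT if not attrs.get(name)]
    if missing:
        raise ValueError(f"attribute contract not fulfilled, missing: {missing}")
    result = {"SAML_SUBJECT": name_id.text.strip()}
    result.update({name: attrs[name] for name in CONTRACT})
    return result


if __name__ == "__main__":
    xml = build_assertion(SAMPLE_ADAPTER_RECORD, SAMPLE_ISSUER)
    print(extract_contract(xml))
```

If the IdP-side mapping leaves one of the four attributes empty (an account with no mail attribute, for example), extract_contract raises instead of returning a partial record, which is the failure you want to see in a test rather than a half-created user after JIT provisioning.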

6. Define Protocol Settings

  1. In the Protocol Settings tab select Configure Protocol Settings.
  2. Under the Action column select Add.

    The URL in the next step works as is unless you have customized the name of your Virtual Appliance database. In the URL, 'app_pi' is the default identifier for the Virtual Appliance database, with 'app' being the default name. If you have modified this in your setup, substitute 'app' with the custom name you assigned. For example, if your database name is 'printerlogic', change 'app_pi' to 'printerlogic_pi'.

  3. Copy and paste the following URL into the Endpoint URL field, replacing the <your_va_FQDN> with your Virtual Appliance FQDN, and <idp_id> with the IdP Identifier found in your Admin Console IdP Settings modal:

    /app_pi/authn/idp/<idp_id>/saml2/acs?RelayState=https%3A%2F%2F<your_va_FQDN>%2Fasserted-login%3Fidp%3D<idp_id>
  4. In the Binding drop-down select Post, then select Add, then select Next.
  5. Uncheck ARTIFACT and SOAP. You only need POST and REDIRECT checked, then select Next.
  6. On the Signature Policy tab select Next.
  7. On the Encryption Policy tab select NONE, then select Next. With no assertion encryption the user attributes travel in clear text inside the signed response, so their confidentiality rests entirely on the TLS connection between the browser and the Virtual Appliance.
  8. On the Summary tab select Done.
  9. On the Protocol Settings tab, select Next.
  10. On the Summary tab select Done.
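The endpoint URL from step 3 packs a second URL (the RelayState the Virtual Appliance is returned to after login) into a query parameter, which is where hand-edited percent-encoding usually goes wrong. The following added example (not vendor code) builds that endpoint from the FQDN, IdP identifier and database name, and checks a candidate endpoint's RelayState the way a service provider should before following it: scheme https, host equal to your own Virtual Appliance FQDN, path /asserted-login and the expected idp value. The hostname va.example.com, the IdP identifier abc123 and the database name printerlogic are constructed sample values.

```python
from urllib.parse import parse_qs, quote, urlsplit


def build_acs_endpoint(va_fqdn, idp_id, db_name="app"):
    """Return the relative ACS endpoint to paste into PingFederate's Endpoint URL field.

    db_name is the Virtual Appliance database name ('app' by default), which
    becomes the '<db_name>_pi' path prefix. RelayState is percent-encoded as a
    whole so that its own ':', '/', '?' and '=' cannot be mistaken for
    separators of the outer query string.
    """
    relay_state = f"https://{va_fqdn}/asserted-login?idp={idp_id}"
    return (f"/{db_name}_pi/authn/idp/{idp_id}/saml2/acs"
            f"?RelayState={quote(relay_state, safe='')}")


def check_relay_state(endpoint, va_fqdn, idp_id):
    """Return True only if the endpoint's RelayState points back at this appliance.

    A RelayState that names any other host would turn the post-login redirect
    into a jump to a site you do not control, so the host is compared exactly.
    """
    query = parse_qs(urlsplit(endpoint).query)  # parse_qs percent-decodes values
    relay_state = query.get("RelayState", [""])[0]
    target = urlsplit(relay_state)
    return (
        target.scheme == "https"
        and target.netloc == va_fqdn
        and target.path == "/asserted-login"
        and parse_qs(target.query).get("idp") == [idp_id]
    )


if __name__ == "__main__":
    endpoint = build_acs_endpoint("va.example.com", "abc123", "printerlogic")
    print(endpoint)
    print("relay state ok:", check_relay_state(endpoint, "va.example.com", "abc123"))
```

The BASE URL from step 3 (https://gw.<your_va_FQDN>) is prepended by PingFederate, so the endpoint stays relative; paste the returned string exactly as printed.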

7. Select the Certificate

  1. On the Browser SSO tab select Next.
  2. On the Credentials tab select Configure Credentials.
  3. In the SIGNING CERTIFICATE drop-down, select your certificate.
  4. Check INCLUDE THE CERTIFICATE IN THE SIGNATURE <KEYINFO> ELEMENT.
  5. Select Next.
  6. On the Summary tab select Done.
  7. On the SP Connections summary page copy the SSO Application Endpoint URL and paste it into the Virtual Appliance SSO URL field.

SP Connections window with the Configure Credentials option in the left middle.

8. Add the X.509 Certificate

  1. Back in the PingFederate portal, scroll down to the Credentials section and select Digital Signature Settings.
  2. Select Manage Certificates.
  3. Select Select Action then Export.
  4. Select CERTIFICATE ONLY, then select Next.
  5. Select Export.
  6. Open the .crt file in a text editor, copy the certificate values including the Begin / End Certificate headers, then paste it into the Admin Console X-509 Certificate field.

    SAML Certificate opened in Notepad, showing the body of the content highlighted, excluding the Begin and End Certificate lines.

  7. Back in the PingFederate portal, select Done.
  8. On the Certificate Management tab select Done again.
  9. On the Summary tab select Save.

Certificate Management window showing the certificate and an arrow is pointing to the Select Action drop-down in the middle right.
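Whether the text pasted into the X-509 Certificate field carries the BEGIN/END lines or only the base64 body, what matters is that the decoded bytes are one complete DER certificate. The following added example (not vendor code) normalizes either form to a standard PEM block and checks that the base64 decodes to a DER SEQUENCE whose declared length matches the data, which catches the common copy-and-paste failure of a truncated last line. The sample bytes are a constructed five-byte DER SEQUENCE used only to exercise the length check, not a certificate; the SHA-256 fingerprint it returns is there so you can compare the pasted certificate with the one PingFederate exported.

```python
import base64
import hashlib
import re
import textwrap

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def _der_sequence_length(der):
    """Return the total length (tag + length bytes + content) of the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("data does not start with a DER SEQUENCE (0x30)")
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    count = first & 0x7F                  # long-form: number of length bytes
    if count == 0 or count > 4 or len(der) < 2 + count:
        raise ValueError("malformed DER length")
    return 2 + count + int.from_bytes(der[2:2 + count], "big")


def normalize_pem(text):
    """Accept PEM with or without BEGIN/END lines; return (canonical PEM, sha256 hex).

    Raises ValueError if the body is not valid base64 or the decoded DER is
    truncated or has trailing bytes.
    """
    body = text.replace(PEM_HEADER, "").replace(PEM_FOOTER, "")
    body = re.sub(r"\s+", "", body)
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:             # binascii.Error is a ValueError subclass
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    declared = _der_sequence_length(der)
    if declared != len(der):
        raise ValueError(
            f"DER length mismatch: header declares {declared} bytes, got {len(der)} "
            "(certificate text truncated or has extra data)")
    b64 = base64.b64encode(der).decode("ascii")
    pem = "\n".join([PEM_HEADER, *textwrap.wrap(b64, 64), PEM_FOOTER])
    return pem, hashlib.sha256(der).hexdigest()


# Constructed stand-in: SEQUENCE { INTEGER 5 }, a structurally valid DER value.
CONSTRUCTED_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_BODY = base64.b64encode(CONSTRUCTED_DER).decode("ascii")
SAMPLE_WITH_HEADERS = f"{PEM_HEADER}\r\n{SAMPLE_BODY}\r\n{PEM_FOOTER}\r\n"
SAMPLE_WITHOUT_HEADERS = f"  {SAMPLE_BODY}  "

if __name__ == "__main__":
    pem, fingerprint = normalize_pem(SAMPLE_WITH_HEADERS)
    print(pem)
    print("sha256:", fingerprint)
```

Run it against the exported .crt before pasting: if normalize_pem raises, the text in your clipboard is not the whole certificate, and the Virtual Appliance would be unable to validate any signed response with it.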

9. Apply Issuer URL

  1. In the top menu select SYSTEM.
  2. On the left menu select Server.
  3. Copy the value in the SAML 2.0 ENTITY ID field and paste it into the Virtual Appliance Admin Console Issuer URL field.

    The PingFederate configuration does not use an Issuer ID; leave that field blank.

  4. Select Apply in the Admin Console.
  5. Select Save in the Admin Console.

Shortcuts window showing the Server option highlighted in the left-side menu near the top.

10. JIT Provisioning

JIT does not support the provisioning of group membership associations, so you cannot apply RBAC roles, printer deployments or portal security roles to groups. Every assignment has to be made individually for each user.

When using JIT Provisioning, the application creates users during the first sign-in attempt.

  1. Access your Virtual Appliance instance and select Sign in with <IdP Name>.
  2. Attempt to login with your IdP credentials.
  3. This login attempt will fail and return you to the login page.

    This is expected. With JIT, this action triggers the user creation in the instance.

  4. The following login attempt with valid credentials initiates a typical login sequence.

Administrators who need access to the Admin Console still need to be added to the Tools then Users page using the steps in Admin Console Users.

11. Add Virtual Appliance Admins

For steps on assigning users and roles to the Virtual Appliance Admin Console reference Admin Console Users.