Integrating Trusona with Ping Federate

This guide details the steps required to configure Trusona as a passwordless authentication solution for your Ping Federate.

By Nikolas Mangu-Thitu
Updated Sep 22, 2020

• 1. Navigate the dashboard
• 2. Create a new integration
• 3. Input Data Requested
• 4. System Protocols
• 5. Service Provider IDP Connection
• 6. Service Provider Selector
• 7. Authentication Policy Contract
• 8. Identity Provider Adapter
• 9. Authentication Policies: Selector Policy
• 10. Authentication Policies: Adapter Policy
• 11. Ordering of Authentication Policies
• 12. Identity Provider SP Connection
• 13. Modified HTML Template
• 14. Modified Default Login
• 15. Custom Trusona Login

This guide was written using Ping Federate v9.3.1. This integration also works on Ping v8.4+, but the steps and screenshots described below will vary.

1. Navigate the dashboard

On the left-side of Trusona Integration Dashboard, click on the Ping Federate tab from the navigation menu.

Navigation Menu

2. Create a new integration

Click on the “Create Ping Federate Integration” button

Click on the Create button Menu

3. Input Data Requested

Enter values for Name, Email domain(s) & the Base URL of your Ping installation. Then click Save

Input Name and Consumer Assertion Service URL

Trusona will provide you with the Service Provider SAML metadata endpoint URL

You should now be able to see integration details that you will use in the proceeding steps.

4. System Protocols

To configure Trusona with Ping, your system will need to understand SAML 2.0. The following steps accomplish that.

1. Go to System → Protocol Settings → Roles & Protocols
2. Check the boxes alongside: ENABLE SERVICE PROVIDER (SP) ROLE AND SUPPORT THE FOLLOWING and SAML 2.0
3. Click on Save

System protocols

5. Service Provider IDP Connection

1. Go to the Service Provider tab
2. Under IDP Connections, click on Create New
3. Confirm that Browser SSO Profiles is selected. Click on Next
4. Only Browser SSO should be selected. Click on Next
5. For METADATA, select URL then → Manage Partner Metadata URLs → Add New URL
6. Follow the subsequent steps to successfully add and load the remote metadata by specifying the metadata URL provided to you
7. Click on Save then Next
8. Accept the default values, and click on Next
9. Click on Configure Browser SSO
10. Select the SP-INITIATED SSO checkbox then click on Next
11. Click on Configure User-Session Creation
12. Select NO MAPPING and click on Next
13. Accept the default values under Attribute Contract and click on Next, then click on Done
14. Click on Next
15. Click on Configure Protocol Settings
16. Accept the default values and click on Next
17. Under Allowable SAML Bindings only POST should be checked.
18. Click on Next
19. Accept the default values under Overrides
20. Click on Next
21. Under Signature Policy, select USE SAML-STANDARD SIGNATURE REQUIREMENTS and click on Next
22. Under Encryption Policy, select NONE and click on Next
23. Click through the subsequent screens, either the Done or Next buttons, and arrive at the Summary
24. Compare with the screenshot below, then click on Save

Service Provider IDP Connection Summary

Service Provider IDP Connection Summary, cont

6. Service Provider Selector

1. Go to Service Provider → Selectors
2. Click on Create New Instance
3. Provide memorable a Instance Name and Instance ID
4. For Type select HTTP Request Parameter Authentication Selector and click on Next
5. For HTTP REQUEST PARAMETER NAME specify trusona
6. Uncheck CASE-SENSITIVE MATCHING and click on Next
7. Enter 1 as a Result Value and click on Add, then click on Next
8. Compare with the screenshot below, click on Done, then click on Save

Trusona HTTP Request Selector

7. Authentication Policy Contract

Only do this if there are no existing Authentication Policy Contracts

1. Go to Service Provider → Policy Contracts
2. Click on Create New Contract
3. Specify a memorable Contract Name and click on Next
4. Accept the default values, and click on Next
5. Click on Done and then click on Save

Policy Contract Summary

8. Identity Provider Adapter

1. Go to Identity Provider → Adapters → Create New Instance
2. Specify an Instance Name and Instance ID
3. For the Type select HTML Form IdP Adapter
4. Do not select a Parent Instance then click on Next
5. Click on Add a new row to Credential Validators and select an existing Password Credential Validator
6. Click on Update
7. Make additional changes to the rest of the settings as necessary for your organization, and click on Next
8. Click on Next to accept the default Adapter Attributes
9. Check the box on the username attribute on the Pseudonym column and click on Next
10. Click on Done

IDP Summary

IDP Summary cont.

9. Authentication Policies: Selector Policy

1. Go to Service Provider → Policies → Add Policy
   • Optionally, you may update an existing Selector Policy
2. Select the Selector policy that was previously created.
3. Under 1 select the IDP connection that was previously created.
4. Select a FAIL Rule of Done
5. Select the previously created Policy Contract as Success

Selector policy

1. Click on Contract Mapping, then click on Next
2. On the Source column select the IDP connection that was previously created
3. On the Value column select SAML_SUBJECT
4. Click on Next
5. Click on Next

Selector policy cont.

1. Compare screenshots, then click on Done
2. Click on Done then click on Save

10. Authentication Policies: Adapter Policy

1. Go to Service Provider → Policies → Add Policy
   • Optionally, you may update an existing Adapter Policy
2. Select the IDP Adapter that was previously created.
3. Select a FAIL Rule of Done
4. Select the previously created Policy Contract as Success

Adapter policy

1. Click on Contract Mapping, then click on Next
2. On the Source column select the created IDP Adapter
3. On the Value column select username
4. Click on Next
5. Click on Next

Adapter policy cont.

1. Compare screenshots, then click on Done
2. Click on Done then click on Save

11. Ordering of Authentication Policies

The order of the authentication policies matters.

For the newly created policies, ensure that the Selector Policy is listed BEFORE the Adapter Policy.

Use the provided UI controls to make any necessary changes.

Policy ordering

12. Identity Provider SP Connection

1. Go to Identity Provider → SP Connections → Create New
2. Under Connection Template accept the default and click on Next
3. Click on Next
4. Under Connection Options check the Browser SSO box and click on Next
5. Select None under Import Metadata and click on Next
6. Specify memorable values for the required fields and click on Next
7. Click on Configure Browser SSO
8. Select IDP-INITIATED SSO and click on Next
9. Click on Next
10. Click on Configure Assertion Creation
11. Select the STANDARD Identity Mapping and click on Next
12. Click on Next
13. Click on Map New Authentication Policy
14. Select the previously created Authentication Policy Contract and click on Next
15. Select USE ONLY THE ADAPTER CONTRACT VALUES IN THE SAML ASSERTION and click on Next
16. Under the Source column select Authentication Policy Contract
17. Under the Value column select subject and click on Next
18. Click through the next set of screens, either Next or Done
19. Click on Configure Protocol Settings
20. Specify an Index value of 0
21. Select a Binding value of POST
22. Specify an Endpoint URL $PingBaseFederateURL/idp/startSSO.ping

    Replace $PingBaseFederateURL with the correct value for your deployment

23. Click on Add then click on Next
24. Click through the next series of screens and get to the Browser SSO Summary

IDP SP Connection

1. Compare screenshots and click on Done
2. Click on Next
3. Click on Configure Credentials
4. Complete the subsequent steps based on your Ping Federate deployment.
5. Compare screenshots and click on Save

IDP SP Connection cont.

13. Modified HTML Template

Your Ping Federate login template should be modified to include the “Login with Trusona” button.

Trusona provides a template that can replace the default html.form.login.template.html login template.

If you’re already using a custom template, you can add the “Login with Trusona” button to your existing template with the following HTML snippet:

<a onclick="location.replace(location.href + '&trusona=1')" title="Login With Trusona">Login With Trusona</a>

14. Modified Default Login

Modified default template

15. Custom Trusona Login

Trusona template

---