Creating a Service Provider Connection
The service provider (SP) connection is used for SAML authentication. PTC Arbortext Content Delivery directs user sign-in requests to PingFederate. For PTC Arbortext Content Delivery, you must create a separate SP connection for each application, such as the Configurator, Task Manager, and the PTC Arbortext Content Delivery application.
You can copy the existing SP connection created by a script for the PTC Arbortext Content Delivery application to configure the Task Manager and Configurator applications on PingFederate. To copy from an existing SP connection:
1. On the IDP Configuration page, select SP Connections and click Manage All.
2. In the Actions list, select Copy.
3. Update Partner’s Entity ID, Connection Name, and Base URL for the application that you are configuring.
4. Click Save.
Create a new SP connection as follows:
1. On the IDP Configuration page, select SP Connections and click Create New.
2. In the Connection Type section, select Browser SSO Profiles to specify the SAML 2.0 protocol.
3. In the Connection Options section, select Browser SSO.
4. In the General Information section, perform the following steps:
a. Set Partner’s Entity ID (Connection ID) to a unique value. Usually this is the default value which is configured using the Configurator.
b. Provide a descriptive name for the Connection Name field. This is the name that is displayed in the SP Connection list.
c. Set the base URL to the URL where your web application (ACD) service provider is hosted.
5. In the Protocol Settings section, set the Assertion Consumer Service URL Endpoint to URL/ACD/saml/SSO.
6. In the Credentials section, set Digital Signature Settings to Selected Certificate.
7. In the Signature Verification section, add a certificate for:
Signature Verification Certificate: Selected Certificate
Signature Verification Certificate: Selected Encryption Certificate
Select XML Encryption Certificate: Selected Encryption Certificate
8. Confirm that the new service provider is active. View the service provider connection. A radio button indicator at the top of the Activation & Summary page should be set to Active.
9. Click Save.
PingFederate uses a mechanism called a policy contract to bridge connections between service providers and the identity provider that PingFederate relies on. You must create such a policy contract for this service provider connection. When you do so, list any attributes that should be exchanged in the SAML assertions. For more information, see Authentication Policy Contract.
SAML Provisioning
If you enable Single Sign-On (SSO) authentication, SAML provisioning is automatically enabled. User attributes are included in and retrieved through SAML assertions from the authorization server (PingFederate) that acts as the broker between PTC Arbortext Content Delivery application and the identity provider. This is considered “just-in-time” provisioning, because user accounts are created (if they don’t already exist in PTC Arbortext Content Delivery application) and updated when a user signs in to PTC Arbortext Content Delivery application.
Work with the IdP administrator to understand the user, and to ensure that the user account in PTC Arbortext Content Delivery application is updated during the sign in. By default, PTC Arbortext Content Delivery application only uses the username attribute to create the user. Any additional attributes that you want consumed must be configured in the authorization server, so that they are passed in the SAML assertion, and then mapped to the user extension properties. Additional configurations are required to manage the provisioning settings used with this method.
Updating IdP Metadata in the Service Provider
To update the IdP metadata in the SP:
1. Export the IdP metadata specific to the SP Connection for PTC Arbortext Content Delivery application.
2. Browse to Export Metadata > Select Signing Certificate and select the check box to include the certificate’s public key in the element.
3. Click Next and then click Export.
4. Name the file openam-idp.xml.
5. Save it in the WAR file.
For WAR file details, see Application. Details about this file are stored in the securityContext.properties file under the following properties:
# IDP settings
org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider.metadataFile=WEB-INF/security/config/openam-idp.xml
You can either use the default values created while configuring through the Configurator or update the values manually. See the Advanced configuration section for information about retaining the updated properties.