Configure PingFederate to Redirect User Login Requests to your IdP
In the service provider configuration, configure identity provider (IdP) connections for PingFederate. For third-party IdPs, PingFederate acts as the service provider.
In this process, you must also do the following:
• Export the service provider metadata file.
• Import the metadata file from the IdP.
In the SSO architecture that PTC tested and recommends, PingFederate should be configured to redirect user authentication requests to an enterprise directory service (a third-party identity provider, IdP). Because the browser is redirected to authenticate directly with your IdP, fewer nodes within the SSO architecture ever handle user login credentials. To configure PingFederate as a federation hub, you must create at least two connections in PingFederate:
• Create an IdP connection under the service provider configuration in PingFederate. PingFederate uses this connection to connect with your IdP.
• Create a service provider connection under the IdP configuration in PingFederate. PingFederate uses this connection to connect with the service provider.
For more information, see the following topics in the PingFederate documentation:
• “Service provider SSO configuration”
• “Bridging an IdP to an SP”
• “Federation hub and authentication policy contracts”
Note: Use the Browser SSO Profiles connection template only to configure the SSO connection. You must not create SP adapters for SSO connections.
User provisioning is an advanced configuration built on top of the PingFederate SSO setup. User provisioning depends on which IdP a customer selects, and it works differently with each IdP. For more details about user provisioning, see Provisioning in the ThingWorx Help Center.
Authentication Policy Contract
Additionally, you will need to create an authentication policy contract in PingFederate that creates a bridge between the service provider connection and the IdP connection. The authentication policy contract is used to specify what user attributes should be retrieved from your IdP and passed through to the service provider application. Refer to your IdP’s documentation for any attributes that are required.
When configuring SSO for PTC products, the following attributes are required for user authentication and must be exposed in the IdP and mapped in your authentication policy contract:
• uid
• subject
• email
• group
For example, you can enter the following values for Active Directory Federation Services (ADFS). However, the mapping can differ depending on the IdP you choose; you must determine the mapping based on your requirements.
Attribute | Value
--------- | -----
subject   | SAML_SUBJECT (Assertion)
uid       | http://schemas.xmlsoap.org/ws/2005/05/Identity/claims/name (Assertion)
email     | http://schemas.xmlsoap.org/claims/EmailAddress (Assertion)
group     | http://schemas.xmlsoap.org/claims/Group (Assertion)
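As an added example (not part of the PTC documentation or of PingFederate), the following Python script checks whether a SAML assertion received from the IdP actually carries the four attributes the policy contract must fulfill, using the ADFS mapping from the table above. The sample assertion is constructed for illustration and deliberately omits the group claim so that the check reports it as missing.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Contract attribute -> where it comes from in the assertion (ADFS mapping from the table).
# "SAML_SUBJECT" denotes the assertion's Subject/NameID; the others are Attribute Names.
ADFS_MAPPING = {
    "subject": "SAML_SUBJECT",
    "uid": "http://schemas.xmlsoap.org/ws/2005/05/Identity/claims/name",
    "email": "http://schemas.xmlsoap.org/claims/EmailAddress",
    "group": "http://schemas.xmlsoap.org/claims/Group",
}


def extract_contract_values(assertion_xml, mapping=ADFS_MAPPING):
    """Return {contract_attribute: [values]} for every contract attribute the assertion fulfills."""
    root = ET.fromstring(assertion_xml)
    by_name = {}  # Attribute Name -> list of AttributeValue texts
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        by_name.setdefault(attr.get("Name"), []).extend(values)
    name_id = root.find("./saml:Subject/saml:NameID", NS)
    found = {}
    for contract_attr, source in mapping.items():
        if source == "SAML_SUBJECT":
            if name_id is not None and name_id.text:
                found[contract_attr] = [name_id.text]
        elif by_name.get(source):
            found[contract_attr] = by_name[source]
    return found


def missing_contract_attributes(assertion_xml, mapping=ADFS_MAPPING):
    """Contract attributes (uid, subject, email, group) the assertion does not provide."""
    return sorted(set(mapping) - set(extract_contract_values(assertion_xml, mapping)))


# Constructed sample assertion (not captured from a real IdP); the Group claim is absent on purpose.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/Identity/claims/name">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/EmailAddress">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(extract_contract_values(SAMPLE_ASSERTION))
    print("missing:", missing_contract_attributes(SAMPLE_ASSERTION))
```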
To implement an authentication policy contract, do the following:
1. Log in to the PingFederate admin console as an administrator.
2. On the SP Configuration menu, in the AUTHENTICATION POLICIES section, click Policy Contracts.
3. On the Authentication Policy Contracts page, click Create New Contract.
4. Add the required attributes (based on those required by PTC as listed earlier, and those required by your IdP) and click Done.
5. Use this policy contract when setting up your IdP connection to your enterprise directory service.
Note: After you have created your IdP connection, you can confirm which attributes are being exchanged by reviewing the Contract Fulfillment section of the Activation & Summary tab of your IdP connection.