SAML and Ping Federate
I am typing this up as a SailPoint customer who is an Administrator and Implementer for my company - not a PingFederate Admin - but I wanted to put an article online to help people work through some troubleshooting issues we ran into regarding IdP-initiated and SP-initiated SSO. Up to this point, everything that I have found in the community has been fragmented, and it took reading between the lines to understand what I was missing in my configuration in SailPoint.
Issues we encountered:
- Initially, after SAML configuration with PingFederate and SailPoint, PingFederate would authenticate and then the default SailPoint login screen would immediately appear.
- Cause: The Public X.509 Certificate requires the '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' markers, which we were missing. Also, line breaks do not affect the certificate's use, so there is no need to spend time removing them.
- We were able to federate using the IdP-initiated URL but not with an SP-initiated URL.
- To understand IdP- vs. SP-initiated URLs, see the PingFederate documentation, but a quick example of each:
- IdP-initiated example: https://federationlogin.example.com/idp/startSSO.ping?PartnerSpId=https://identityiq.example.com/&Ta...
- SP-initiated example: https://identityiq.example.com/dashboard.jsf
- Cause: In the 'Identity Provider SSO Service URL' under SAML Based SSO in the Login Configuration, the URL requires a 'PartnerSpId' parameter for SP-initiated requests to federate. See the before and after 'Identity Provider SSO Service URL' value examples:
- Before example (did not work): https://federationlogin.example.com/idp/startSSO.ping
- After example (worked for both IdP- and SP-initiated requests): https://federationlogin.example.com/idp/startSSO.ping?PartnerSpId=http://identityiq.example.com/
SAML Based SSO Config Example Values
- Entity ID (Issuer): example:federation:saml2
- Identity Provider SSO Service URL: https://federationlogin.example.com/idp/startSSO.ping?PartnerSpId=http://identityiq.example.com/
- SAML URL (Assertion Consumer Service): https://identityiq.example.com/dashboard.jsf
- Binding Method: HTTP POST
- NameID Format: unspecified
- Public X.509 Certificate: -----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
- SAML Correlation Rule: Custom Correlation Rule based off the default IdentityNowSAML
```java
// Imports
import sailpoint.object.Identity;

String logName = "example.SSO";
log(logName, "***Entering rule exampleSAML...", LOG_ERROR);

// Get the nameId from the assertionAttributes
String nameId = (String) assertionAttributes.get("uniqueid");
log(logName, "UniqueId from SAML assertion is: " + nameId, LOG_ERROR);

// Initialize to null so the rule returns null (no correlation) when nothing matches
Identity ident = null;
if (nameId != null) {
    // Lookup the identity based on nameId
    ident = context.getObjectByName(Identity.class, nameId);
    if (ident != null) {
        log(logName, "Identity found: " + ident.getDisplayName() + ". Returning...", LOG_ERROR);
    } else {
        // Guard against a NullPointerException when no identity has that name
        log(logName, "No identity found for name id: " + nameId, LOG_ERROR);
    }
} else {
    log(logName, "No name id, did not match identity.", LOG_ERROR);
}
return ident;
```
I hope this helps with configuring SAML and PingFederate.
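As an added checking example (not part of the original post and not SailPoint or PingFederate code), the following Python script verifies the two things that tripped up the configuration above: that the pasted Public X.509 Certificate value carries the BEGIN/END markers and decodes to a complete DER blob regardless of line breaks, and that the 'Identity Provider SSO Service URL' carries a PartnerSpId parameter. The certificate bodies used below are constructed DER stand-ins (a SEQUENCE containing one INTEGER), not real certificates; the hostnames are the example.com values from the post.

```python
"""Sanity checks for a SailPoint 'SAML Based SSO' configuration (added example)."""
import base64
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def _pem_body(cert_text: str) -> str:
    """Strip PEM markers and all whitespace/line breaks, leaving bare base64."""
    body = cert_text.replace(PEM_HEADER, "").replace(PEM_FOOTER, "")
    return re.sub(r"\s+", "", body)


def validate_pem(cert_text: str):
    """Return None if the value decodes to a complete DER-encoded SEQUENCE
    (the outer structure of every X.509 certificate), else an error string.
    A value pasted with its tail cut off fails the length check."""
    body = _pem_body(cert_text)
    if not body:
        return "empty certificate value"
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return f"not valid base64: {exc}"
    if len(der) < 2 or der[0] != 0x30:
        return "does not start with a DER SEQUENCE tag (0x30)"
    first = der[1]
    if first < 0x80:            # short-form length
        hdr, length = 2, first
    else:                       # long-form length: low 7 bits = number of length bytes
        nbytes = first & 0x7F
        hdr = 2 + nbytes
        if len(der) < hdr:
            return "truncated DER length field"
        length = int.from_bytes(der[2:hdr], "big")
    if hdr + length != len(der):
        return f"DER length mismatch: header says {hdr + length} bytes, got {len(der)}"
    return None


def normalize_pem(cert_text: str) -> str:
    """Re-wrap a certificate value with the BEGIN/END markers SailPoint expects,
    64 characters per line. Raises ValueError on invalid input."""
    problem = validate_pem(cert_text)
    if problem:
        raise ValueError(problem)
    body = _pem_body(cert_text)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def partner_sp_id(sso_url: str):
    """Return the PartnerSpId query value of an IdP SSO Service URL, or None."""
    values = parse_qs(urlsplit(sso_url).query).get("PartnerSpId")
    return values[0] if values else None


def with_partner_sp_id(sso_url: str, sp_entity_id: str) -> str:
    """Add (or replace) PartnerSpId on the startSSO.ping URL so SP-initiated
    requests carry the SP entity ID PingFederate uses to select the SP connection."""
    parts = urlsplit(sso_url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query["PartnerSpId"] = [sp_entity_id]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


if __name__ == "__main__":
    # Constructed stand-in DER blob (SEQUENCE { INTEGER 1 }), not a real certificate.
    pasted = "MAMC\r\nAQE="
    print(normalize_pem(pasted))
    print(validate_pem("MAMCAQ=="))    # truncated paste -> error string
    base = "https://federationlogin.example.com/idp/startSSO.ping"
    print(partner_sp_id(base))         # None: SP-initiated flow has nothing to route on
    print(with_partner_sp_id(base, "https://identityiq.example.com/"))
```

Note that the post's working value uses http://identityiq.example.com/ as the PartnerSpId while the IdP-initiated example uses https://. PartnerSpId has to match the SP entity ID configured on the PingFederate SP connection character for character, so check which form is actually configured there rather than assuming the scheme.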
Is there a way to forward the user to an "Unauthorized User" page or some sort of thing like that if the SAML Correlation Rule returns a null identity? How do we handle a failed authentication differently than a successful authentication?
Thanks for the information. Did you have to encrypt or sign the assertion? If yes, then can you please share the steps.
This helped a lot, thank you for documenting your issues!