PingFederate as IdP for SailPoint IIQ

Do you have SailPoint IdentityIQ (IIQ) and PingFederate as part of your IAM product suite? PEGRight commonly encounters these products while consulting, which is no surprise, as they are market leaders for IGA and SSO. A common integration is having the SailPoint console integrated with PingFederate as the Identity Provider (IdP). This blog post shows how to configure PingFederate as the IdP for the SailPoint IIQ console.

To fully configure PingFederate as the IdP for the SailPoint IIQ console, you will need to configure SailPoint for SP-Initiated SSO, which is discussed in my previous post, SailPoint IIQ SSO with Third Party IdP. The key pieces of information that drive the configuration are as follows:

  • Issuer Entity ID: This is the entity ID of the SailPoint IIQ server that is configured in the SSO settings
  • PingFederate IdP URL: This is the SAML SP-Initiated SSO federation endpoint configured within SailPoint IIQ, where the common format of the URL is: https://sso-server.yourdomain.com:9031/idp/SSO.saml2
  • SailPoint IIQ ACS URL: This is the Assertion Consumer Service endpoint that PingFederate uses to send the SAML assertion
  • SSO Binding: The most common is to use HTTP-POST binding
  • Digital Signing Certificate: The certificate within PingFederate for the SAML SP Connection used to sign the SAML assertion

The remainder of this article discusses how to configure the PingFederate IdP server, mainly the SP Connector for SailPoint. We will show the high-level configuration and the key points when configuring the SP Connection in PingFederate. This post assumes that you have some experience with PingFederate and the configuration of an SP Connector, as we will only discuss the key points that make the SSO interface to SailPoint IIQ operate properly.

  1. When configuring the SP Connector in PingFederate, be sure to set the Partner's Entity ID to the Issuer Entity ID value from the SailPoint IIQ SSO configuration. From my previous blog post this would be the value youriiq-server.yourdomain.com.
  2. PingFederate is very flexible, as evidenced by the number of IdP Adapters that can be used for authentication. A common integration is to use the HTML Form IdP Adapter and a Password Credential Validator (PCV) configured for LDAP, mainly Active Directory (AD). The SP Connection would configure those components such that the SAML Attribute Fulfillment for SAML Subject would leverage the username returned from the HTML Form IdP Adapter. The key to the integration is the format of the username (e.g. sAMAccountName, email, etc.) and how the SailPoint SAML Correlation Rule is configured within SailPoint IIQ. You need to make sure that the SailPoint Correlation Rule matches the type of identity inserted into the SAML assertion by PingFederate.
    [Screenshot: PingFederate Attribute Fulfillment]
  3. The Assertion Consumer Service (ACS) URL for IIQ can be set to the landing page of your IIQ instance. As seen in my previous blog post, this would be the value https://youriiq-server.your-domainname.com:8080/identityiq/home.jsf. In the following screen snapshot you will see that the SSO Binding is configured as HTTP-POST for the ACS URL.
    [Screenshot: PingFederate ACS URL]
  4. Lastly, the digital signing certificate for the SAML assertion is configured for the SP Connection. It is common practice to use an unanchored certificate and then provide the public key to the SailPoint administrator configuring SSO for IIQ. The SailPoint administrator for IIQ will import the certificate.
    [Screenshot: PingFederate Digital Signing Certificate]
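
The mismatches these four points guard against can be checked on a decoded SAMLResponse captured during a test login. The following is an added example, not code from the original post or from PingFederate or SailPoint. It uses the post's placeholder hostnames and a constructed sample response, and it assumes that PingFederate sends the Partner's Entity ID as the assertion Audience and that the IIQ correlation rule expects a sAMAccountName.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Placeholder values from the post; subject_style is what the IIQ
# SAML Correlation Rule is assumed to look up.
EXPECTED = {"entity_id": "youriiq-server.yourdomain.com",
            "acs_url": "https://youriiq-server.your-domainname.com:8080/identityiq/home.jsf",
            "subject_style": "sAMAccountName"}

# Constructed sample (not a real capture): the subject is an email address.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" Destination="{EXPECTED['acs_url']}">
  <saml:Assertion>
    <ds:Signature/>
    <saml:Subject><saml:NameID>jdoe@yourdomain.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{EXPECTED['entity_id']}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def subject_style(name_id):
    """Rough classification of the identifier carried in NameID."""
    return "email" if "@" in name_id else "sAMAccountName"

def check_response(xml_text, expected=EXPECTED):
    """Return a list of mismatches between a decoded SAMLResponse and the settings."""
    root = ET.fromstring(xml_text)
    def text(path):
        node = root.find(path, NS)
        return node.text.strip() if node is not None and node.text else None
    findings = []
    if root.get("Destination") != expected["acs_url"]:
        findings.append("Destination is not the IIQ ACS URL")
    if text("saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience") != expected["entity_id"]:
        findings.append("Audience is not the IIQ entity ID")
    name_id = text("saml:Assertion/saml:Subject/saml:NameID")
    if name_id is None:
        findings.append("no NameID in the assertion")
    elif subject_style(name_id) != expected["subject_style"]:
        findings.append(f"NameID looks like {subject_style(name_id)}, "
                        f"correlation rule expects {expected['subject_style']}")
    # Presence only: this does not validate the XML signature cryptographically.
    if root.find("saml:Assertion/ds:Signature", NS) is None:
        findings.append("assertion carries no ds:Signature")
    return findings
```

Call `check_response()` with the base64-decoded SAMLResponse form field from a test login. An empty list means these settings line up; signature validation itself is still done by IIQ with the imported certificate.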

I hope you found these tips helpful for integrating SailPoint with PingFederate as the IdP. If you have comments or questions, please contact us!
