PingFederate
This document describes the procedure for integrating PingFederate Single Sign-On (SSO) with the OvalEdge application. The integration leverages Active Directory (AD) for authentication, ensuring centralized identity management and secure access to OvalEdge.
The process covers:
Active Directory data store configuration in PingFederate
Password Credential Validator (PCV) setup
Identity Provider (IdP) adaptor configuration
SAML Entity ID setup
Service Provider (SP) connection configuration for OvalEdge
Metadata exchange and application-level configuration
This guide is intended for System Administrators, DevOps Engineers, and Identity Management specialists who manage enterprise SSO integrations.
Prerequisites
Before starting the integration, ensure the following:
Infrastructure
Access to PingFederate server with administrative credentials
Access to the OvalEdge application server (Linux or Windows)
Active Directory (AD) environment with valid user accounts
System Requirements
PingFederate configured and accessible
Tomcat running the OvalEdge application
Network connectivity between PingFederate, OvalEdge, and AD servers
Files and Configurations
Ability to update oasis.properties and setenv.sh (Linux) or tomcat9w.exe (Windows)
Export/import permissions for SAML metadata on PingFederate and OvalEdge
Integration Procedure
Active Directory Data Store Creation
Log in to PingFederate with administrator credentials.

Navigate to:
System > Data Stores > Add New Data Store
Provide the following:
Name: Any descriptive name
Type: Directory (LDAP)

Enter the Active Directory details:
Hostname:
<AD Server hostname or IP>
User DN:
CN=Administrator,CN=Users,DC=<domain>,DC=<tld>
Password: AD administrator password
Click Next, review details, and save.

Password Credential Validator (PCV) Creation
Navigate to:
System > Password Credential Validators
Click Create New Instance.
Provide:
Instance Name / ID: Any name
Type: LDAP Username Password Credential Validator

In Instance Configuration, enter:
LDAP Datastore: Select the datastore created in Step 1
Search Base: Distinguished Name (DN) of the AD root
Search Filter:
sAMAccountName=${username}

In the Extended Contract, add memberOf.
Review and save the validator.

IdP Adaptor Creation
Navigate to:
Authentication > IdP Adaptors
Click Create New Instance.

Enter:
Instance Name / ID: Any name
Type: HTML Form IdP Adaptor
Under Adaptor Settings, link the AD datastore created earlier.

In the Extended Contract, add attributes:
Name
Email
firstName
lastName

In the Adaptor Attribute section, enter the highlighted details and then click Next.

In the Adaptor Contract Mapping tab, click Configure Adaptor Contract.

Click Add Attribute Sources. Fill in the details:

Attribute Source ID: Any name of your choice
Attribute Source Description: Any description
Active Data Store: Select the Active Directory created in the datastore section

Enter the filter details as shown, then click Next.

Review the changes and click Done.

Click Adaptor Contract Fulfillment → enter details → Next.

Continue clicking Next and then Save.

Entity ID Configuration
Navigate to System > Server.

Enter a SAML 2.0 Entity ID (any valid URL).

Proceed through the wizard and save the configuration.
Service Provider (SP) Connection (OvalEdge Application)
Navigate to Applications > SP Connections in PingFederate.

Click Create Connection.

Select Do not use a template and click Next.

Choose Browser SSO as the connection type.

In the Import Metadata URL, select None and click Next.

In General Info, enter:
Partner’s Entity ID: https://<IP-or-DNS>/saml/metadata
Connection Name: https://<IP-or-DNS>/saml/metadata
Base URL: https://<IP-or-DNS> (OvalEdge application URL)

Click Browser SSO.

Enable both IdP-Initiated and SP-Initiated SSO.

In Assertion-Lifetime, click Next.

Click Configure Assertions Creation and then click Next.

Select the STANDARD checkbox and click Next.

Add/Edit the attributes and click Next.

Click Map New adaptor Instance.

Select the Adaptor Name that we created in the Adaptor instance creation section and click Next.

Select the checkbox and click Next.

In Attribute Contract Fulfillment, enter the details below and click Next.

Configure role expressions (example). This expression takes each group DN in the roles attribute and keeps only its leftmost RDN value (the group CN), so the assertion carries plain group names rather than full DNs:
#groupCnOnly = new java.util.ArrayList(),
#groups = #this.get("roles")!=null ? #this.get("roles").getValues() : {},
#groups.{ #group = #this, #group = new javax.naming.ldap.LdapName(#group), #cn = #group.getRdn(#group.size() - 1).getValue().toString(), #groupCnOnly.add(#cn) },
#this.get("roles")!=null ? new org.sourceid.saml20.adapter.attribute.AttributeValue(#groupCnOnly) : null
In the Issuance Criteria, click Next.
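As an added example (not PingFederate or OvalEdge code), the following Python models what the role expression above computes, so the group-DN-to-role mapping can be checked offline before the SP connection is saved; the sample memberOf values, domain and group names are constructed placeholders, and one of them has an escaped comma in its CN to show the edge case the expression handles.

```python
import re
from typing import List, Optional


def split_dn(dn: str) -> List[str]:
    """Split an LDAP DN into RDN strings (RFC 4514), honouring backslash escapes
    and quoted values so a group CN containing a comma is not cut in half."""
    rdns, current, in_quotes, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):     # escaped pair, e.g. "\," stays together
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def rdn_value(rdn: str) -> str:
    """Return the unescaped value of one RDN, like javax.naming.ldap.Rdn.getValue()."""
    _, _, value = rdn.partition("=")
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return re.sub(r"\\(.)", r"\1", value)


def group_cn_only(roles: Optional[List[str]]) -> Optional[List[str]]:
    """Mirror of the OGNL expression: a missing "roles" attribute yields null; otherwise
    the leftmost RDN value of each group DN.  LdapName numbers RDNs right to left, so
    getRdn(size() - 1) in the expression is the leftmost RDN, i.e. the group's CN."""
    if roles is None:
        return None
    return [rdn_value(split_dn(dn)[0]) for dn in roles]


# Constructed sample memberOf values; the domain and group names are placeholders.
SAMPLE_ROLES = [
    "CN=OvalEdge Admins,OU=Groups,DC=example,DC=test",
    "CN=Data Stewards\\, EMEA,OU=Groups,DC=example,DC=test",
]

if __name__ == "__main__":
    print(group_cn_only(SAMPLE_ROLES))   # ['OvalEdge Admins', 'Data Stewards, EMEA']
```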

Review the Summary and click Next.

Review the Assertion Configuration, and click on Next.

Configure Protocol Settings:
Endpoint URL:
https://<IP-or-DNS>/saml/SSO

Select the highlighted checkbox and click Next.

In the signature policy, enable the SIGN RESPONSE AS REQUIRED checkbox and click on Next.

In the Encryption policy, click Next.

In summary, review the changes and click Done.

In the Protocol Settings, click Next, and Done.

In the Browser SSO tab, click Next.

In the Credentials tab, click Configure Credentials.

Click Manage Certificates.

Click Create New.

Add the following details and click Next.

Review the changes, and click Done.

In the Digital Signature Settings, click Next, and Done.

Review the page and click Done.

The Connection Name and Connection ID are displayed.

Click Select Action and Export Metadata, as shown below.

OvalEdge Application Configuration
Place the exported metadata.xml file in the OvalEdge application server directory.
Update oasis.properties to reference the metadata file path.
Configure the Tomcat environment variable:
Linux: Edit setenv.sh and add:
-DOVALEDGE_SECURITY_TYPE=saml
Windows: Run:
tomcat9w.exe //ES/tomcat1
and add:
-DOVALEDGE_SECURITY_TYPE=saml
Now log in to the OvalEdge application, click Continue with SSO, and log in with your Ping credentials.


Update OvalEdge system settings
Navigate to System Settings > SSO
Set:
ovaledge.extauth.authtype = REMOTE (default is HYBRID)

Now connect to the application server (Windows or Linux), create a folder with any name, and paste the metadata.xml file (exported from the SP connection above) into that folder.
Copy the metadata.xml file path, paste it into the oasis.properties file, and save the file.
Now navigate to the Tomcat bin directory and configure setenv.sh (for Windows, use tomcat9w.exe) with:
-DOVALEDGE_SECURITY_TYPE=saml
Windows: Navigate to the Tomcat bin folder, open a command prompt there, execute the command below, and add the parameter in the service configuration it opens:
tomcat9w.exe //ES/tomcat1

Linux: Navigate to the Tomcat bin path, edit setenv.sh, and add:
-DOVALEDGE_SECURITY_TYPE=saml

Now restart the Tomcat service and check the application after 5 minutes. You can now log in to the application with AD users.
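Before oasis.properties is pointed at the exported file, a pre-flight check of the IdP metadata saves a failed login round-trip. The following is an added example, not OvalEdge or PingFederate code; it embeds a constructed sample of the IdP metadata shape (placeholder host, paths and certificate) and reports a missing signing certificate, non-https SSO endpoints, and an expired validUntil.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, List

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample shaped like an IdP export; host, paths and certificate are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERTIFICATE</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://idp.example.test/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.test/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text: str) -> Dict[str, object]:
    """Return the IdP entityID, its SSO endpoints keyed by binding, and the problems
    that would make the OvalEdge SP side fail or accept assertions it cannot verify."""
    root = ET.fromstring(xml_text)
    problems: List[str] = []
    entity_id = root.get("entityID", "")
    valid_until = root.get("validUntil")      # optional in SAML metadata
    if valid_until and datetime.fromisoformat(valid_until.replace("Z", "+00:00")) < datetime.now(timezone.utc):
        problems.append("validUntil has passed: export fresh metadata from PingFederate")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {"entity_id": entity_id, "sso": {}, "problems": ["no IDPSSODescriptor: not IdP metadata"]}
    # A KeyDescriptor with no "use" attribute serves both signing and encryption.
    signing_certs = [kd for kd in idp.findall("md:KeyDescriptor", NS)
                     if kd.get("use", "signing") == "signing"
                     and kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None]
    if not signing_certs:
        problems.append("no signing certificate: OvalEdge cannot verify assertion signatures")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    for binding in (POST, REDIRECT):          # the two bindings the SP side commonly relies on
        name = binding.rsplit(":", 1)[1]
        if binding not in sso:
            problems.append(f"missing SingleSignOnService for {name}")
        elif not sso[binding].startswith("https://"):
            problems.append(f"{name} SSO endpoint is not https")
    return {"entity_id": entity_id, "sso": sso, "problems": problems}
```

Run it against the real export by reading the file into a string and passing it to check_idp_metadata; an empty problems list means the metadata is safe to reference from oasis.properties.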

Validation
Verify that users from AD can log in to OvalEdge via SSO.
Check that user attributes (Name, Email, Groups) are correctly mapped.
Confirm that role-based access is applied according to AD group membership.
Rollback Instructions
If login fails after enabling SSO:
Revert:
ovaledge.extauth.authtype = HYBRID
Remove or comment out the following parameter in Tomcat:
-DOVALEDGE_SECURITY_TYPE=saml
Restart Tomcat services.
Copyright © 2025, OvalEdge LLC, Peachtree Corners, GA, USA.