# PingFederate
This document describes the procedure for integrating PingFederate Single Sign-On (SSO) with the OvalEdge application. The integration leverages Active Directory (AD) for authentication, ensuring centralized identity management and secure access to OvalEdge.
The process covers:
* Active Directory data store configuration in PingFederate
* Password Credential Validator (PCV) setup
* Identity Provider (IdP) adaptor configuration
* SAML Entity ID setup
* Service Provider (SP) connection configuration for OvalEdge
* Metadata exchange and application-level configuration
This guide is intended for System Administrators, DevOps Engineers, and Identity Management specialists who manage enterprise SSO integrations.
## Prerequisites
Before starting the integration, ensure the following:
* Infrastructure
* Access to PingFederate server with administrative credentials
* Access to the OvalEdge application server (Linux or Windows)
* Active Directory (AD) environment with valid user accounts
* System Requirements
* PingFederate configured and accessible
* Tomcat running OvalEdge application
* Network connectivity between PingFederate, OvalEdge, and AD servers
* Files and Configurations
* Ability to update oasis.properties and setenv.sh (Linux) or tomcat9w\.exe (Windows)
* Export/import permissions for SAML metadata on PingFederate and OvalEdge
## Integration Procedure
### Active Directory Data Store Creation
* Log in to **PingFederate** with administrator credentials.
* Navigate to:
```
System > Data Stores > Add New Data Store
```
* Provide the following:
* **Name:** Any descriptive name
* **Type:** Directory (LDAP)
* Enter the Active Directory details:
* **Hostname:** ``
* **User DN:** `CN=Administrator,CN=Users,DC=,DC=`
* **Password:** AD administrator password
* Click **Next**, review details, and **save**.
### Password Credential Validator (PCV) Creation
* Navigate to:
```
System > Password Credential Validators
```
* Click **Create New Instance**.
* Provide:
* **Instance Name / ID:** Any name
* **Type:** LDAP Username Password Credential Validator
* In **Instance Configuration**, enter:
* **LDAP Datastore:** Select the datastore created in Step 1
* **Search Base:** Distinguished Name (DN) of the AD root
* **Search Filter:**
```
sAMAccountName=${username}
```
* In the **Extended Contract**, add `memberOf`.
* Review and save the validator.
### IdP Adaptor Creation
* Navigate to:
```
Authentication > IdP Adaptors
```
* Click **Create New Instance**.
* Enter:
* **Instance Name / ID:** Any name
* **Type:** HTML Form IdP Adaptor
* Under **Adaptor Settings**, link the AD datastore created earlier.
* In the **Extended Contract**, add attributes:
* Name
* Email
* firstName
* lastName
* In the **Adaptor Attribute section**, enter the highlighted details and then click **Next**.
* In the **Adaptor Contract Mapping tab**, click **Configure Adaptor Contract**.
* Click **Add Attribute Sources**. Fill in the details:
* **Attribute Source ID:** Any name of your choice
* **Attribute Source Description:** Any description
* **Active Data Store:** Select the Active Directory created in the datastore section
* Enter the filter details as shown, then click **Next**.
* Review the changes and click **Done**.
* Click **Adaptor Contract Fulfillment** → enter details → **Next**.
* Continue clicking **Next** and then **Save**.
### Entity ID Configuration
* Navigate to **System > Server.**
* Enter a **SAML 2.0 Entity ID** (any valid URL).
* Proceed through the wizard and save the configuration.
### Service Provider (SP) Connection (OvalEdge Application)
* Navigate to **Applications > SP Connections** in PingFederate.
* Click **Create Connection**.
* Select **Do not use a template** and click **Next**.
* Choose **Browser SSO** as the connection type.
* In the Import Metadata URL, select **None** and click **Next**.
* In **General Info**, enter:
* **Partner’s Entity ID**: `https:///saml/metadata`
* **Connection Name**: `https:///saml/metadata`
* **Base URL**: `https://` (OvalEdge application URL)
Here, https://<IP-or-DNS> is an OvalEdge application URL.
* Click **Browser SSO**.
* Enable both **IdP-Initiated** and **SP-Initiated SSO.**
* In Assertion-Lifetime, click **Next**.
* Click **Configure Assertions Creation** and then click **Next**.
* Select the **STANDARD** checkbox and click **Next**.
* Add/Edit the attributes and click **Next**.
* Click **Map New adaptor Instance**.
* Select the **Adaptor Name** that we created in the Adaptor instance creation section and click **Next**.
* Select the checkbox and click **Next**.
* In **Attribute Contract Fulfillment**, enter the details below and click **Next**.
**Configure role expressions (example):**
```java
#groupCnOnly = new java.util.ArrayList(),
#groups = #this.get("roles")!=null ? #this.get("roles").getValues() : {},
#groups.{
#group = #this,
#group = new javax.naming.ldap.LdapName(#group),
#cn = #group.getRdn(#group.size() - 1).getValue().toString(),
#groupCnOnly.add(#cn)
},
#this.get("roles")!=null ? new org.sourceid.saml20.adapter.attribute.AttributeValue(#groupCnOnly) : null
```
* In the **Issuance Criteria**, click **Next**.
* Review the Summary and click **Next**.
* Review the Assertion Configuration, and click on **Next**.
* **Configure Protocol Settings:**
* **Endpoint URL**: `https:///saml/SSO`
* Select the highlighted checkbox and click **Next**.
* In the **signature policy**, enable the **SIGN RESPONSE AS REQUIRED** checkbox and click on **Next**.
* In the **Encryption policy**, click **Next**.
* In **summary**, review the changes and click **Done**.
* In the **Protocol Settings,** click **Next,** and **Done**.
* In the **Browser SSO** tab, click **Next**.
* In the **Credentials** tab, click **Configure Credentials**.
* Click **Manage Certificates**.
* Click **Create New**.
* Add the following details and click **Next**.
* Review the changes, and click **Done**.
* In the **Digital Signature Settings**, click **Next,** and **Done**.
* Review the page and click **Done**.
* The **Connection Name and Connection ID** are displayed.
* Click **Select Action** and **Export Metadata,** as shown below.
### OvalEdge Application Configuration
* Place the `metadata.xml` file (exported) in the OvalEdge application server directory.
* Update `oasis.properties` to reference the metadata file path.
* Configure Tomcat environment variable:
* **Linux**: Edit `setenv.sh` and add:
```bash
-DOVALEDGE_SECURITY_TYPE=saml
```
* **Windows**: Run:
```bash
tomcat9w.exe //ES/tomcat1
```
and add:
```bash
-DOVALEDGE_SECURITY_TYPE=saml
```
* Now log in to the OvalEdge application, click **Continue with SSO**, and log in with your Ping credentials.
### Update OvalEdge system settings
* Navigate to **System Settings > SSO**
* Set:
```properties
ovaledge.extauth.authtype = REMOTE
```
*(default is HYBRID)*
* Now connect to the application server (Windows or Linux), create a folder with any name, and paste the `metadata.xml` (step 34) file into that folder.
* Copy the `metadata.xml` file path, paste it into the `oasis.properties` file as shown below, and save the file.
* Now, navigate to the Tomcat bin directory and configure `setenv.sh` (for Windows use `tomcat9w.exe`) file with:
```bash
-DOVALEDGE_SECURITY_TYPE=saml
```
* **Windows**:\
Navigate to the Tomcat bin folder, open the command prompt here, execute the command below, and make changes:
```bash
tomcat9w.exe //ES/tomcat1
```
\
\&#xNAN;*Sample Reference Screenshot:*