The following steps walk you through how to integrate the PingFederate Identity Provider (IdP) with Creative Force using SAML.
This guide is based on PingFederate version 12.0. Steps for other versions may vary. Please contact PingFederate support for more information on how to configure a SAML application for other versions of PingFederate.
You must prepare the following prerequisites before proceeding with the setup:
A data store set up in PingFederate Server. This is where user attributes are stored.
An IdP digital signing certificate.
A configured IdP adapter.
Note the following about the IdP adapter configuration during setup:
You will need to specify the attributes that will be included in the SAML assertions.
It is crucial to include the email address attribute in the IdP adapter configuration. This attribute is required by Creative Force for user identification and provisioning.
Note:
By default, PingFederate only supports SCIM 1.1, while Creative Force only supports SCIM 2.0. Learn more about API notes for SCIM here
Create a SAML App in PingFederate
Step 1: In the PingFederate administrative console, go to Applications > Integration > SP Connections.
Step 2: Click Create Connection.
Step 3: On the Connection Template tab, click Do not use a template for this connection. Click Next.
Step 4: On the Connection Type tab, select the Browser SSO Profiles check box.
Step 5: From the Protocol list, select SAML 2.0. Click Next.
Step 6: On the Connection Options tab, leave the Browser SSO check box selected.
Step 7: Click Next.
Step 8: Leave Metadata URL set to NONE. Click Next.
Step 10: On the Browser SSO tab, click Configure Browser SSO.
Step 11: On the SAML Profiles tab, select the SP-Initiated SSO check boxes. Click Next.
Step 12: On the Assertion Lifetime tab, leave the default entries, and then click Next.
Step 13: On the Assertion Creation tab, click Configure Assertion Creation.
Step 14: On the Identity Mapping tab, click Standard. Click Next.
Step 15: On the Attribute Contract tab, ensure that the “email address” attribute is accurately mapped from your user directory or database. The attribute should contain the user's email address, which will be sent in the SAML assertion to Creative Force.
Extend Contract:
Attribute Statements | Attribute Name Format | Required? |
 | urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified | Yes |
 | urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified | No |
 | urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified | No |
Step 16: Click Next.
Step 17: On the Authentication Source Mapping tab, click Map New Adapter Instance.
Step 18: In the Adapter Instance section, choose the adapter that is connected to your data store. Click Next.
Step 19: On the Mapping Method tab, continue with the default selection, and then click Next.
Step 20: In the Attribute Contract Fulfillment section, set the following mappings:
Step 21: Click Next.
Step 22: On the Issuance Criteria tab, click Next.
Step 23: On the Summary tab, review your entries, and then click Done.
Step 24: On the Authentication Source Mapping tab, click Next.
Step 25: On the Summary tab, review your entries, and then click Done.
Step 26: On the Assertion Creation tab, click Next.
Step 27: On the Protocol Settings tab, click Configure Protocol Settings.
Step 28: In the Assertion Consumer Service URL section, under Binding, select POST, and under the Endpoint URL, paste the SP URL (SP ASSERTION CONSUMER SERVICE URL) that you obtained from Creative Force, and click Add.
Step 29: Click Next.
Step 30: On the Allowable SAML Bindings tab, select only the POST and Redirect options. Click Next.
Step 31: On the Signature Policy tab, click Always Sign Assertion. Click Next.
Step 32: On the Encryption Policy tab, click None. Click Next.
Step 33: On the Summary tab, review your entries, and then click Done.
Step 34: On the Protocol Settings tab, click Next.
Step 35: On the Summary tab, review your entries, and then click Done.
Step 36: On the Browser SSO tab, click Next.
Step 37: On the Credentials tab, click Configure Credentials.
Step 38: On the Digital Signature Settings tab, choose your signing certificate.
Step 39: Select the Include the Certificate in the Signature <KeyInfo> Element check box. Click Next.
Step 40: On the Summary tab, review your entries, and then click Done.
Step 41: On the Credentials tab, click Next.
Step 42: On the Activation & Summary tab, scroll to the bottom and click Save. You have completed creating the SAML app in PingFederate.
Step 43: Export Metadata. Use this metadata to fill in the SSO settings in Creative Force here.
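Once the connection is saved, the base64-decoded SAMLResponse from a test login can be checked against the settings chosen in the steps above: assertion signed, certificate in <KeyInfo>, no encryption, email attribute present with the unspecified name format. The Python below is an added example, not PingFederate or Creative Force code; the attribute name "email", the ACS URL and the trimmed sample XML are constructed assumptions, and the check is structural only (it does not verify the XML signature).

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
UNSPEC = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed, trimmed sample response (placeholder host and certificate value).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Destination="https://sp.example.com/acs">
 <saml:Assertion>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:AttributeStatement>
   <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue>user@example.com</saml:AttributeValue>
   </saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, acs_url, email_attr="email"):
    """Return a list of findings; an empty list means the structure matches the guide."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("Destination") != acs_url:
        findings.append("Destination differs from the ACS URL")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append("assertion is encrypted")  # guide sets Encryption Policy to None
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no cleartext Assertion"]
    sig = assertion.find("ds:Signature", NS)  # direct child: the assertion itself is signed
    if sig is None:
        findings.append("Assertion is not signed")
    elif sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
        findings.append("no certificate in Signature KeyInfo")
    path = "saml:AttributeStatement/saml:Attribute"
    attr = next((a for a in assertion.findall(path, NS) if a.get("Name") == email_attr), None)
    if attr is None:
        findings.append(f"attribute {email_attr!r} missing")
    elif attr.get("NameFormat", UNSPEC) != UNSPEC:  # an omitted NameFormat means unspecified
        findings.append("unexpected NameFormat")
    elif "@" not in attr.findtext("saml:AttributeValue", "", NS):
        findings.append("email value empty or malformed")
    return findings

if __name__ == "__main__":
    print(check_response(SAMPLE, "https://sp.example.com/acs") or "matches the guide's settings")
```

Pass the attribute name actually defined in your Attribute Contract as `email_attr`.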