Configure PingFederate as an Identity Provider

Pivotal Web Services End of Availability Announced
For more information, see Frequently Asked Questions.

This topic describes how to set up PingFederate as your identity provider by configuring SAML integration in both Pivotal Web Services (PWS) and PingFederate.

Set up SAML in PWS

  1. Log into the Single Sign-On (SSO) dashboard at as a Plan Administrator.
  2. Select your plan and choose Manage Identity Providers from the drop-down menu.

    Pingfederate manage id providers

  3. Click Configure SAML Service Provider.

    Pingfederate config saml service provider

  4. (Optional) Select Perform signed authentication requests to enforce SSO private key signature and identity provider validation.

    Saml auth checkbox

  5. (Optional) Select Require signed assertions to validate the origin of signed responses.

  6. Click Download Metadata to download the service provider metadata.

  7. Click Save.

Set up SAML in PingFederate

Configure the Connection

  1. Sign in as a PingFederate administrator.

  2. Navigate to your identity provider configurations by clicking on the IDP Configuration tab.

  3. Under SP Connections, click the Create New button.

    Pingfederate create new sp

  4. Select the Browser SSO Profiles connection template on the Connection Type tab and click Next.

  5. Select Browser SSO on the Connection Options tab and click Next.

  6. Select File as the method for importing metadata and click Choose file to choose the SSO metadata on the Import Metadata tab. Click Next.

    Pingfederate import metadata

  7. Review the information on the Metadata Summary tab and click Next.

  8. Ensure that the Partner’s Entity ID, Connection Name, and Base URL fields pre-populate based on the metadata. Click Next.

    Pingfederate general info

Configure Browser SSO

  1. Click Configure Browser SSO on the Browser SSO tab.

  2. Select the IdP-Initiated SSO and SP-Initiated SSO options on the SAML Profiles tab and click Next.

    Pingfederate saml profiles

  3. Enter your desired assertion validity time from on the Assertion Lifetime tab and click Next.

  4. (Optional) Select IdP-Initiated SLO and SP-Initiated SLO options if you wish to enforce Single Logout.

Assertion Creation

  1. Click Configure Assertion Creation on the Assertion Creation tab.

  2. Choose the Standard option on the Identity Mapping tab and click Next.

  3. Select a Subject Name Format for the SAML_SUBJECT on the Attribute Contract tab and click Next.

    Pingfederate attribute contract

  4. Click Map New Adapter Instance on the Authentication Source Mapping tab.

  5. Select an Adapter Instance and click Next. The adapter must include the user’s email address.

    Pingfederate adapter instance

  6. Select the Use only the adapter contract values in the SAML assertion option on the Mapping Method tab and click Next.

    Pingfederate mapping method

  7. Select your adapter instance as the Source and the email as the Value on the Attribute Contract Fullfillment tab and click Next.

    Pingfederate attribute contract fullfillment

  8. (Optional) Select any authorization conditions you would like on the Issuance Criteria tab and click Next.

  9. Click Done on the Summary tab.

  10. Click Next on the Authentication Source Mapping tab.

  11. Click Done on the Summary tab.

  12. Click Next on the Assertion Creation tab.

Protocol Settings

  1. Click Configure Protocol Settings on the Protocol Settings tab.

  2. Select POST for Binding and specify the single sign-on endpoint url in the Endpoint URL field on the Assertion Consumer Service URL tab. Click Next

    Pingfederate service url

  3. Select POST on the Allowable SAML Bindings tab and click Next.

    Pingfederate saml bindings

  4. Select your desired signature policies for assertions on the Signature Policy tab and click Next.

  5. Select your desired encryption policy for assertions on the Encryption Policy tab and click Next.

  6. Click Done on the Protocol Settings Summary tab.

  7. Click Done on the Browser SSO Summary tab.

Configure Credentials

  1. Click Configure Credentials on the Credentials tab.

  2. Select the Signing Certificate to use with the Single Sign-On service and select Include the certificate in the signature element. Click Next.

    Pingfederate digital signature

  3. Click Done on the Summary tab.

  4. Click Next on the Credentials tab.

  5. Select Active for the Connection Status on the Activation & Summary tab and click Save.

  6. Click Manage All under SP Connections.

  7. Click Export Metadata for the desired service provider connection.

  8. Choose a Signing Certificate on the Metadata Signing tab and click Next.

  9. Click Export on the Export & Summary tab and click Done.