Installing SSO using SAML for PingFederate implementations (HTTP required)
Pre-installation steps for SSO
Before you begin, you must perform the Pre-installation steps for Single sign-on (SSO).
Collect configuration parameters
Determine the actual values for the following items; these will be used as replacement parameters during configuration.
Ensure that the SAML_Identity_Provider is in the Intranet zone of the end user's browser.
| Parameter | Description |
| --- | --- |
| Enterprise_URI | The domain identifier that you use for Changepoint, for example: |
| Enterprise_Path | The location of the web application files. Default: <cp_root>\Enterprise\ |
| ReportDesigner_URI | The domain identifier that you use for Report Designer, e.g.: |
| ReportDesigner_Path | The location of the Report Designer web application files. Default: <cp_root>\ReportDesigner\ |
| Changepoint_RSA_ | The name of the certificate that you use for cookie encryption. Default: "CN=ChangepointCookieCertificate" |
| Enterprise_Signing | The name of the certificate that you use for signing messages. Default: "CN=ChangepointSigningCertificate" |
| Enterprise_Signing | The thumbprint of the certificate that you use for signing messages. Default: "78794E4FF1BB0F5D9A53DC7B8C0B799A1FBC1BB5" |
| SAML_Identity_Provider | The SAML Identity Provider URI, for example: https://pingfederateserver/idp/SSO.saml2 |
| SAML_Identity_Provider_Type | The type of the SAML Identity Provider: PingFederate. |
| SAML_Issuer | The SAML Issuer required by the IDP. Leave blank. |
| SAML_Identity_Provider_Signing_Key | The SAML Identity Provider Signing Key required by the IDP. Leave blank. |
| ClaimType | The SSO Claim Type. Default: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn |
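The cookie-encryption and signing certificate parameters above are easy to get wrong: the thumbprint you paste must identify exactly one certificate, and the signing certificate must carry a private key that the web server can use. The following PowerShell snippet is an added example, not part of the Changepoint documentation; it assumes the certificates are installed in the LocalMachine\My store under the default subject names listed in the table (replace those if your names differ) and reports the thumbprint and a status for each.

```powershell
# Added example (not from the Changepoint documentation): resolve the
# certificates named in the parameter table and print the values that the
# configuration scripts will ask for, flagging common problems.
# Assumption: certificates are in Cert:\LocalMachine\My under the default
# subject names shown in the table.
$subjects = [ordered]@{
    'Changepoint_RSA (cookie encryption)'  = 'CN=ChangepointCookieCertificate'
    'Enterprise_Signing (message signing)' = 'CN=ChangepointSigningCertificate'
}

foreach ($entry in $subjects.GetEnumerator()) {
    $certs = @(Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $entry.Value })

    if ($certs.Count -eq 0) {
        Write-Warning "$($entry.Key): no certificate with subject '$($entry.Value)' in LocalMachine\My"
        continue
    }
    if ($certs.Count -gt 1) {
        # The thumbprint parameter must identify a single certificate; several
        # with the same subject usually means an old one was never removed.
        Write-Warning "$($entry.Key): $($certs.Count) certificates share subject '$($entry.Value)'; pick the thumbprint of the one you intend to use"
    }

    foreach ($cert in $certs) {
        $status = if ($cert.NotAfter -lt (Get-Date)) {
            'EXPIRED'
        } elseif (-not $cert.HasPrivateKey) {
            # Signing and cookie decryption both need the private key on this host.
            'NO PRIVATE KEY'
        } else {
            'OK'
        }

        [pscustomobject]@{
            Parameter  = $entry.Key
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Status     = $status
        }
    }
}
```

Run it in an elevated PowerShell prompt on the web server; the Thumbprint column is the value to supply for the signing-certificate thumbprint parameter, and any row whose Status is not OK should be resolved before running the configuration scripts.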
Create application
- In IIS, under Enterprise, convert the RP-STS_SAML folder to an application:
- Alias name: RP-STS_SAML
- Physical path: \<cp_root>\Enterprise\RP-STS_SAML
- Authentication: Anonymous and Forms Authentication
- Application pool: Application Pool
- Add Default.aspx to the Default Documents for the application.
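The same application can be created from PowerShell with the WebAdministration module, which makes the settings repeatable and reviewable. This is an added example, not part of the Changepoint documentation: it assumes "Enterprise" is the name of the IIS site, that <cp_root> is C:\Changepoint, and that the application pool named "Application Pool" already exists; replace those values with your own.

```powershell
# Added example (not from the Changepoint documentation): create the
# RP-STS_SAML application with the settings listed in the steps above.
# Assumptions: the IIS site is named "Enterprise", <cp_root> is
# C:\Changepoint, and the application pool "Application Pool" exists.
Import-Module WebAdministration

$site    = 'Enterprise'
$cpRoot  = 'C:\Changepoint'   # assumed <cp_root>; replace with your value
$appName = 'RP-STS_SAML'
$appPool = 'Application Pool'
$physicalPath = Join-Path $cpRoot 'Enterprise\RP-STS_SAML'
$iisPath      = "IIS:\Sites\$site\$appName"

# Fail early rather than creating an application that points at nothing.
if (-not (Test-Path $physicalPath))           { throw "Physical path not found: $physicalPath" }
if (-not (Test-Path "IIS:\AppPools\$appPool")) { throw "Application pool not found: $appPool" }

# Convert the folder to an application (idempotent: skip if it already exists).
if (-not (Get-WebApplication -Site $site -Name $appName)) {
    New-WebApplication -Site $site -Name $appName `
        -PhysicalPath $physicalPath -ApplicationPool $appPool | Out-Null
}

# Authentication: Anonymous and Forms only. The IIS-level modules are locked
# in applicationHost.config, so they are set via -Location; Forms is the
# ASP.NET mode in system.web.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$site/$appName" `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$site/$appName" `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $iisPath `
    -Filter 'system.web/authentication' -Name mode -Value 'Forms'

# Add Default.aspx to the default documents unless it is already listed.
$defaultDocs = Get-WebConfigurationProperty -PSPath $iisPath `
    -Filter 'system.webServer/defaultDocument/files' -Name Collection
if (-not ($defaultDocs | Where-Object { $_.value -eq 'Default.aspx' })) {
    Add-WebConfigurationProperty -PSPath $iisPath `
        -Filter 'system.webServer/defaultDocument/files' -Name Collection `
        -Value @{ value = 'Default.aspx' }
}

# Show the result so the settings can be checked against the steps above.
Get-WebApplication -Site $site -Name $appName |
    Format-List path, physicalPath, applicationPool
```

Run it from an elevated prompt on the web server. Windows authentication is switched off explicitly so that only the two listed methods remain enabled; if your server uses a different set of authentication modules, adjust that line accordingly.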
Execute configuration scripts
- Using the information collected in the Collect configuration parameters stage, modify the configuration of the websites.
- Open a PowerShell prompt.
Note: If the server has User Account Control enabled, you must open the PowerShell prompt using elevated administrator permissions.
- Navigate to the configuration directory, default:
<cp_common>\Configuration\Enterprise
- Execute:
./Configuration_SSO_SAML.ps1
- Follow the prompts.
- Navigate to the Report Designer configuration directory, default:
<cp_common>\ReportDesigner\Configuration
- Execute:
./Configuration_SSO_SAML.ps1
- Follow the prompts.
Create relying party trust
Create the SP Connection (relying party trust) from the PingFederate Admin Console:
- Log in to the PingFederate Admin Console, e.g.
- In the SP Connections group, click Create New.
- Select Do not use a template for this connection, then click Next.
- Select Browser SSO Profiles > SAML 2.0 protocol, then click Next.
- Select Browser SSO, then click Next, Next.
- Enter Partner's Entity ID:
https://Enterprise_URI/RP-STS_SAML/
Replace Enterprise_URI with the domain identifier that you use for Changepoint.
- Enter Connection Name:
"RP-STS_SAML"
then click Next.
- Click Configure Browser SSO.
- Select SP-Initiated SSO, then click Next, Next.
- Select Configure Assertion Creation.
- Select Standard, then click Next.
- Select Subject Name Format:
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
then click Next.
- Select Map New Adapter Instance.
- Select the Adapter Instance (this is configured by the system administrator and not included in these instructions) e.g. "LDAPIdP", then click Next, Next.
- Select Source - "Adapter".
- Select Value - "username", then click Next, Done, Next, Done, Next.
Note: The value that you select depends on the Adapter that the system administrator has set up. Typically the value is Username or Subject.
- Select Configure Protocol Settings.
- Select Default - "default".
- Select Binding - "POST".
- Enter Endpoint URL.
https://Enterprise_URI/RP-STS_SAML/S...erService.aspx
then click Add.
Replace Enterprise_URI with the domain identifier that you use for Changepoint.
- Click Next.
- Select "POST", then click Next.
- Select Always sign the SAML Assertion, then click Next.
- Select None, then Next, Done, Next, Done, Next.
- Select Configure Credentials.
- Select a certificate to digitally sign SAML messages or security tokens.
- Select Include the certificate in the signature <KeyInfo> element.
- Click Next, Done, Next.
- Select Connection Status - "Active".
- Click Save.
Encrypt messages from identity provider (optional)
- Determine the actual values for the following items, which will be used as replacement parameters during configuration:
Enterprise_EncryptingCertificate_Name: The certificate that you use for signing messages. Default: the "CN=ChangepointSigningCertificate" Certificate
- Modify \RP-STS_SAML\Web.config.
Replace Enterprise_EncryptingCertificate_Name with the actual value.
- Modify the SP Connection (Relying Party Trust) that you created earlier from the PingFederate Admin Console.
- Copy ChangepointSigningCertificate.cer from the configuration directory of to a local folder on the SAML Provider Server.
- Log in to the PingFederate Admin Console, e.g.,
- Select the SP Connection that you created earlier.
- Select Encryption Policy.
- Select The entire assertion, then click Done, Done, Save.
- Select "Configure Credentials".
- Select "Manage Certificates".
- Select "Import".
- Browse to the location of the certificate that you copied above, and then click Next.
- Select "Make this the active certificate" and click Done, Done, Done, Save.