Planview Customer Success Center

Installing SSO using SAML for PingFederate implementations (HTTP required)

Pre-installation steps for SSO

Before you begin, you must perform the Pre-installation steps for Single sign-on (SSO).

Collect configuration parameters

Determine the actual values for the following items; these will be used as replacement parameters during configuration.

Ensure that the SAML_Identity_Provider is in the Intranet zone of the end user's browser.

Parameter / Description

Enterprise_URI
  The domain identifier that you use for Changepoint, for example: https://changepoint.abc.corp

Enterprise_Path
  The location of the web application files. Default: <cp_root>\Enterprise\

ReportDesigner_URI
  The domain identifier that you use for Report Designer, for example: https://reportdesigner.abc.corp

ReportDesigner_Path
  The location of the Report Designer web application files. Default: <cp_root>\ReportDesigner\

Changepoint_RSA_Cookie_Transform
  The name of the certificate that you use for cookie encryption. Default: "CN=ChangepointCookieCertificate"

Enterprise_SigningCertificate_Name
  The name of the certificate that you use for signing messages. Default: "CN=ChangepointSigningCertificate"

Enterprise_SigningCertificate_Thumbprint
  The thumbprint of the certificate that you use for signing messages. Default: "78794E4FF1BB0F5D9A53DC7B8C0B799A1FBC1BB5"

SAML_Identity_Provider
  The SAML Identity Provider URI, for example: https://pingfederateserver/idp/SSO.saml2

SAML_Identity_Provider_Type
  The type of the SAML Identity Provider: PingFederate.

SAML_Issuer
  The SAML Issuer required by the IDP. Leave blank.

SAML_Identity_Provider_Signing_Key
  The SAML Identity Provider Signing Key required by the IDP. Leave blank.

ClaimType
  The SSO Claim Type. Default: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
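The configuration script binds the signing and cookie certificates by the names and thumbprint collected above, so a missing private key, a thumbprint with stray characters, or an expired certificate will only surface as a failed login later. The following PowerShell check is an added example, not part of the Planview article or the Configuration_SSO_SAML.ps1 script; it assumes the certificates live in the LocalMachine\My store and uses the article's default subject names and thumbprint as placeholders.

```powershell
# Added example (not from the Planview article): confirm the certificates named in the
# configuration parameters are usable before running Configuration_SSO_SAML.ps1.
# Values below are the article's defaults; replace them with the ones you collected.
$signingThumbprint = '78794E4FF1BB0F5D9A53DC7B8C0B799A1FBC1BB5'   # Enterprise_SigningCertificate_Thumbprint
$signingSubject    = 'CN=ChangepointSigningCertificate'            # Enterprise_SigningCertificate_Name
$cookieSubject     = 'CN=ChangepointCookieCertificate'             # Changepoint_RSA_Cookie_Transform

function Test-SsoCertificate {
    param(
        [Parameter(Mandatory)] [string] $Subject,
        [string] $Thumbprint,
        [string] $StorePath = 'Cert:\LocalMachine\My'   # assumed store; adjust if yours differs
    )
    # Thumbprints copied from the certificate dialog often carry spaces or invisible
    # characters; normalise to bare upper-case hex so the comparison cannot silently fail.
    $normalized = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($Thumbprint -and $normalized.Length -ne 40) {
        Write-Warning "Thumbprint '$Thumbprint' is not 40 hex characters after cleanup."
    }

    $certs = Get-ChildItem -Path $StorePath | Where-Object { $_.Subject -like "*$Subject*" }
    if ($normalized) { $certs = $certs | Where-Object { $_.Thumbprint -eq $normalized } }

    if (-not $certs) {
        $what = "subject '$Subject'"
        if ($normalized) { $what += " and thumbprint $normalized" }
        Write-Warning "No certificate with $what found in $StorePath."
        return $false
    }

    $ok = $true
    foreach ($cert in $certs) {
        # Both signing and cookie encryption need the private key on this server.
        if (-not $cert.HasPrivateKey) {
            Write-Warning "$($cert.Subject): private key is not present."; $ok = $false
        }
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
            Write-Warning "$($cert.Subject): expires on $($cert.NotAfter)."; $ok = $false
        }
    }
    return $ok
}

$results = @(
    Test-SsoCertificate -Subject $signingSubject -Thumbprint $signingThumbprint
    Test-SsoCertificate -Subject $cookieSubject
)
if ($results -contains $false) {
    Write-Error 'Resolve the certificate warnings above before running Configuration_SSO_SAML.ps1.'
} else {
    'Certificates found, private keys present, nothing expiring within 30 days.'
}
```

Run it from the same elevated PowerShell prompt you will use for the configuration scripts, since the LocalMachine store and private keys are only readable with administrator rights.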

Create application

  1. In IIS, under Enterprise, convert the RP-STS_SAML folder to an application:
    • Alias name: RP-STS_SAML
    • Physical path: \<cp_root>\Enterprise\RP-STS_SAML
    • Authentication: Anonymous and Forms Authentication
    • Application pool: Application Pool
  2. Add Default.aspx to the Default Documents for the application.
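The same application can be created from PowerShell with the WebAdministration module that ships with IIS, which makes the settings above repeatable and easy to diff between servers. This is an added example, not from the Planview article; it assumes the Changepoint site is the IIS site named "Enterprise" and that <cp_root> is C:\Changepoint, so change both to match your installation.

```powershell
# Added example (not from the Planview article): convert the RP-STS_SAML folder into an IIS
# application with the alias, path, authentication and pool listed above.
Import-Module WebAdministration

$siteName = 'Enterprise'        # assumed IIS site name for the Changepoint web application
$cpRoot   = 'C:\Changepoint'    # assumed value of <cp_root>
$appName  = 'RP-STS_SAML'
$appPath  = Join-Path $cpRoot 'Enterprise\RP-STS_SAML'
$appPool  = 'Application Pool'
$iisPath  = "IIS:\Sites\$siteName\$appName"

if (-not (Test-Path $appPath)) { throw "Physical path $appPath does not exist; check <cp_root>." }

# Convert the folder to an application; skip if a previous run already did it.
if (-not (Get-WebApplication -Site $siteName -Name $appName)) {
    New-WebApplication -Site $siteName -Name $appName -PhysicalPath $appPath -ApplicationPool $appPool | Out-Null
}

# Authentication: Anonymous at the IIS level, Forms as the ASP.NET authentication mode.
Set-WebConfigurationProperty -PSPath $iisPath -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $iisPath -Filter 'system.web/authentication' -Name mode -Value 'Forms'

# Add Default.aspx to the application's default documents if it is not listed yet.
$docs = Get-WebConfigurationProperty -PSPath $iisPath -Filter 'system.webServer/defaultDocument/files' -Name Collection
if ($docs.value -notcontains 'Default.aspx') {
    Add-WebConfigurationProperty -PSPath $iisPath -Filter 'system.webServer/defaultDocument/files' -Name Collection -Value @{ value = 'Default.aspx' }
}

# Read the result back so it can be compared with the settings in the list above.
Get-WebApplication -Site $siteName -Name $appName | Select-Object Path, PhysicalPath, ApplicationPool
Get-WebConfigurationProperty -PSPath $iisPath -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled
```

The anonymousAuthentication section is written to applicationHost.config under a location element for the application, which is why the -PSPath form is used rather than editing the application's own Web.config.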

Execute configuration scripts

  1. Using the information collected in stage 1 (Collect configuration parameters), modify the configuration of the websites.
  2. Open a PowerShell prompt.

    Note: If the server has User Account Control enabled, you must open the PowerShell prompt using elevated administrator permissions.

  3. Navigate to the configuration directory, default:

    <cp_common>\Configuration\Enterprise

  4. Execute:

    ./Configuration_SSO_SAML.ps1

  5. Follow the prompts.
  6. Navigate to the Report Designer configuration directory, default:

    <cp_common>\ReportDesigner\Configuration

  7. Execute:

    ./Configuration_SSO_SAML.ps1

  8. Follow the prompts.

Create relying party trust

Create the SP Connection (relying party trust) from the PingFederate Admin Console:

  1. Log in to the PingFederate Admin Console, e.g.

    https://pingfederateserver/pingfederate/app

  2. In the SP Connections group, click Create New.
  3. Select Do not use a template for this connection, then click Next.
  4. Select Browser SSO Profiles > SAML 2.0 protocol, then click Next.
  5. Select Browser SSO, then click Next, Next.
  6. Enter Partner's Entity ID:

    https://Enterprise_URI/RP-STS_SAML/

    Replace Enterprise_URI with the domain identifier that you use for Changepoint.

  7. Enter Connection Name:

    "RP-STS_SAML"

    then click Next.

  8. Click Configure Browser SSO.
  9. Select SP-Initiated SSO, then click Next, Next.
  10. Select Configure Assertion Creation.
  11. Select Standard, then click Next.
  12. Select Subject Name Format:

    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

    then click Next.

  13. Select Map New Adapter Instance.
  14. Select the Adapter Instance (this is configured by the system administrator and not included in these instructions) e.g. "LDAPIdP", then click Next, Next.
  15. Select Source - "Adapter".
  16. Select Value - "username", then click Next, Done, Next, Done, Next.

    Note: The value that you select depends on the Adapter that the system administrator has set up. Typically the value is Username or Subject.

  17. Select Configure Protocol Settings.
  18. Select Default - "default".
  19. Select Binding - "POST".
  20. Enter Endpoint URL.

    https://Enterprise_URI/RP-STS_SAML/S...erService.aspx

    then click Add.

    Replace Enterprise_URI with the domain identifier that you use for Changepoint.

  21. Click Next.
  22. Select "POST", then click Next.
  23. Select Always sign the SAML Assertion, then click Next.
  24. Select None, then Next, Done, Next, Done, Next.
  25. Select Configure Credentials.
  26. Select a certificate to digitally sign SAML messages or security tokens.
  27. Select Include the certificate in the signature <KeyInfo> element.
  28. Click Next, Done, Next.
  29. Select Connection Status - "Active".
  30. Click Save.
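When a login fails after the SP Connection is saved, the quickest way to see which of the settings above PingFederate is actually applying is to decode the SAMLResponse form field that the browser POSTs to the RP-STS_SAML endpoint and inspect it. The script below is an added example, not from the Planview article or PingFederate; the SAML response it parses is constructed inline for illustration, and the entity ID uses the article's example host. It checks the shape of the assertion only (signature element present, certificate in KeyInfo, NameID format, audience); cryptographic verification of the signature remains the job of the RP-STS_SAML application itself.

```powershell
# Added example (not from the Planview article): decode a captured SAMLResponse and check the
# properties required by SP Connection steps 6, 12, 23 and 27 above.
$entityId = 'https://changepoint.abc.corp/RP-STS_SAML/'   # Partner's Entity ID, article's example host

# Constructed sample assertion; a real value comes from the SAMLResponse POST field.
$sampleXml = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://pingfederateserver/idp</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://pingfederateserver/idp</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo/>
      <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@abc.corp</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>https://changepoint.abc.corp/RP-STS_SAML/</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
'@
$samlResponseField = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleXml))

function Test-SamlResponseShape {
    param(
        [Parameter(Mandatory)] [string] $Base64Response,
        [Parameter(Mandatory)] [string] $ExpectedAudience
    )
    [xml] $doc = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Base64Response))
    $ns = New-Object Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',    'http://www.w3.org/2000/09/xmldsig#')

    $assertion = $doc.SelectSingleNode('/samlp:Response/saml:Assertion', $ns)
    if (-not $assertion) {
        # Either the optional encryption policy is on (EncryptedAssertion) or this is not a SAML 2.0 Response.
        Write-Host 'FAIL  no plaintext Assertion found (encrypted, or not a SAML 2.0 Response)'
        return @{ Ok = $false }
    }

    $nameId   = $assertion.SelectSingleNode('saml:Subject/saml:NameID', $ns)
    $audience = $assertion.SelectSingleNode('saml:Conditions/saml:AudienceRestriction/saml:Audience', $ns)
    $checks = [ordered]@{
        'Assertion is signed (step 23)'           = [bool] $assertion.SelectSingleNode('ds:Signature', $ns)
        'Certificate in KeyInfo (step 27)'        = [bool] $assertion.SelectSingleNode('ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)
        'NameID format is emailAddress (step 12)' = ($null -ne $nameId -and $nameId.Format -eq 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress')
        "Audience is $ExpectedAudience (step 6)"  = ($null -ne $audience -and $audience.InnerText -eq $ExpectedAudience)
    }
    foreach ($name in $checks.Keys) {
        $tag = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        Write-Host "$tag  $name"
    }
    return @{ Ok = ($checks.Values -notcontains $false); Checks = $checks }
}

$result = Test-SamlResponseShape -Base64Response $samlResponseField -ExpectedAudience $entityId
if ($result.Ok) { 'Response matches the SP Connection settings.' } else { 'Response does not match; compare the FAIL lines with the steps above.' }
```

To use it on a live login, copy the SAMLResponse value from the browser's network tools (it is already base64) into $samlResponseField in place of the constructed sample. A FAIL on the first check after enabling the optional encryption policy in the next section is expected, because the assertion is then carried inside an EncryptedAssertion element instead.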

Encrypt messages from identity provider (optional)

  1. Determine the actual values for the following items, which will be used as replacement parameters during configuration:

    Enterprise_EncryptingCertificate_Name: The certificate that you use for signing messages. Default: the "CN=ChangepointSigningCertificate" Certificate

  2. Modify \RP-STS_SAML\Web.config.

    Replace Enterprise_EncryptingCertificate_Name with the actual value.

  3. Modify the SP Connection (Relying Party Trust) that you created earlier from the PingFederate Admin Console.
    1. Copy ChangepointSigningCertificate.cer from the configuration directory to a local folder on the SAML Provider Server.
    2. Log in to the PingFederate Admin Console, e.g.,

      https://pingfederateserver/pingfederate/app

    3. Select the SP Connection that you created earlier.
    4. Select Encryption Policy.
    5. Select The entire assertion, then click Done, Done, Save.
    6. Select "Configure Credentials".
    7. Select "Manage Certificates".
    8. Select "Import".
    9. Browse to the location of the certificate that you copied above, and then click Next.
    10. Select "Make this the active certificate" and click Done, Done, Done, Save.