
# Integrating with Ping Federate


## Introduction

Integrating PingFederate Single Sign-On (SSO) is a quick and easy process.

If you would like to integrate using the FrameAPP API, much of this is the same, but you will want to talk to your Frame Account Manager to discuss integration options.

There are four things we are going to cut and paste from one system to the other.

+ The Frame **Custom Authentication Name**. This is a name you pick when you create the custom authentication (see below).
+ The Frame **Team URL** for the Frame account you want users to access.
+ The PingFederate **Federation Metadata Document URL**. This is a URL where PingFederate keeps the SAML Metadata for your account.

Following the steps below, you can find these values and copy them from PingFederate to Frame and from Frame to PingFederate. This process should take less than fifteen minutes.

First, make sure that you have a Platform Ultimate, sometimes called a "Super Admin," account with Custom Authentication enabled. When this is enabled, you should see the "Custom Authentications" section in the Account menu for your Platform Ultimate account. If it is not enabled or if you aren't sure, contact your Frame Account Manager and ask about Custom Authentication.

## Step 1: Create the Custom Authentication

![1.png](https://files.readme.io/e00a8eb-1.png)

You will find the Custom Authentications option under the Account Menu for your Platform Ultimate account.

![2.png](https://files.readme.io/5f71b76-2.png)

The section you want is near the bottom of the page. Click "Add New".

![3.png](https://files.readme.io/e18f049-3.png)

Create a unique Custom Authentication name. The name should be something no one else will use, and it should be a valid hostname.
This means it should be lower case and contain only letters, numbers, and the dash symbol; no spaces or punctuation are allowed. Select the account or accounts where users from this directory should be able to log in.

The Entity ID will default to https://img.mainframe2.com if left blank, but can be set to any value required by your identity provider.

Check "Signed SAML2 Assertion".

Make sure "Signed SAML2 Response" is unchecked. If you want to use signed responses, Frame supports this feature, but you will have to enable encrypted responses in Ping to use it.

Click "Add".

![4.png](https://files.readme.io/cd0a2b1-4.png)

We will also want the Team URL from the account you want users to access. You can find the Team URL by impersonating the account and looking in the location bar of your browser. In this example the Team URL is https://bill-2017-05-10-1.fra.me

That's all we need from Frame. Now let's gather what we need from PingFederate.

## Step 2: Set Up PingFederate

### Creating a service provider connection

Under **SP Connections**, click the **Create New** button.

![5.png](https://files.readme.io/1e84576-5.png)

Select the **Browser SSO Profiles** connection template on the **Connection Type** tab and click **Next**.

![6.png](https://files.readme.io/77746b2-6.png)

Select **Browser SSO** on the **Connection Options** tab and click **Next**.

![7.png](https://files.readme.io/c965f5c-7.png)

Select **URL** as the method for importing metadata and enter the Frame Metadata URL in the **NEW URL** field. Click **Load Metadata** to test the metadata import. Click **Next**.
![8.png](https://files.readme.io/d451237-8.png)

This example shows an img-development.fra.me URL. Your URL will look like img.mainframe2.com/metadata/[Custom Authentication Name]/, e.g. https://img.mainframe2.com/metadata/mycompany-saml2/

Review the information on the **Metadata Summary** tab and click **Next**.

Ensure that the **Partner's Entity ID**, **Connection Name**, and **Base URL** fields are pre-populated based on the metadata. Click **Next**.

![9.png](https://files.readme.io/31178e8-9.png)

Your information will be different, but all of the same fields should be populated.

Click **Configure Browser SSO** on the **Browser SSO** tab.

Select the **SP-Initiated SSO** and **SP-Initiated SLO** options on the **SAML Profiles** tab and click **Next**.

![10.png](https://files.readme.io/ea4af1f-10.png)

Frame Custom Authentications only support SP-Initiated SSO by default. If you require IdP-initiated SSO, please contact your Frame account manager or support@fra.me and request a meeting with a Solution Architect for Authentication.

Enter your desired assertion validity time on the **Assertion Lifetime** tab and click **Next**.

![11.png](https://files.readme.io/5a728c8-11.png)

Click **Configure Assertion Creation** on the **Assertion Creation** tab.

![12.png](https://files.readme.io/0eaa5a3-12.png)

Choose the **PSEUDONYM** option and check **INCLUDE ATTRIBUTE IN ADDITION TO PSEUDONYM** on the **Identity Mapping** tab and click **Next**.
![13.png](https://files.readme.io/9c4bb0d-13.png)

The pseudonym option is necessary here to support persistent NameIDs. Without persistent NameIDs, each time a user authenticates, Frame will create a new user account. This can cause issues with, for instance, persistent user profiles.

Add the additional attributes givenName, sn and mail on the **Attribute Contract** tab and click **Next**.

![14.png](https://files.readme.io/0ba4d19-14.png)

Note that these names must be exactly as shown:

+ givenName
+ mail
+ sn

Click **Map New Adapter Instance** on the **Authentication Source Mapping** tab.

![15.png](https://files.readme.io/880e865-15.png)

Select an **Adapter Instance** and click **Next**.

![16.png](https://files.readme.io/be79dc3-16.png)

Note that this is just an example that was already configured in this Ping instance. Create a Ping adapter that is appropriate for your directory. Creating Ping adapters is beyond the scope of this document. Please see the [Ping Federate Documentation](https://docs.pingidentity.com/bundle/pfiwa31_sm_IWAIntegrationKit/page/pfiwa31_t_ConfigureAdapterInPingFederate.html) for more information.

Select the **Use only the adapter contract values in the SAML assertion** option on the **Mapping Method** tab and click **Next**.

![17.png](https://files.readme.io/859b9a6-17.png)

Here we are using only the Adapter Contract Values in the SAML Assertion. This is only an example and you may use another approach depending on what works best for your requirements.
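The PSEUDONYM identity mapping, the attribute contract above and the signed-assertion choice from Step 1 all end up in the SAMLResponse that PingFederate posts to Frame, so decoding one from a test login is the fastest way to confirm the connection is producing what Frame expects. The Python script below is an added example, not Frame or PingFederate code: it takes the base64 `SAMLResponse` form value, reports the NameID format, the attribute names, which element carries the signature, the validity window and the `Destination`, and lists anything that disagrees with this guide. It inspects structure only and does not verify the signature cryptographically; the sample response, the `ping.example.internal` issuer and the user values are constructed for illustration.

```python
"""Decode a SAMLResponse and report whether it matches the settings this guide asks for.
Added example, not Frame or PingFederate code; structural checks only, no signature verification."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
REQUIRED_ATTRIBUTES = {"givenName", "sn", "mail"}  # exact, case-sensitive names from the guide

# Constructed sample: signed assertion (response unsigned), persistent NameID, the three attributes.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2017-09-08T22:00:00Z"
    Destination="https://img.mainframe2.com/saml2/done/mycompany-saml2">
  <saml:Issuer>https://ping.example.internal:9031/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assn1" Version="2.0" IssueInstant="2017-09-08T22:00:00Z">
    <saml:Issuer>https://ping.example.internal:9031/idp</saml:Issuer>
    <ds:Signature><ds:SignatureValue>placeholder-not-a-real-signature</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">pseudonym-0f3a9c</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-09-08T21:59:00Z" NotOnOrAfter="2017-09-08T22:05:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Bill</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="sn"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>bill@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_response(xml_text):
    """The HTTP-POST binding carries the Response as base64 in the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def _ts(value):
    """Parse a SAML UTC timestamp such as 2017-09-08T22:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def inspect_saml_response(saml_response_b64, expected_acs_url):
    """Return a report dict; report['problems'] lists everything that disagrees with the guide."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    report = {"destination": root.get("Destination"),
              "response_signed": root.find("ds:Signature", NS) is not None,
              "assertion_signed": False, "nameid_format": None,
              "attributes": {}, "lifetime_seconds": None, "problems": []}
    problems = report["problems"]
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if report["destination"] != expected_acs_url:
        problems.append(f"Destination {report['destination']!r} is not the ACS URL {expected_acs_url!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        encrypted = root.find("saml:EncryptedAssertion", NS) is not None
        problems.append("assertion is encrypted; decrypt it before inspecting" if encrypted
                        else "no Assertion in Response")
        return report
    report["assertion_signed"] = assertion.find("ds:Signature", NS) is not None
    if report["assertion_signed"] and report["response_signed"]:
        problems.append("both Response and Assertion are signed; Frame accepts one or the other "
                        "unless encryption is enabled")
    if not (report["assertion_signed"] or report["response_signed"]):
        problems.append("neither Response nor Assertion is signed")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    report["nameid_format"] = None if name_id is None else name_id.get("Format")
    if report["nameid_format"] != PERSISTENT:
        problems.append("NameID is not persistent; Frame would create a new user on every login")
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        report["attributes"][attr.get("Name")] = values[0] if len(values) == 1 else values
    missing = REQUIRED_ATTRIBUTES - set(report["attributes"])
    if missing:
        problems.append(f"missing attributes (names are case-sensitive): {sorted(missing)}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"):
        window = _ts(cond.get("NotOnOrAfter")) - _ts(cond.get("NotBefore"))
        report["lifetime_seconds"] = int(window.total_seconds())
    return report


if __name__ == "__main__":
    acs = "https://img.mainframe2.com/saml2/done/mycompany-saml2"
    for key, value in inspect_saml_response(encode_response(SAMPLE_RESPONSE_XML), acs).items():
        print(f"{key:18} {value}")
```

To use it on a real login, copy the `SAMLResponse` value from the browser's developer tools on the POST to the Frame ACS URL and pass it to `inspect_saml_response` together with your own ACS URL; a reported `lifetime_seconds` much larger than the value chosen on the Assertion Lifetime tab, or an attribute name in the wrong case, is the kind of mismatch that is otherwise hard to see in the PingFederate UI.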
If you need Frame to recognize other attributes, please contact your Account Manager or support@fra.me to request a meeting with a Solution Architect for Authentication.

Select your adapter instance as the **Source** and the appropriate values as the **Value** for the additional attributes on the **Attribute Contract Fulfillment** tab and click **Next**.

![18.png](https://files.readme.io/b61d53c-18.png)

(Optional) Select any authorization conditions you would like on the **Issuance Criteria** tab and click **Next**.
Click **Done** on the **Summary** tab.
Click **Next** on the **Authentication Source Mapping** tab.
Click **Done** on the **Summary** tab.
Click **Next** on the **Assertion Creation** tab.
Click **Configure Protocol Settings** on the **Protocol Settings** tab.

![19.png](https://files.readme.io/bc0c819-19.png)

Select **POST** for **Binding** and specify the single sign-on endpoint URL in the **Endpoint URL** field on the **Assertion Consumer Service URL** tab. Click **Next**.

![20.png](https://files.readme.io/c6ebbf6-20.png)

Note that the SSO Endpoint URL will be in the form https://img.mainframe2.com/saml2/done/[Custom Authentication Name]. For our example this will look like https://img.mainframe2.com/saml2/done/mycompany-saml2

Select **Redirect** for **Binding** and specify the single logout endpoint URL in the **Endpoint URL** field on the **SLO Service URLs** tab. Click **Next**.

![21.png](https://files.readme.io/39c40de-21.png)

Note that the SLO Endpoint URL will be in the form https://img.mainframe2.com/saml2/slo/[Custom Authentication Name].
For our example this will look like https://img.mainframe2.com/saml2/slo/mycompany-saml2

Select **POST** and **Redirect** on the **Allowable SAML Bindings** tab and click **Next**.

![22.png](https://files.readme.io/2dab471-22.png)

Select your desired signature policies for assertions on the **Signature Policy** tab and click **Next**.

![23.png](https://files.readme.io/526184e-23.png)

Select your desired encryption policy for assertions on the **Encryption Policy** tab and click **Next**.

![24.png](https://files.readme.io/aebc096-24.png)

Click **Done** on the **Protocol Settings Summary** tab.
Click **Done** on the **Browser SSO Summary** tab.
Click **Configure Credentials** on the **Credentials** tab.
Select the **Signing Certificate** to use with the Single Sign-On service and select **Include the certificate in the signature element**. Click **Next**.

![25.png](https://files.readme.io/f725436-25.png)

Click **Manage Signature Verification Settings** on the **Signature Verification Settings** tab.

![26.png](https://files.readme.io/509b58d-26.png)

Select the **ANCHORED** Trust Model on the **Trust Model** tab. Click **Next**.

![27.png](https://files.readme.io/52a0f00-27.png)

The ANCHORED trust model will require a certificate signed by a recognized Certificate Authority (CA).

Select the certificate imported with the SP metadata on the **Signature Verification Certificate** tab. Click **Next**.
Click **Done** on the **Manage Signature Verification Settings Summary** tab.
Click **Done** on the **Configure Credentials Summary** tab.
Select **Active** for the **Connection Status** on the **Activation & Summary** tab and click **Save**.

![28.png](https://files.readme.io/499ca61-28.png)

## Step 3: Obtain Metadata Info

Now we need to share the information about this connection back to Frame. The way we do that is to copy a PingFederate metadata URL from PingFederate and paste it back into the Frame Custom Authentication.

### Create a metadata URL

Go to the **Server Configuration → Server Settings → Federation Info** screen.

![29.png](https://files.readme.io/7b131f1-29.png)

Copy the **Base URL** value.
Append the federation metadata endpoint (**/pf/federation_metadata.ping**) to the base URL.
Add a query parameter to identify your partner by its entity ID (**?PartnerSpId=partnerEntityId**). You can check the Entity ID by going to **IdP Configuration -> SP CONNECTIONS -> [SP Connection Name]**. On the **Activation & Summary** tab, check the **General Info** section and the **Partner's Entity ID (Connection ID)** field.
Example: **https://ec2-54-93-163-210.eu-central-1.compute.amazonaws.com:9031/pf/federation_metadata.ping?PartnerSpId=img-develop.fra.me**

## Step 4: Paste the Federation Metadata Document URL into the Frame Custom Authentication

Go back to Frame. Go to your Platform Ultimate Account menu.

![image12.png](https://files.readme.io/48efe0d-image12.png)

Edit the Custom Authentication you created earlier.

![31.png](https://files.readme.io/08c7f37-31.png)

Paste the Federation Metadata Document URL into the Customer Metadata URL field.
Note that we selected Signed SAML2 Assertion earlier, and either Signed SAML2 Assertion or Signed SAML2 Response may be selected, but not both, unless encryption is enabled in Ping Federate.

Click "Save Changes".

If your organization's network policies do not allow access to the Federation Metadata Document URL, we can also copy your Metadata Document manually. Please contact support@fra.me and provide the name of your Custom Authentication for help.

## Using the New Custom Authentication

Users will now be able to authenticate using the Sign-on URL

**https://img.mainframe2.com/login/?account_type=[CUSTOM_AUTHENTICATION_NAME]&return_url=https://[TEAM_URL].fra.me/custom_auth_return**

For our example this would be:

**https://img.mainframe2.com/login/?account_type=mycompany-saml2&return_url=https://bill-2017-05-10-1.fra.me/custom_auth_return**
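Every URL this guide has you copy is derived from the two values chosen on the Frame side, the Custom Authentication Name and the Team URL: the Frame metadata URL imported in Step 2, the ACS and SLO endpoints entered under Protocol Settings, and the Sign-on URL just shown, plus the PingFederate metadata URL assembled in Step 3 from the Base URL and the partner entity ID. The Python script below is an added example, not part of Frame's or PingFederate's tooling. It applies the hostname rule from Step 1 and assembles those URLs so none of them has to be retyped by hand; the function names are our own, `FRAME_IDP_BASE` is the host in the URL patterns quoted above, and the inputs are this guide's example name and Team URL.

```python
"""Validate a Frame Custom Authentication Name and derive the URLs this guide copies between
Frame and PingFederate.  Added example; URL patterns come from the guide, helper names are ours."""
import re
from urllib.parse import urlencode, urlsplit

FRAME_IDP_BASE = "https://img.mainframe2.com"  # host in every Frame URL quoted in the guide

# The guide requires a valid hostname: lower case letters, digits and dashes only.
# This is the DNS label rule (no leading or trailing dash, at most 63 characters).
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def validate_custom_auth_name(name):
    """Return a list of problems with the name; an empty list means it is acceptable."""
    if not name:
        return ["name is empty"]
    problems = []
    if name != name.lower():
        problems.append("must be lower case")
    if not _LABEL_RE.match(name.lower()):
        problems.append("only letters, digits and dashes are allowed, no leading or trailing dash, "
                        "at most 63 characters")
    return problems


def frame_urls(custom_auth_name, team_url):
    """Build the Frame-side URLs for one custom authentication from the name and the Team URL."""
    problems = validate_custom_auth_name(custom_auth_name)
    if problems:
        raise ValueError(f"invalid Custom Authentication Name {custom_auth_name!r}: " + "; ".join(problems))
    parts = urlsplit(team_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("Team URL must be an https:// URL as shown in the browser location bar")
    return_url = f"https://{parts.netloc}/custom_auth_return"
    # The guide shows return_url unescaped; safe=":/" keeps that form so the result can be
    # compared against the UI directly (the percent-encoded form is equivalent).
    login_query = urlencode({"account_type": custom_auth_name, "return_url": return_url}, safe=":/")
    return {
        "sp_metadata_url": f"{FRAME_IDP_BASE}/metadata/{custom_auth_name}/",  # imported into Ping in Step 2
        "acs_url": f"{FRAME_IDP_BASE}/saml2/done/{custom_auth_name}",  # Assertion Consumer Service, POST binding
        "slo_url": f"{FRAME_IDP_BASE}/saml2/slo/{custom_auth_name}",  # Single Logout, Redirect binding
        "login_url": f"{FRAME_IDP_BASE}/login/?{login_query}",  # the Sign-on URL handed to users
    }


def ping_federation_metadata_url(base_url, partner_entity_id):
    """Step 3: PingFederate Base URL + /pf/federation_metadata.ping + ?PartnerSpId=<partner entity ID>."""
    query = urlencode({"PartnerSpId": partner_entity_id})
    return f"{base_url.rstrip('/')}/pf/federation_metadata.ping?{query}"


if __name__ == "__main__":
    # Values taken from this guide's example
    for label, url in frame_urls("mycompany-saml2", "https://bill-2017-05-10-1.fra.me").items():
        print(f"{label:16} {url}")
    print(ping_federation_metadata_url(
        "https://ec2-54-93-163-210.eu-central-1.compute.amazonaws.com:9031", "img-develop.fra.me"))
```

Running it with your own name and Team URL gives the exact strings to paste into the NEW URL, Endpoint URL and Customer Metadata URL fields; a name that fails `validate_custom_auth_name` would also be rejected by Frame, since it has to be usable as a hostname.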