
Flexible Identity Federation Administration guide version 1.0.1

Publication history

Date        Description      Revision
2015.09.24  initial release  1.0.0
2015.12.11  minor updates    1.0.1

Copyright Orange Business Services 2 of 89

Welcome

Your company has chosen Flexible Identity Federation to protect online corporate identities and corporate data from unauthorized access. This guide provides:
- the Flexible Identity Federation administration guide
- the identity bridge, applications and basic SSO configuration guide
- the troubleshooting guide

Contents

1 About this document
  1.1 Prerequisites
  1.2 Purpose of this document
  1.3 Document convention
    1.3.1 Navigation toolbar
    1.3.2 The icons
  1.4 Terminology
    1.4.1 PingOne terms
    1.4.2 Orange Business Services terms
  1.5 Identity federation
2 Identity bridge
  2.1 Overview of identity bridges
  2.2 PingOne AD Connect
    2.2.1 PingOne AD Connect light
    2.2.2 PingOne AD Connect Full with IIS
    2.2.3 Provisioning with PingOne AD Connect
  2.3 PingOne Directory
    2.3.1 Processing steps for authentication
    2.3.2 Set PingOne Directory as Identity Bridge
    2.3.3 Modify the password policy for the PingOne Directory users
    2.3.4 Create users in PingOne Directory
    2.3.5 Delete a user from PingOne Directory
    2.3.6 Disable a user from PingOne Directory
    2.3.7 Modify a user
  2.4 3rd party SAML
    2.4.1 Processing steps for authentication
    2.4.2 Configuration of the 3rd party SAML IDP
    2.4.3 Set a 3rd party SAML IDP as Identity Bridge
  2.5 PingFederate
    2.5.1 Processing steps for authentication
    2.5.2 Configuration of PingFederate
  2.6 Google Apps for business
    2.6.1 Processing steps for authentication
    2.6.2 Authorization for PingOne
    2.6.3 Set Google Apps as an identity provider
3 Basic use
  3.1 Administrator connection to PingOne
  3.2 User connection to PingOne Dock
4 PingOne administration
  4.1 Create administrator accounts
  4.2 Give access to administration portal to users
    4.2.1 With PingOne Directory as an Identity Bridge
    4.2.2 With other Identity Bridges
  4.3 Access to the PingOne administration environment through the PingOne Dock (for users)
5 Service customization
  5.1 Customize the PingOne dock
  5.2 Customize the PingOne AD Connect Full with a specific IIS login page
    5.2.1 Preparing the customization archive
    5.2.2 Substitution template symbols and constructions per page
    5.2.3 Install the customization archive
6 Managing applications in PingOne
  6.1 Add an application
    6.1.1 Application from the PingOne Catalog
    6.1.2 SAML application
    6.1.3 Basic SSO application
  6.2 User management for applications
    6.2.1 Create groups in PingOne Directory
    6.2.2 Add a group in PingOne (except for PingOne Directory)
    6.2.3 Authorize group access to applications
7 PingOne Browser extension
  7.1 Manual setup of the PingOne Browser Extension
  7.2 Automatic installation through Windows GPO (on Windows domains only)
8 Enable IWA with browser clients (AD Connect)
  8.1 Enable IWA in the PingOne admin portal
  8.2 Enable IWA for Mozilla Firefox
  8.3 Enable IWA for Internet Explorer
  8.4 Enable IWA for Google Chrome
9 Reports
  9.1 Global reports
    9.1.1 Display the global reports
    9.1.2 Download the global reports
  9.2 Information logged by the Flexible Identity Federation service
    9.2.1 Federated SSO transaction
    9.2.2 Basic SSO transaction
10 Security
  10.1 IP addresses used by the PingOne services
  10.2 PingOne endpoints
11 Troubleshooting
  11.1 Authentication with PingOne AD Connect Full with IIS does not work
  11.2 Authentication with PingOne AD Connect does not work
  11.3 SAML assertion
  11.4 SAML tracer
  11.5 PingOne service IP address

1 About this document

1.1 Prerequisites

Your PingOne environment has been set up with the help of the Orange Business Services team. Your identity bridge is configured and allows your users to connect to one SaaS application.

This document is intended for readers who already have a comprehensive knowledge of identity federation in general and of the Flexible Identity Federation product. If this is not the case, we strongly recommend that you read the Flexible Identity Federation Quick start guide.

1.2 Purpose of this document

This document gives instructions for general use of the Flexible Identity Federation service environment, including how to add new applications and how to get the reporting logs.

1.3 Document convention

1.3.1 Navigation toolbar

1.3.1.1 Definition

Throughout this document, navigation toolbars show you which path you must follow to access each feature.

1.3.1.2 Format

A navigation toolbar is made of three fields, written as 1 > 2 > 3:

Field  Description             Supported values
1      Environment to use      PingOne Administrator Desktop, i.e. https://admin.pingone.com
                               PingOne Dock (for users), i.e. https://desktop.pingone.eu/yourdomain
2      Account banner options  Dashboard, Applications, Users, Setup, Account, Customers (only with an MSP account)
3                              Too many values to be listed here

1.3.2 The icons

The Alert icon is used to draw your attention to important information.

The Skip icon is used to draw your attention to chapter(s) to skip in certain circumstances.

1.4 Terminology

Several terms and their meaning are important in order to understand the information presented in this document.

1.4.1 PingOne terms

Ping Admin: web portal for Flexible Identity administrators.
PingOne Dock: web portal for users that presents their cloud applications. Formerly named PingOne Desktop.
Ping Backend: Ping's servers that perform backend tasks in the solution.
PingOne AD Connect Agent: lightweight agent used as an Identity Bridge to interact with the customer's Microsoft Active Directory domain.
Identity Bridge: component that enables the connection from the customer's corporate network to the PingOne services in the cloud.
Integrated Windows Authentication (IWA): authentication method on Windows clients and servers that does not prompt the user for their credentials. Instead it uses the current Windows logon session on the client computer.
PingOne CAS: name of the Ping Identity cloud solution. CAS stands for Cloud Access Service.
Cloud User Service: internal storage of identities for small companies.
Federated Application: application configured to be aware of federation protocols.
Cloud Application or SaaS Application: application hosted in the cloud, as opposed to an application hosted on the customer's premises. Can be a federated application or a legacy application using login/password as credentials.
Single Sign-On (SSO): property of logging in once and then having access to multiple resources without being prompted to log in again.
Single Log-Out (SLO): property of logging out once from one of the federated resources and being automatically disconnected from all the other federated resources.
Security Assertion Markup Language (SAML): XML-based open standard data format created to exchange authentication and authorization data between an identity provider and a service provider.

1.4.2 Orange Business Services terms

Managed Service Provider (MSP): Orange Business Services virtual service provider account created from the PingOne Service Provider level. This account is considered a Service Provider (SP) because it is the root of the FEDID accounts hierarchy. The related virtual server stores the Orange SP administrator accounts.

1.5 Identity federation

Before starting with the PingOne product, it is important to understand the identity federation concepts and to focus on the SAML standard, as it is the federation standard chosen by PingOne. Please refer to the Flexible Identity Federation Quick start guide for a better understanding of the solution and associated technologies.

2 Identity bridge

2.1 Overview of identity bridges

Identity bridges are used by PingOne to match the local user accounts of your identity repositories to your cloud user accounts. Select your identity bridge depending on the type of identity repository used by your organization. Your identity bridge was set up initially by the Orange Business Services team. As changing the type of the identity bridge has a considerable impact on your access to cloud applications, do not change your identity bridge without contacting the Orange Business Services team.

2.2 PingOne AD Connect

The PingOne AD Connect identity bridge allows you to use your corporate Active Directory as an identity repository, so your users use their corporate credentials to connect to their PingOne dock. Furthermore, with AD Connect you can enable Integrated Windows Authentication (IWA) to automatically authenticate user requests coming from your organization's network.

Two types of PingOne AD Connect are available:
- AD Connect light
- AD Connect Full with IIS

It is recommended to use AD Connect light as it is easy to install and manage. With AD Connect Full with IIS, a load balancing infrastructure and a Public Key Infrastructure are needed.

2.2.1 PingOne AD Connect light

2.2.1.1 Processing steps for user authentication without IWA

PingOne AD Connect light opens a secure outbound channel to the PingOne servers on port 443, and PingOne sends its authentication requests through this channel. If AD Connect does not open the secure channel, user authentication cannot be performed.

These are the processing steps for authentication with AD Connect when the user is outside their corporate network:

1) The user accesses the PingOne dock.
2) As the user is not authenticated, they are redirected through an HTTP redirect to the PingOne server (sso.connect.pingidentity.com).
3) The PingOne server provides a logon page and the user must enter their corporate credentials.
4) PingOne sends an authentication request to the first AD Connect instance available on your network. This request is sent through the secure channel (WebSocket over SSL on port 443).
5) AD Connect authenticates the user against the corporate Active Directory and retrieves the user attributes.
6) AD Connect returns an authentication response to the PingOne server containing the authentication assertion and any additional attributes. The response is sent through the secure channel.
7) The PingOne server redirects the user (with an HTTP redirect) to their PingOne dock with a token ID. This token ID is not a SAML assertion but a session ID.
8) The user gets access to their PingOne dock.

2.2.1.2 Processing steps for user authentication with IWA

Each user's initial SSO to the PingOne dock always uses the WebSocket back channel as described in 2.2.1.1, regardless of whether or not the user is located in your organization's network. To use Integrated Windows Authentication, the user must use a computer inside their corporate network and must have logged on to that computer with their corporate Active Directory credentials.

These are the processing steps for authentication with IWA:

1) The user accesses the PingOne dock.
2) As the user is not authenticated, they are redirected through an HTTP redirect to the PingOne server (sso.connect.pingidentity.com).
3) PingOne sends (through the user's browser) an authentication request to the first AD Connect light instance available on your network, with a unique authentication request ID. This request ID is encrypted with the public key of the AD Connect instance.
4) AD Connect uses the user's Kerberos ticket to authenticate the user.
5) AD Connect retrieves the user attributes from the Active Directory and creates an assertion containing the set of attributes for the user. This assertion is stored on the AD Connect host, keyed by the authentication request ID from step 3.
6) AD Connect performs a simple redirect sending the user back to PingOne without any data.
7) The client browser sends (over SSL) the cookie containing the authentication request ID to the PingOne server.
8) The PingOne server sends an assertion retrieval request to AD Connect using the WebSocket back channel and the authentication request ID.
9) AD Connect retrieves and then removes the in-memory assertion, and sends the response to PingOne as a signed token.
10) The PingOne server redirects the user (with an HTTP redirect) to their PingOne dock with a token ID. This token ID is not a SAML assertion but a session ID.
11) The user gets access to their PingOne dock.

2.2.1.3 Prerequisites

The platform must be one of the following:
- Microsoft Windows Server 2012 (IIS 8.0), 32-bit or 64-bit
- Microsoft Windows Server 2008 R2 (IIS 7.5), 32-bit or 64-bit
- Microsoft Windows Server 2008 (IIS 7.0), 32-bit or 64-bit

- Microsoft .NET Framework 4.0 must be installed. The framework installation file is packaged with the AD Connect distribution.
- The Windows Server host must be in an Active Directory domain but, for security reasons, must not be a domain controller (DC).
- Port 443 (HTTPS) must be open (outbound, for the secure channel to the PingOne servers).

2.2.1.4 Setting AD Connect as an identity repository

Do not change the type of your identity bridge, as you will lose access to your cloud applications.

PingOne Administration Desktop > Setup > Identity repository

Click on [Change User store type]. Read the warning and click on [I Understand] to remove the existing configuration. Select AD Connect in the list and then click on [Next]. Click on [Download AD Connect] to save the binary file for installation. Choose the product key in accordance with the message below and click on [Next].

Store your product key, as you will be asked for it during the installation of AD Connect. Store the Organization ID and go to the AD Connect installation in 2.2.1.5. Click on [Verify Installation] and then on [Next].

2.2.1.5 Installing the AD Connect binary

You must have administrator rights on the host. Unzip the downloaded package. Right-click on the file run-as-administrator.bat and click on [Run as administrator]. Click on [Yes]. Click on [Next].

Select the installation type [AD Connect]. Ping recommends using only one AD Connect with provisioning capabilities on each Active Directory domain to avoid provisioning issues. If it is the first AD Connect in your environment, check the box Enable user provisioning. Otherwise leave this box unchecked. Then click on [Next].

Enter your activation product and the product key and then click on [Activate]. Once AD Connect has been activated, click on [Next]. Choose where PingOne AD Connect will be installed by clicking on [Change]. Then click on [Next].

Click on [Install]. Wait until the end of the installation. Click on [Finish] to close the wizard.

Once installed, PingOne AD Connect light must be activated through the web interface.

PingOne Administration Desktop > Setup > Identity repository

Select PingOne AD Connect and then click on [Setup >]. Then click on [Verify Installation]. Check the box Enable IWA if you want to enable Integrated Windows Authentication for your users. If you have enabled IWA, specify your Intranet IP blocks in comma-delimited CIDR notation, for example:

10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

Click on [Finish] to validate the parameters.

2.2.1.6 High availability

With AD Connect light, high availability (automatic failover and load balancing) is handled by the PingOne datacenters and requires no configuration or management on your part. You just have to install multiple instances of AD Connect as described in the previous chapter (2.2.1.5), using the same Organization ID and the same Product Key. The status of the connection for each AD Connect instance is stored in and managed by PingOne. PingOne selects an AD Connect instance from the active list of instances and begins sending authentication requests to it; the load is balanced among all instances of AD Connect, and new instances are added to PingOne's active list.

2.2.2 PingOne AD Connect Full with IIS

2.2.2.1 Processing steps for authentication

These are the processing steps for a user authentication with AD Connect Full with IIS.
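The Intranet IP blocks list entered in 2.2.1.5 is what decides whether PingOne attempts IWA for a client or sends them to the logon page, so it is worth checking before you click [Finish]. The PowerShell below is an added example, not code from this guide or from Ping Identity: it validates a comma-delimited CIDR list in the format the portal expects, warns about entries whose host bits are set (the effective block is wider than the entry reads), and reports whether a given client address is covered. The sample list and client addresses are constructed. The guide does not state which address PingOne compares against the list (the address it observes for the browser, or an internal one), so test with the address the service actually sees.

```powershell
# Added example (not from the guide or from Ping Identity): validate the comma-delimited
# "Intranet IP blocks" value and tell whether a client address falls inside it.

function ConvertTo-IpNumber {
    # Dotted-quad IPv4 string -> [long] in 0..4294967295; anything else throws.
    param([Parameter(Mandatory)][string]$Ip)
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr) -or
        $addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Not an IPv4 address: '$Ip'"
    }
    $b = $addr.GetAddressBytes()   # network byte order
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function ConvertFrom-IpNumber {
    param([Parameter(Mandatory)][long]$Number)
    $octets = @((($Number -shr 24) -band 255), (($Number -shr 16) -band 255), (($Number -shr 8) -band 255), ($Number -band 255))
    return ($octets -join '.')
}

function Test-IntranetIpBlocks {
    param(
        [Parameter(Mandatory)][string]$CidrList,   # exactly as typed into the portal field
        [Parameter(Mandatory)][string]$ClientIp
    )
    $client  = ConvertTo-IpNumber $ClientIp
    $matched = @()
    foreach ($entry in ($CidrList -split ',')) {
        $e = $entry.Trim()
        if ($e -eq '') { throw "Empty entry in the list (leading, trailing or double comma)" }
        $parts = $e -split '/'
        if ($parts.Count -ne 2) { throw "'$e' is not in CIDR notation (address/prefix)" }
        $prefix = 0
        if (-not [int]::TryParse($parts[1], [ref]$prefix) -or $prefix -lt 0 -or $prefix -gt 32) {
            throw "Bad prefix length in '$e' (expected 0-32)"
        }
        $net = ConvertTo-IpNumber $parts[0]
        # 64-bit arithmetic so that /0 and /32 need no special case
        $mask = ([long]4294967295 -shl (32 - $prefix)) -band [long]4294967295
        if (($net -band $mask) -ne $net) {
            # Host bits set: the block that actually applies is wider than the entry reads
            Write-Warning ("'{0}' has host bits set; effective block is {1}/{2}" -f $e, (ConvertFrom-IpNumber ($net -band $mask)), $prefix)
        }
        if (($client -band $mask) -eq ($net -band $mask)) { $matched += $e }
    }
    return [pscustomobject]@{
        ClientIp      = $ClientIp
        IwaAttempted  = ($matched.Count -gt 0)
        MatchedBlocks = $matched
    }
}

# Constructed sample: the guide's example list plus an entry with host bits set.
$blocks = '10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,192.168.1.10/24'
Test-IntranetIpBlocks -CidrList $blocks -ClientIp '172.20.5.7'     # on-network client
Test-IntranetIpBlocks -CidrList $blocks -ClientIp '203.0.113.9'    # Internet client
```

A parse error here means the portal value would be rejected or, worse, silently misread, so run the check on the exact string you intend to paste; the warning for 192.168.1.10/24 shows how a stray host address widens the range to 192.168.1.0/24.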

1) The user accesses the PingOne dock.
2) As the user is not authenticated, they are redirected through an HTTP redirect to the PingOne servers (sso.connect.pingidentity.com).
3) The PingOne server redirects the user to their corporate AD Connect with an HTTP redirect.
4) If the user is already authenticated on their corporate domain, IIS uses IWA to authenticate the user with the Kerberos ticket held on their machine. Otherwise the IIS server requests their AD credentials (basic authentication).
5) Once the user is authenticated by the IIS server, AD Connect gets the user's attributes from the Active Directory.
6) AD Connect returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes.
7) The browser automatically posts the HTML form back to the PingOne servers (sso.connect.pingidentity.com).
8) The PingOne servers validate the SAML response from AD Connect and redirect the user to their PingOne dock with a token ID. This token ID is not a SAML assertion but a session ID.
9) The user gets access to their PingOne dock.

2.2.2.2 Prerequisites

The platform must be one of the following:
- Microsoft Windows Server 2012 with IIS 8.0 (32-bit/64-bit)
- Microsoft Windows Server 2008 R2 with IIS 7.5 (32-bit/64-bit)
- Microsoft Windows Server 2008 with IIS 7.0 (32-bit/64-bit)

- Microsoft .NET Framework 4.0 must be installed. If needed, the framework installation file is packaged with the AD Connect distribution.
- The Windows Server IIS host must reside in an Active Directory domain but, for security reasons, must not be a domain controller (DC).
- The Web Server (IIS) role must be installed, with the Windows Authentication role service and ASP.NET 4.5 (Web Server (IIS) > Web Server > Application Development > ASP.NET 4.5).
- Time synchronization must be set up on the Windows Server IIS host (Kerberos rejects tickets whose timestamps fall outside its clock skew tolerance).
- Port 443 (HTTPS) must be the only open port.
- If you have users who will be using the PingOne mobile app, the IIS host name must be resolvable externally.
- A valid certificate issued by a well-known certification authority must be set up on your IIS server.

2.2.2.3 Deploying PingOne AD Connect from a DMZ

If your users will access their PingOne dock from outside your corporate network, your IIS host must be reachable directly from the Internet, so you are advised to deploy the host in a DMZ. You will need to open the following ports on your DMZ/corporate network firewall. TCP and UDP are shown together in the table below; depending on the firewall device, you may need to add the TCP and UDP rules separately.

Protocol   Port numbers            Description
TCP/UDP    389, 636, 3268, 3269    Lightweight Directory Access Protocol (LDAP) ports. AD Connect uses LDAP to access the Active Directory DC (when in-network or Windows Authentication is used). Also used for mobile authentication.
UDP        138                     NetBIOS datagram service.
TCP/UDP    445                     SAM/LSA (SMB).
UDP        123                     NTP (W32Time).
TCP/UDP    135, 49152-65535        RPC endpoint mapper and dynamic RPC ports.
UDP        137                     NetBIOS name service.
TCP/UDP    88                      Kerberos. AD Connect uses this port for off-network access when executing a single sign-on (SSO) event outside the corporate network.
TCP/UDP    464                     Kerberos password set/change. Also used to join the IIS (and AD Connect) host to the domain.
TCP/UDP    53                      DNS. Resolves host names to IP addresses, and is also needed to join the IIS (and AD Connect) host to the domain.
TCP        443                     Receives the HTTPS requests from the users.

2.2.2.4 Setting AD Connect as an identity repository

Do not change the type of your identity bridge, as you will lose access to your cloud applications. The AD Connect light instructions in 2.2.1.4 apply unchanged to both versions of AD Connect.

2.2.2.5 Obtaining a specific certificate for your IIS server

You must have administrator rights on the host that runs AD Connect. Click on Run, type inetmgr.exe and press [Enter]. The IIS Manager console opens. Click on your IIS server name to get the Features view.
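Once the rules are in place, check them from the DMZ host rather than trusting the change ticket. The PowerShell below is an added example, not code from this guide or from Ping Identity. It probes the TCP ports in the table against a domain controller with a bounded connect timeout, and lists any TCP listener other than 443 on the host, which is the "only open port" requirement from 2.2.2.2. The domain controller name is a placeholder. The UDP ports and the dynamic RPC range cannot be verified with a TCP connect and have to be reviewed in the firewall rule set instead; Get-NetTCPConnection needs Windows Server 2012 or later.

```powershell
# Added example (not from the guide or from Ping Identity): probe the TCP ports from the
# table against a domain controller, and list listeners other than 443 on this host.

function Test-AdConnectDcPorts {
    param(
        [Parameter(Mandatory)][string]$DomainController,   # placeholder, e.g. dc1.acme.com
        [int]$TimeoutMs = 3000
    )
    # TCP ports from the table. UDP (53, 88, 123, 137, 138, 464) and the dynamic RPC
    # range 49152-65535 cannot be checked with a TCP connect and are left out.
    $ports = [ordered]@{
        '53'   = 'DNS'
        '88'   = 'Kerberos'
        '135'  = 'RPC endpoint mapper'
        '389'  = 'LDAP'
        '445'  = 'SAM/LSA (SMB)'
        '464'  = 'Kerberos password change'
        '636'  = 'LDAP over SSL'
        '3268' = 'Global catalog'
        '3269' = 'Global catalog over SSL'
    }
    foreach ($key in $ports.Keys) {
        $port   = [int]$key
        $client = New-Object System.Net.Sockets.TcpClient
        $ok     = $false
        try {
            $ar = $client.BeginConnect($DomainController, $port, $null, $null)
            # WaitOne returns $false on timeout, which is how a filtered port shows up
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($ar)   # throws if the DC actively refused
                $ok = $client.Connected
            }
        } catch {
            $ok = $false
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ Port = $port; Service = $ports[$key]; Reachable = $ok }
    }
}

function Get-UnexpectedListeners {
    # "Port 443 (HTTPS) must be the only open port": show every other TCP listener bound
    # to a non-loopback address. Needs the NetTCPIP module (Windows Server 2012 or later).
    param([int[]]$Allowed = @(443))
    Get-NetTCPConnection -State Listen |
        Where-Object { (@('127.0.0.1', '::1') -notcontains $_.LocalAddress) -and ($Allowed -notcontains $_.LocalPort) } |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

# Usage on the DMZ IIS host (host name is a placeholder):
# Test-AdConnectDcPorts -DomainController 'dc1.acme.com' | Format-Table -AutoSize
# Get-UnexpectedListeners | Format-Table -AutoSize
```

A row with Reachable = False on 88 or 389 will surface as the IWA or basic-authentication failure described in 2.2.2.1 step 4, so run this before the first user test. Every listener reported by Get-UnexpectedListeners is a port that should be closed at the firewall or on the host.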

In the IIS section, click on the Server Certificates icon. In the Actions menu on the right-hand side, click on [Create Certificate Request...]. Complete the fields with your information. As this information will be shown on your certificate, be sure to enter the right values. In the Common name field, enter the public host name of your IIS server, e.g. iisserver.mydomain.com; this is the name that browsers will verify against the certificate.

Click on [Next]. Click on [Next]. Choose a filename for your certificate request. Click on [Finish]. Send your certificate request to a well-known public certification authority. Some charges may apply. Once the certification authority validates your request and sends your certificate, return to the IIS Manager console. In the IIS section, click on the Server Certificates icon.

In the Actions menu on the right-hand side, click on [Complete Certificate Request...]. Select the file containing the certificate provided by your certification authority. Enter a friendly name to identify your certificate. Select Web Hosting as the certificate store for the new certificate. Click on [OK]. Your new certificate should appear in the certificate list.

The certificate must then be set as the certificate for HTTPS connections. On the left-hand side, expand the Sites item and click on [Default Web Site]. Then in the right-hand pane named Actions, click on [Bindings...].

Select the https binding line and click on [Edit...]. In the SSL certificate field, select your certificate. Click on [OK]. Now restart IIS to apply the changes: click on your IIS server name, then in the Actions pane on the right, click on [Restart].

2.2.2.6 Installing the AD Connect binary

You must have administrator rights on the host. Unzip the downloaded package. Right-click on the file run-as-administrator.bat and click on [Run as administrator]. Click on [Yes]. Click on [Next].

Select Full with IIS. Ping recommends using only one AD Connect with provisioning capabilities on each Active Directory domain to avoid provisioning issues. If it is the first AD Connect in your environment, check the box Enable user provisioning. Otherwise leave this box unchecked. Click on [Next]. Enter your activation product and the product key and then click on [Activate].

Once AD Connect has been activated, click on [Next]. Select the IIS web site to protect and click on [Next].

Choose where PingOne AD Connect will be installed by clicking on [Change]. Then click on [Next]. Click on [Install].

Wait until the end of the installation. Click on [Finish] to close the wizard.

Once installed, PingOne AD Connect Full with IIS must be activated through the web interface.

PingOne Administration Desktop > Setup > Identity repository

Select PingOne AD Connect and then click on [Setup >]. Then click on [Verify Installation]. Modify the IIS Server URL to match your IIS server URL. Click on [Update]. Click on [Finish] to validate the parameters.

2.2.2.7 High availability

If you are using AD Connect light, you can skip this chapter.

You must set up high availability if you expect to have large numbers of single sign-on (SSO) users for AD Connect. This chapter describes how to set up high availability for AD Connect Full with IIS using Microsoft Network Load Balancing (NLB) as the load-balancing and clustering solution. If you are using a load-balancing and clustering solution other than NLB, you can still apply these settings by replacing the NLB-specific steps with those that match your solution.

You will configure NLB clustering for AD Connect, using the example configuration shown in the illustration as a guideline. NLB is an optional Windows Server feature. Although you can use this process for other configurations, these instructions are for a minimal configuration: one Active Directory domain controller (DC) and two Windows Server IIS hosts. The IIS hosts need two NICs, one for the static IP used by NLB (NLB requires static IPs), the other for the dynamic IP used by the DC. The NLB-dedicated NICs of all IIS hosts should be in the same subnet.

Install AD Connect on the IIS hosts (iis1.acme.com and iis2.acme.com). One of the IIS hosts will supply the signing certificate to be used on all other IIS hosts; we will call this the master IIS host. On one of the IIS hosts (here iis1.acme.com), use the Services MMC to disable the AD Connect Provisioner Service. This will be the master IIS host.

The following steps will explain how to get the signing certificate from the master IIS host and how to import it to the other IIS hosts. On the master IIS host (iis1.acme.com), export the signing certificate. Open MMC, and from the File menu, select [Add/Remove Snap-in]. The Add or Remove Snap-ins dialog box is displayed. Select Certificates and click on [Add]. The Certificates Snap-in dialog box is displayed. Select Computer Account and click on [Next]. Copyright Orange Business Services 33 of 89

The Select Computer dialog box is displayed. Select Local computer. Click on [Finish]. Click on [OK]. The Certificates snap-in is displayed in MMC.
Expand Certificates (Local Computer) -> Personal and select Certificates. The certificates for the Local Computer account are displayed.
Right-click the signing certificate (the certificate name includes the full domain name of the host) and select [All Tasks], then [Export]. The Certificate Export Wizard is displayed.
Click on [Next].
Select [Yes, export the private key] and click on [Next].
Select [Personal Information Exchange PKCS #12 (.PFX)].
Check the box [Include all certificates in the certification path if possible].
Uncheck the box [Delete the private key if the export is successful].
Check the box [Export all extended properties].

Click on [Next].
Set a password to protect the private key and click on [Next].
Specify the file location and click on [Next].
Check the Certificate Export Wizard settings and click on [Finish] to export the certificate and the private key.
The master IIS host signing certificate has been exported to the current user directory.

On the other IIS hosts (iis2.acme.com), import this signing certificate:
Follow the steps above to add the Certificates snap-in to MMC.
Expand Certificates (Local Computer) -> Trusted People.

Right-click on Certificates and select All Tasks, then Import. The Certificate Import Wizard is displayed.
Follow the Certificate Import Wizard and select the signing certificate you exported from the master IIS host.
The master IIS host signing certificate is now imported to the other IIS host. Repeat the same operations for the other IIS hosts.

After importing the signing certificate, you must grant the IIS process access to the signing keys:
Open MMC and go to Certificates (Local Computer) -> Personal -> Certificates.
Right-click on the master IIS host certificate that you imported and select All Tasks, then Manage private keys. The permissions dialog box is displayed.
Click on Add, and in the entry box, enter the object name "IIS_IUSRS". IIS_IUSRS is a built-in group that might be created as a local group. Change the location of the search scope to get this group from your local computer instead of your corporate Active Directory.

Click on [OK].
Grant Full Control and Read permissions to IIS_IUSRS. The IIS host now has the necessary permissions to use the imported signing certificate.

The AD Connect Web.config file on the other IIS hosts (iis2.acme.com) must be updated to use the imported signing certificate:
Edit the AD Connect file <installpath>\Ping Identity\AD Connect\SSO\Web.config.
Change the saml.signing.cert value to the name of the imported signing certificate, and save the file. AD Connect will now use the imported signing certificate.

On each IIS host (iis1.acme.com and iis2.acme.com), install the Network Load Balancing feature. This is an optional feature for Windows Server.

On each IIS host, configure network load balancing:
Open Network Load Balancing Manager (in Administrative Tools) and choose to create a new cluster.
Enter the static IP address (the NLB-dedicated NIC) of one of the IIS hosts.

Select this interface, click on [Next], and assign a unique host ID.
Click on [Add] to create a virtual cluster IP address for this interface. Specify an address in the same subnet as the NLB-dedicated NICs of your IIS hosts. The virtual cluster IP is the address you will use to access AD Connect. Do not use the IP addresses (static or dynamic) assigned to the IIS hosts.

If you are deploying the IIS hosts in a VM (virtual machine), set the cluster operation mode to Multicast. Otherwise, set this mode to Unicast. Microsoft recommends using Unicast as the cluster operation mode; Unicast is compatible with all routers, switches and network devices. VMware recommends using Multicast if you're configuring NLB clusters on VMs.
Click on [Next].
(Optional) Set any port rules you consider necessary.

Click on [Finish].
When the information for the new cluster node (the IIS host) indicates the node is in a Converged state, right-click on the node and select Add Host to Cluster. The IIS host is now configured for NLB.
Repeat the above steps for each remaining IIS host (iis2.acme.com).
You should now be able to power cycle a clustered IIS host, with automatic failover to another IIS host in the cluster. You can also add IIS hosts to the cluster as needed.

2.2.3 Provisioning with PingOne AD Connect

With the two versions of AD Connect, it is possible to set up provisioning to automatically create, update and delete users in SaaS applications. This provisioning is enabled through group memberships. As some applications do not offer a mechanism for user provisioning (such as an API or SCIM messages), PingOne cannot create, update and delete users on all SaaS applications. You will find the applications available for user provisioning in the PingOne app catalog as described in 6.1.1.

Enable provisioning in PingOne

These are the steps to enable provisioning in PingOne:
Configure a connection to a SaaS application that supports provisioning (e.g. Salesforce) in the PingOne admin portal (see 6.1.1).
Associate the connection with one or more user groups on the User Groups page (see 6.2.3).

Processing steps for user provisioning in a SaaS application

This is how provisioning works with AD Connect:
1) When a SaaS application connection with provisioning is associated with a user group in the PingOne portal, AD Connect starts monitoring the corresponding Active Directory group.
2) AD Connect sends the PingOne provisioning service all the changes in that group (user added, modified or removed) through a SCIM message.
3) When the provisioning service receives updates from AD Connect, it sends provisioning requests to the target SaaS application based on the connection configuration specified in the admin portal.

2.3 PingOne directory

In this configuration, PingOne provides you with a directory to store your user accounts. You administer the accounts in the PingOne Administration page.

2.3.1 Processing steps for authentication

These are the processing steps for user authentication with the PingOne directory.

1) The user tries to access the PingOne dock.
2) As the user is not authenticated, they are redirected through an HTTP redirect to the PingOne servers (sso.connect.pingidentity.com).
3) PingOne sends a login page to the user. The user sends their credentials to PingOne for authentication.
4) Once authenticated, the user is redirected to their PingOne dock with a token ID. This token ID is not a SAML assertion but a session ID.
5) The user gets access to their PingOne dock.

2.3.2 Setting the PingOne directory as an identity bridge

Go to the following page:
PingOne Administration Desktop -> Setup -> Identity repository
Select PingOne Directory and click on [Setup].

2.3.3 Modifying the password policy for the PingOne directory users

Once the PingOne directory is enabled in the PingOne environment, a password policy is applied to the new user accounts created. It is possible to modify it from the following page:
PingOne Administration Desktop -> Setup -> Password policy -> Edit
These are the parameters you can use for the password policy:

Password Requirements
o Minimum Length: the minimum number of characters required.
o Uppercase Characters Required: the minimum number of uppercase characters required.
o Numbers Required: the minimum number of numbers required.
o Special Characters Required: the minimum number of special characters required (such as @ # ! % &).
o Block Dictionary Words: if enabled, common dictionary words aren't allowed as passwords.
o Block Previous Passwords: if enabled, previously used passwords aren't allowed.

Password Expiry
o Password Duration: the number of days a password remains valid.
o First Notification (Days): the user will receive their first notification of an expiring password this number of days before expiry.
o Second Notification (Days): the user will receive another notification of an expiring password this number of days before expiry.

Password Lockout
o Failures for Lockout: the number of consecutive failed attempts to sign on needed to trigger an account lockout.
o Lockout Duration: the length of time (minutes) a user remains locked out.
o Reset Failure Count: the length of time without user activity (in minutes) that's needed before the count of failed sign-on attempts is reset to zero.

2.3.4 Creating users in the PingOne directory

2.3.4.1 Manually creating a user from the administration portal

If the user account email access is a single sign-on (SSO) application, skip this chapter and go to the next chapter, 2.3.4.2.
Use your Administrator account to connect to your PingOne Administration Desktop.
PingOne Administration Desktop -> Users -> User directory -> Users
Click on [Add Users].

Click on [Create New User].
Enter the following information:
o New Password *
o Confirm New Password *
o Username *
o Title
o First Name
o Middle Name
o Last Name
o Suffix
o Formatted Name
o Email (work) *
The fields with a red star (*) are mandatory.
To add groups to the new user, click on [Add]. Search for the groups needed and check the boxes to select them.

Click on [Add].
Click on [Save].
The new user will receive an email. They will have to activate their account and set up a new password. After that, they will be marked as ACTIVE in PingOne. Once their account is activated, the user will receive a new email to confirm the activation.

2.3.4.2 Manually inviting a user from the administration portal (alternate email address possible)

Using an alternate email address for the user is useful if the user account email access is a single sign-on (SSO) application protected by PingOne.
Use your Administrator account to connect to your PingOne Administration Desktop.
PingOne Administration Desktop -> Users -> User directory
Click on [Add Users].
Click on [Invite New User].
Enter the following information:
o Email Address (*)
o Alternate Email
Click on the small arrow next to [Send Invitation].
The user will receive a new email from PingOne with a unique link to create their account. If an alternate email address was entered, they will receive this mail in their alternate mailbox. They will have to create their account by entering the mandatory attributes and setting up a new password. After that, they will be marked as ACTIVE in PingOne.

2.3.4.3 Re-sending an invitation for a newly created user

If the user account email access is a single sign-on (SSO) application, skip this chapter and go to the next chapter.
If a user doesn't receive their invitation, PingOne can resend it. However, before doing this, be sure that the PingOne notification email has not been sent to the spam folder.
Use your Administrator account to connect to your PingOne Administration Desktop.
PingOne Administration Desktop -> Users -> User directory
Type the first letters of the username in the search field. When you find the required user, click on [Edit] at the end of the line.
Click on [Resend e-mail].

2.3.4.4 Re-sending an invitation to an alternate email address for a newly created user

These instructions are useful if the user account email access is a single sign-on (SSO) application.
If a user doesn't receive their invitation, PingOne can resend it. However, before doing this, be sure that the PingOne notification email has not been sent to the spam folder.
Use your Administrator account to connect to your PingOne Administration Desktop.
PingOne Administration Desktop -> Users -> User directory
Type the first letters of the username in the search field. When you find the required user, click on [Edit] at the end of the line.
Click on [Resend invitation to alternate email address].
Enter the alternate email address.
Click on [Send].

2.3.5 Deleting a user from the PingOne directory

Use your Administrator account to connect to your PingOne Administration Desktop.
PingOne Administration Desktop -> Users -> User directory
Type the first letters of the username in the search field. When you find the required user, click on the small arrow near the [Edit] button at the end of the line.
Click on [Delete].

2.3.6 Disabling a user from the PingOne directory

Only Active users can be disabled. Disabled users are not removed from the PingOne directory, but they are no longer allowed to connect to PingOne.
Use your Administrator account to connect to your PingOne Administration Desktop.
PingOne Administration Desktop -> Users -> User directory
Type the first letters of the username in the search field. When you find the required user, click on the small arrow near the [Edit] button at the end of the line.
Click on [Disable].

2.3.7 Modifying a user

You can modify a user and change their first name, last name or email address.
Use your Administrator account to connect to your PingOne Administration Desktop.
PingOne Administration Desktop -> Users -> User directory
Type the first letters of the username in the search field. When you find the required user, click on [Edit].
Modify the necessary information.
Click on [Save].

2.4 3rd party SAML

2.4.1 Processing steps for authentication

These are the processing steps for user authentication with a 3rd party SAML IDP.
1) The user accesses the PingOne dock.
2) As the user is not authenticated, they are redirected through an HTTP redirect to the PingOne servers (sso.connect.pingidentity.com).
3) The PingOne server redirects the user to the 3rd party SAML IDP specified in PingOne with an HTTP redirect.
4) The 3rd party SAML IDP authenticates the user.
5) The 3rd party SAML IDP gets the user's attributes from the corporate user repository to build a valid SAML assertion.
6) The 3rd party SAML IDP returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes.
7) The browser automatically posts the HTML form back to the PingOne servers (sso.connect.pingidentity.com).
8) The PingOne servers validate the SAML response from the 3rd party SAML IDP and redirect the user to their PingOne dock with a token ID. This token ID is not a SAML assertion but a session ID.
9) The user gets access to their PingOne dock.

2.4.2 Configuration of the 3rd party SAML IDP

As the configuration on the 3rd party SAML IDP side can be very complex and depends on the SAML IDP product, please contact the Orange Business Services team if you want to set up a 3rd party SAML IDP as your identity bridge.

2.4.3 Setting a 3rd party SAML IDP as identity bridge

PingOne Administration Desktop -> Setup -> Identity repository
Select 3rd Party SAML and click on [Setup].
Select the checkbox labeled Enable an account-specific Entity ID.
Click on [Download PingOne metadata] and save the XML file.
Send this metadata XML file to the 3rd party SAML IDP to enable the circle of trust. For more details about the circle of trust, see the Flexible Identity Federation Quick Start Guide.
The 3rd party SAML IDP must provide a new metadata file containing its information. Once you get this file, upload it to PingOne:
PingOne Administration Desktop -> Setup -> Identity repository
Select 3rd Party SAML and click on [Edit].
Click on upload to send the file provided by the 3rd party SAML IDP.
Click on [Save configuration].

2.5 PingFederate

2.5.1 Processing steps for authentication

The processing steps for user authentication with PingFederate are similar to those for user authentication with a 3rd party SAML IDP. These processing steps are described in 2.4.1.

2.5.2 Configuration of PingFederate

As the configuration of PingFederate can be very complex, please contact the Orange Business Services team if you want to set up PingFederate as your identity bridge.

2.6 Google Apps for Work

When Google Apps for Work is selected as an identity provider, the OpenID Connect protocol is used instead of SAML for user authentication. This federation protocol is quite similar to SAML but is based on JSON/REST. OpenID Connect was designed for native apps and mobile applications, whereas SAML was designed for web-based applications. The user experience is the same as with SAML, but the user must authorize the service provider to access their information on the first connection.

2.6.1 Processing steps for authentication

These are the processing steps for user authentication with Google Apps for Work.
1) The user accesses the PingOne dock.
2) As the user is not authenticated, they are redirected through an HTTP redirect to the PingOne servers (sso.connect.pingidentity.com).
3) The PingOne server redirects the user to the Google Apps server for authentication.
4) The user enters their credentials in the login page provided by Google.
5) On the first connection, the user needs to authorize PingOne to access their Google Apps information (i.e. their email address, full name and groups).
6) Google Apps provides an OpenID token and redirects (via HTTP redirect) the user to the PingOne servers.
7) The browser automatically posts the HTML form back to the PingOne servers (sso.connect.pingidentity.com).
8) The PingOne servers validate the OpenID token by contacting the Google Apps servers.
9) The Google Apps servers validate the OpenID token.
10) Once the OpenID token is validated, the PingOne servers redirect the user to their PingOne dock with a token ID. This token ID is not a SAML assertion but a session ID.
11) The user gets access to their PingOne dock.

2.6.2 Authorization for PingOne

When the user authenticates for the first time, they will be asked by Google Apps for Work to authorize PingOne to access their information. This is the validation page:
Without these authorizations, the user cannot access the PingOne services.

2.6.3 Setting Google Apps as an identity provider

2.6.3.1 Preparing the Google Apps environment

To enable SSO with Google Apps, some operations must be carried out on the Google Apps environment.
Connect to the Google Apps environment.
Go to the admin interface:
On the admin console, click on [Security].

On the Security menu, go to Advanced settings -> Authentication and click on [Federated Login using OpenID].
Select the checkbox labeled Allow users to sign in to third party websites using OpenID.
Click on [Save changes].
On the Security menu, go to Advanced settings and click on [Manage API client access].
In the Client Name field, enter the following value:
o sso.connect.pingidentity.com

In the One or More API Scopes field, enter the following value:
o https://apps-apis.google.com/a/feeds/group/
Click on [Authorize].
On the Security menu, go to API reference -> API access and select the checkbox labeled Enable API access.
Click on [Save changes].
Go to the admin interface:
Click on [More controls] and then on [Admin Roles]:
Click on [Create a new role].
In the name field, enter the following value:
o ProvisioningAPI
In the description field, enter the following value:
o This is the admin role to enable the Provisioning API.
Click on [Create].
Scroll down until you find the Provisioning APIs section, select the checkbox next to Groups and then the checkbox beneath Read.

Click on [Save changes].
For every user in the Google Apps for Work domain, you must assign them to this new ProvisioningAPI role:
Select Users from the menu bar.
Select the user to whom you want to assign the role.
Click on [Admin roles and privileges].
Click on [Manage roles].
Select the ProvisioningAPI role from the dropdown list.
Click on [Update roles].
Create a group named PingOneUsers:
Click on [More controls] and then on [Groups]:
Click on [Create group].
In the name field, enter the following value:
o PingOneUsers

In the mail field, enter the following value:
o pingoneusers@yourdomain.com
In the description field, enter the following value:
o This is the group for the PingOne users.
Select the checkbox labeled Add all users within yourdomain.com to this group.
Click on [Create].

2.6.3.2 Preparing the PingOne environment

Create the following group in PingOne:
PingOne Administration Desktop -> Users -> User groups
Click on [Add new group].
Enter PingOneUsers as the group name.
Click on [Save].
Set Google Apps as identity bridge:

PingOne Administration Desktop -> Setup -> Identity repository
Select Google Apps and click on [Setup].
Enter your Google Apps domain name in the field labeled Google Apps Domain Name.
Click on [Configure OAuth]. A pop-up window will open asking you to authenticate with your Google account:
Enter the email and password of the Google domain administrator account and click on [Sign in].
The pop-up window will ask for permissions:

Click on [Accept].
The OAuth Configuration must be shown as Complete:
Click on [Save].

3 Basic use

3.1 Administrator connection to PingOne

To connect to your administrator environment, go to the following URL: https://admin.pingone.com
Enter your credentials.
Click on [Sign-On].
You will access the dashboard of your PingOne environment:

The URL for user connections is displayed as the PingOne dock URL on the dashboard page.

3.2 User connection to the PingOne dock

Users can access the PingOne dock only if the identity bridge is selected and configured. The URL of your PingOne dock can be found on the dashboard of your PingOne environment. See 3.1 for more details.
With the PingOne directory as an identity bridge: the PingOne dock URL can also be found in the invitation mail for users from the PingOne directory. This mail is sent for every new user created, but only if the PingOne directory was selected as the identity bridge.

4 PingOne administration

There are two ways to give administrative rights for PingOne. You can:
o Create specific administrator accounts. These accounts cannot be used by end users to access the PingOne dock or the applications protected by PingOne.
o Give administrative rights to users. These rights are given through their group membership in the identity bridge.

4.1 Creating administrator accounts

These administrator accounts will not have access to the PingOne dock or the applications protected by PingOne.

Four types of administrator accounts are available in PingOne:
o Global Admin
o SaaS Admin
o Directory Admin
o Service User Administrator
The rights compared between these four roles are:
o Add/Edit/Remove applications
o Add/Edit/Remove users
o Configure multi-factor authentication
o Get reports
o Change the identity bridge
o Change the display (logos/custom messages)
o Add administrator accounts
To create Administrator accounts in PingOne, connect to your PingOne administration environment:
PingOne Administration Desktop -> Account -> Administrators
Click on [Add Administrator].
Enter the following information:
o First Name
o Last Name
o Email address
o Role (use the selector to choose between the 4 roles)
Click on [Invite].

4.2 Granting users access to the administration portal

4.2.1 With the PingOne directory as an identity bridge

If the identity bridge selected in PingOne is the PingOne directory, three types of administrator accounts are available:
o User reader: this role can view users and groups in the PingOne directory.

o User manager: this role can create and modify the users in the PingOne directory.
o Group and Entitlement manager: this role has the same entitlements as the user manager plus the ability to create directory groups and change group membership.
These three administrative roles are given to the users through their PingOne directory group membership. To give the groups these administrative roles, follow these instructions on your PingOne administration environment:
PingOne Administration Desktop -> Users -> User Directory -> Groups
On the group list, click on [Edit] near the group to modify.
In the Directory Permissions part, select the directly applied role by selecting one of the following options:
o No Access
o User Reader
o User Manager
o Group and Entitlement Manager
Click on [Save].

4.2.2 With other identity bridges

PingOne can use the group membership sent by the identity bridge to give your users access to the administration portal. To give administrator access to your users, connect to your PingOne administration environment:
PingOne Administration Desktop -> Setup -> Dock Configuration -> Edit
Check the box Show advanced settings to display the Admin-Portal SSO item at the end of the web page.
Enter the groups of your identity bridge to use for the administrators in the Global Administrator Group field. If you are using PingOne AD Connect as an identity bridge, enter the fully distinguished names (DN) of the groups (for example: CN=admins,OU=Test,DC= ).
Click on [Save changes].

4.3 Access to the PingOne administration environment through the PingOne dock (for users)

When a user has administrative rights, a new application appears in their PingOne dock. A new item named Administration also appears in the top menu of the PingOne dock:
The user just has to click on one of these elements to open the PingOne Administration page in a new tab.

5 Service customization

5.1 Customizing the PingOne dock

The PingOne dock is a web portal that displays all the user's applications. The customized elements are displayed in orange in the following diagram:

These elements can be modified in:
Setup -> Dock Configuration -> Edit
Select the checkbox labeled Show advanced settings.
Change the values.
Click on [Save changes].

5.2 Customizing PingOne AD Connect Full with a specific IIS login page

If you are using AD Connect Full with IIS, it is possible to use a custom login page. Two steps are needed to perform this look and feel customization:
o Prepare the customization archive
o Install the customization archive

5.2.1 Preparing the customization archive

The look & feel customization archive is an ordinary zip archive, named theme.zip, which contains the necessary HTML and related media files for the login and error pages. The choice of folder layout for the archive is free. The only required files inside the zip archive are the templates for the login/error pages:
login.html (in the root of the archive)
error.html (in the root of the archive)
changepassword.html (in the root of the archive)
passwordchanged.html (in the root of the archive)
Templates are free to include any JS, graphics, CSS or other types of scripts packaged within the archive, using relative links, for example:
<link rel="stylesheet" media="all" type="text/css" href="css/screen.css">
<script src="assets/js/script.js"></script>
All image names referenced should be in lower case.
Templates have to use substitution symbols to render dynamic content generated by AD Connect, as described below.
The login.html template should use the following predefined names for the authentication form fields:
ad.username for the username
ad.password for the password
The changepassword.html template should use the following predefined names for the form fields:
ad.username for the username
ad.password for the current password
ad.newpassword for the new password
ad.confirmpassword for the new password confirmation

5.2.2 Substitution template symbols and constructions per page

5.2.2.1 login.html

$action$ - will be replaced with the actual URL to AD Connect where the form data must be posted for authentication, for example:
<form method="post" action="$action$"> </form>
$error$ - will be replaced with an error message. If an error occurs, the $if(error)$ ... $endif$ construction displays it inside an HTML <div> tag. For example:
$if(error)$ <div>$error$</div> $endif$
$username$ - must be attached to the input field for the username value; it is used to retain the value if an error occurred, for example:
<input id="username" type="text" size="36" name="ad.username" value="$username$" />
$changepassword_url$ - will be replaced by the URL to the change password page, for example:
<a href="$changepassword_url$">change my password</a>

5.2.2.2 error.html

$ErrorMessage$ - will be replaced with the actual error description, for example:
<font face="arial"> $ErrorMessage$</font>

5.2.2.3 changepassword.html

$action$ - will be replaced with the actual URL to AD Connect where the form data must be posted for authentication, for example:
<form method="post" action="$action$"> </form>
$username$ - must be attached to the input field for the username value; it is used to retain the value if an error occurred, for example:
<input id="username" type="text" size="36" name="ad.username" value="$username$" />
$error$ - will be replaced by the error message. If an error occurs, the $if(error)$ ... $endif$ construction displays it inside an HTML <div> tag. For example:
$if(error)$ <div>$error$</div> $endif$
$msg$ - will be replaced by the success message. If there is a success message to show, the $if(msg)$ ... $endif$ construction displays it inside an HTML <div> tag. For example:
$if(msg)$ <div>$msg$</div> $endif$
$cancel_url$ - the cancel URL, to which the user is redirected if the cancel button is pressed. If cancellation is possible, the $if(cancel_url)$ ... $endif$ construction shows it. For example:
$if(cancel_url)$ <a href="$cancel_url$" title="cancel">cancel</a> $endif$

5.2.2.4 passwordchanged.html

$resume_url$ - the resume URL, to which the user is redirected if the 'Continue' button is pressed, for example:
<a href="$resume_url$" class="button normal allow" title="continue">continue</a>
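As an added example (not part of the original guide, nor code from AD Connect itself), the following Python script checks a theme.zip against the archive layout, form field names and substitution symbols described in 5.2.1 and 5.2.2, and shows how the $if(name)$ ... $endif$ construction expands. The sample archive it builds is constructed here, and the HTML escaping of substituted values is this example's own defensive choice, not documented AD Connect behaviour.

```python
# Added example: checks a theme.zip against the rules in 5.2.1/5.2.2 (sample data constructed below)
import html
import io
import re
import zipfile

# Templates that must sit in the root of the archive
REQUIRED_FILES = ("login.html", "error.html", "changepassword.html", "passwordchanged.html")
# Predefined form field names each template must use
REQUIRED_FIELDS = {
    "login.html": {"ad.username", "ad.password"},
    "changepassword.html": {"ad.username", "ad.password", "ad.newpassword", "ad.confirmpassword"},
}
# Substitution symbols each template is expected to carry
REQUIRED_SYMBOLS = {
    "login.html": {"$action$", "$username$", "$error$"},
    "error.html": {"$ErrorMessage$"},
    "changepassword.html": {"$action$", "$username$", "$error$", "$msg$"},
    "passwordchanged.html": {"$resume_url$"},
}
IMAGE_EXT = (".png", ".gif", ".jpg", ".jpeg", ".ico")
FIELD_RE = re.compile(r'name="([^"]+)"')
LINK_RE = re.compile(r'(?:href|src)="\s*([^"$]+?)\s*"')  # relative links only, not $symbols$
IF_RE = re.compile(r"\$if\((\w+)\)\$(.*?)\$endif\$", re.S)

def validate_theme(zip_bytes):
    """Return a list of problems found in the archive (empty list means OK)."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        for req in REQUIRED_FILES:
            if req not in names:  # a copy in a subfolder does not count
                problems.append(f"missing root template: {req}")
                continue
            text = zf.read(req).decode("utf-8", errors="replace")
            fields = set(FIELD_RE.findall(text))
            for field in sorted(REQUIRED_FIELDS.get(req, set()) - fields):
                problems.append(f"{req}: form field {field!r} not found")
            for sym in sorted(REQUIRED_SYMBOLS[req]):
                if sym not in text:
                    problems.append(f"{req}: substitution symbol {sym} not used")
            for ref in LINK_RE.findall(text):
                if ref.startswith(("http://", "https://", "#")):
                    continue
                if ref not in names:  # a relative link must resolve inside the zip
                    problems.append(f"{req}: linked file {ref!r} not in archive")
        for name in names:
            if name.lower().endswith(IMAGE_EXT) and name != name.lower():
                problems.append(f"image name not in lower case: {name}")
    return problems

def render(template, values):
    """Expand $if(name)$...$endif$ blocks, then replace $name$ symbols; values are
    HTML-escaped before insertion (this example's choice, not documented AD Connect behaviour)."""
    out = IF_RE.sub(lambda m: m.group(2) if values.get(m.group(1)) else "", template)
    for key, val in values.items():
        out = out.replace(f"${key}$", html.escape(str(val), quote=True))
    return out

# Constructed sample templates following the examples in 5.2.2
LOGIN = """<link rel="stylesheet" media="all" type="text/css" href="css/screen.css">
<form method="post" action="$action$">
$if(error)$ <div>$error$</div> $endif$
<input id="username" type="text" size="36" name="ad.username" value="$username$" />
<input id="password" type="password" name="ad.password" />
<a href="$changepassword_url$">change my password</a>
</form>"""
CHANGEPW = """<form method="post" action="$action$">
$if(error)$ <div>$error$</div> $endif$
$if(msg)$ <div>$msg$</div> $endif$
<input type="text" name="ad.username" value="$username$" />
<input type="password" name="ad.password" />
<input type="password" name="ad.newpassword" />
<input type="password" name="ad.confirmpassword" />
$if(cancel_url)$ <a href="$cancel_url$" title="cancel">cancel</a> $endif$
</form>"""

def build_sample_theme(broken=False):
    """Build a theme.zip in memory; broken=True misplaces login.html in a subfolder
    and adds an upper-case image name so the checks have something to report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("theme/login.html" if broken else "login.html", LOGIN)
        zf.writestr("error.html", '<font face="arial">$ErrorMessage$</font>')
        zf.writestr("changepassword.html", CHANGEPW)
        zf.writestr("passwordchanged.html", '<a href="$resume_url$" title="continue">continue</a>')
        zf.writestr("css/screen.css", "body { margin: 0 }")
        if broken:
            zf.writestr("img/Logo.PNG", b"")
    return buf.getvalue()

if __name__ == "__main__":
    for flag in (False, True):
        print(f"broken={flag}:", validate_theme(build_sample_theme(broken=flag)) or "OK")
```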

5.2.3 Installing the customization archive

To install the customization archive, rename the downloaded file "theme.zip" and copy it to the SSO application folder. The default location is:
C:\Program Files (X86)\Ping Identity\ADconnect\SSO
All the customization content should be part of the zip package and called "theme.zip". No IIS restart is required.

6 Managing applications in PingOne

6.1 Adding an application

In PingOne, there are three ways to add an application. Once the application is added, do not forget to enable it for the users. Go to 6.2 to give them access.

6.1.1 Application from the PingOne catalog

As the PingOne catalog contains many applications, it is not possible to describe all their configurations. Please follow the instructions provided by the PingOne catalog.
To add an application using the PingOne application catalog, go to the following page in your PingOne administration environment:
Applications -> Application Catalog
In the Search field, start typing the name of the application to add. When the application is displayed, click on the arrow on the right-hand side of the table:
A short description of the application will appear:

Click on [Setup] to begin the configuration.
Follow the application Service Provider's instructions to configure SSO for the application.
Click on [Continue to Next Step].

6.1.2 SAML application

Use this configuration if you want to set up a SAML application that isn't in the application catalog.

6.1.2.1 From the application SSO URL

Some applications provide an SSO URL that allows easy configuration of the SAML connection. If you do not have this URL, skip this chapter and go to 6.1.2.2.
To add a new SAML application from an SSO URL, go to the following page in your PingOne administration environment:
Applications -> My Applications
Click on [Add Application] and select [New SAML Application].
Enter the Application Name and Application Description; both are required fields. For logos and icons, PNG is the only supported graphics format.
Click on [Continue to Next Step]. The Application Configuration page is displayed.
Click on [I have the SSO URL].
Enter the URL in the SSO URL field. PingOne will encode this URL, so do not encode it yourself (for example, use "&" rather than "&amp;").
Click on [Save and Publish].

6.1.2.2 Without the application SSO URL

If Google Apps is set up as the identity bridge in your PingOne environment, do not add Google applications using this method.

To add a new SAML application, go to the following page in your PingOne administration environment:

Applications -> My Applications

Click on [Add Application] and select [New SAML Application]. The Application Details page is displayed.
Enter the Application Name and Application Description; both are required fields. For logos and icons, PNG is the only supported graphics format.
Click on [Continue to Next Step]. The Application Configuration page is displayed.
Provide the SAML configuration details for the application:
a. Click on [Download] to retrieve the SAML metadata for PingOne. This supplies the PingOne connection information (including the PingOne signing certificate) to the application.
b. To upload metadata from the SAML application, click on [Choose File] and select the metadata file. The ACS URL and Entity ID entries are then filled in for you. If you do not upload the application metadata, you need to enter this information by hand.
c. For Verification Certificate, click on [Choose File] to upload the application's certificate. PingOne uses it to verify signatures on the messages the application sends.
The remaining entries are optional, depending on your requirements.
Click on [Continue to Next Step]. The SSO Attribute Mapping page is displayed.
Modify or add attribute mappings as necessary for the application. In most cases, the default attribute mappings are sufficient. These mappings assign your identity bridge attributes to the attributes expected by the Service Provider for the application. For each application attribute, it is possible to:
o Click on the Required checkbox to designate the attribute as required by the application.
o Click in an entry box and select an identity bridge attribute from a dropdown list.
o Click in an entry box and enter an identity bridge attribute.

o Click the As Literal checkbox and enter, in the entry box, a literal value to assign.
o Click on [Advanced] to enter Advanced Attribute Mapping mode.
o Click on [Add new attribute] to enter any additional attributes required by the application. You then have all of the choices above when configuring the attribute.

When the configuration of attribute mappings is done, click on [Save & Publish]. The Review Setup page is displayed.
Review the application connection information. Some of this information may be needed by the SP to complete the SSO configuration for the application. In particular, you can download the PingOne signing certificate and the PingOne SAML metadata (which has the certificate embedded). The SSO URL for the application is also displayed on this page; this URL can be used to test SSO directly to the application without going through the PingOne dock.
Click on [Finish] to complete the application setup.

6.1.3 Basic SSO application

To use Basic SSO, users must install a browser extension. The supported browsers are:
o Internet Explorer 8 (Windows XP and 7), 9 (with Protected Mode disabled), 10 or later.
o Firefox, 2013 releases or later.
o Chrome, 2013 releases or later.

Note that Protected Mode is Internet Explorer's sandbox; disabling it for IE9 removes that isolation for the affected zone, so weigh this against upgrading the browser.

To add a Basic SSO application, go to the following page in your PingOne administration environment:

PingOne Administration Desktop -> Applications -> My Applications

Click on [Add Application] and select [Add New Basic SSO Application].
Click on [Begin] to launch the wizard for adding new Basic SSO applications. The wizard guides you through the configuration of the application.

6.2 User management for applications

6.2.1 Creating groups in PingOne Directory

With PingOne Directory set as the identity bridge, you can create groups to manage user access to your PingOne-protected applications. Go to:

PingOne Administration Desktop -> Users -> User Directory -> Groups

Click on [Add group].
Enter a name for the new group.
Select the Directory Permissions to give administrative rights to the group. For more details about these administrative rights, see chapter 4.2.1.
Click on [Save].

6.2.2 Adding a group in PingOne (except for PingOne Directory)

To add a user group in PingOne, go to the following page:

PingOne Administration Desktop -> Users -> User Groups

Click on [Add New Groups].
Enter the name of the group.
If AD Connect is selected as the identity bridge, enter the full distinguished name of the corresponding Active Directory group (for example CN=ApplicationGroup,OU=PingUsers,DC=mydomain,DC=com).
Click on [Save].

6.2.3 Authorizing group access to applications

To authorize a user group to access applications, go to the following page:

PingOne Administration Desktop -> Users -> User Groups

Select the group needed and click on [Edit].
Click on the checkbox next to each application this group needs.
Click on [Save].

7 PingOne browser extension

The Basic SSO user experience requires a specific browser extension. You can let your users install the plugins manually or use automatic deployment.

7.1 Manual setup of the PingOne browser extension

Manual installation is described in the User Guide.

7.2 Automatic installation through Windows GPO (on Windows domains only)

The PingOne browser extension can be installed on individual desktops by users, or it can be deployed silently across an enterprise using Windows Group Policy Objects (GPOs). To deploy the PingOne browser extension for Internet Explorer using a GPO, use the following steps:

Create a shared network folder which all target machines can read. Restrict write access to this share to the administrators who maintain the package: every machine in the target OU will install whatever MSI it finds there. Download and copy the browser extension installer file (PingOne-Extension.msi) into this shared folder. The download locations of the browser extension are listed by browser type below.

Chrome: https://chrome.google.com/webstore/detail/pingoneextension/hbikchkhjggjedcpikghdfecmmcaalfm
Firefox: https://s3-us-west-2.amazonaws.com/ping-browser-extension/prod/firefox/pingone-Extension.xpi
Internet Explorer x86: https://s3-us-west-2.amazonaws.com/ping-browser-extension/prod/ie/pingone-extensionx86.msi
Internet Explorer x64: https://s3-us-west-2.amazonaws.com/ping-browser-extension/prod/ie/pingone-extensionx64.msi

Open the Group Policy Management console to create a new group policy:
Click on [Start -> Run].
Type gpmc.msc and click on [OK]. The Group Policy Management console opens.
Right-click on Group Policy Objects and then click on [New].

Give a name to the GPO and click on [OK].
Highlight the newly created Group Policy, then right-click and select the [Edit] option.

In the editor window, navigate to [Computer Configuration -> Policies -> Software Settings -> Software Installation].
Right-click on [Software Installation] to display a pop-up menu, then select [New -> Package...].
Navigate to the shared folder where the PingOne-Extension.msi installer file has been copied and select the installer file. Use the UNC path of the share (\\server\share\PingOne-Extension.msi), not a mapped drive letter: the installation runs under the computer account at startup, before any user drive mappings exist.

Return to the Group Policy Management window to select the organizational unit (OU) to which the new browser extension GPO will be applied. The new policy is applied to each computer that resides in the target OU. The installation occurs without user intervention. However, the user is prompted to enter their Privacy Key on the first launch of the PingOne dock URL after installation.

Once the Privacy Key has been entered, the user is ready for Basic SSO activity.

8 Enabling IWA with browser clients (AD Connect)

With Integrated Windows Authentication (IWA), users do not have to re-authenticate after their first login to their Windows desktop (on the internal network only). They can access their corporate applications with a simple click. To enable it, their web browsers need to be configured as described below.

8.1 Enabling IWA in the PingOne admin portal

PingOne Administration Desktop -> Setup -> Identity Repository

Click on the pencil to edit the AD Connect configuration.

Click on [Edit] on the AD Connect configuration line. Then, in the AD Connect Options part, check Enable IWA. In Intranet IP Blocks, enter your internal IP ranges as they are seen from the Internet, that is, the public addresses your internal users egress from. Only requests arriving from these blocks are treated as internal for IWA, so list only address blocks that belong to your organization. Click on [Save].

8.2 Enabling IWA for Mozilla Firefox

Open the Mozilla Firefox browser. In the address bar, enter about:config and press Return.

Note: If prompted with a warning about changing these options, confirm that you want to continue.

Filter for network.negotiate-auth.trusted-uris. Enter the names of your AD Connect instances. Do not use FQDNs, and use a comma to separate the values if you have multiple AD Connect instances (for example agent2008r2,agent2012r2).

Filter for network.automatic-ntlm-auth.trusted-uris. Enter the same AD Connect instance names, again without FQDNs and comma-separated if there are several (for example agent2008r2,agent2012r2).

Filter for network.automatic-ntlm-auth.allow-non-fqdn. Double-click on it to set the value to true.

Keep both trusted-uris lists limited to the AD Connect hosts: Firefox sends the user's Windows credentials (Kerberos or NTLM) without prompting to every site matching an entry, so a broad value such as a whole domain suffix hands them to every host under that suffix. Setting allow-non-fqdn to true additionally lets Firefox answer NTLM challenges automatically for any single-label host name, not only the listed ones, so it is only acceptable where name resolution for such names cannot be spoofed on the client network.

8.3 Enabling IWA for Internet Explorer

Internet Explorer web browsers must be configured as follows. Open the Internet Options:

Select the [Security] tab.
Select [Local intranet].
Click on [Custom level...]. In the Security Settings dialog box, scroll down to User Authentication and select [Automatic logon only in Intranet zone]. Click on [OK].
Automatic logon applies only to sites Internet Explorer places in the Local intranet zone. Single-label host names such as the AD Connect instance names used in 8.2 are classified as intranet by default; if you address the AD Connect instances by FQDN, add them explicitly under [Sites].
Click on the [Advanced] tab. Scroll down to the Security section. Select [Enable Integrated Windows Authentication].

Click on [OK] to validate. If Enable Integrated Windows Authentication was not selected before, the computer must be restarted.

8.4 Enabling IWA for Google Chrome

On Windows, Google Chrome reads the same Internet Options settings as Internet Explorer (security zones and the automatic logon setting). To configure IWA with Google Chrome, follow the steps described in chapter 8.3.

9 Reports

Each PingOne subsystem logs all transactions. Each customer has access to their own reports from their PingOne Administration Desktop. Customers can get reports:
o for all transactions (global view);
o for a specific user's transactions.

9.1 Global reports

9.1.1 Displaying the global reports

To display the list of current transactions for your environment, go to the following page:

PingOne Administration Desktop -> Dashboard -> Reports

This page lists the transactions currently logged by the PingOne subsystems. The transactions are sorted in descending order, beginning with the most recent transaction. You can refresh the page to display any more recent transactions. The transactions of the last 24 hours are returned when the page is rendered, unless you specify date and time filter criteria. All dates and times are in your local time zone. The top panel of the report contains:

o Categories. A dropdown list of the PingOne services. Select a service to limit the search to the users of that service.
o Subject. The unique identifier for a user. Depending on the identity provider, a username or email address. This is the Subject attribute used in the SAML assertion from the identity provider. The search is dynamic and begins filtering the results as you type.
o From...To. Date and time entry fields to filter the set of transactions. You can enter the From and To date and time manually or use the date/time selector button.

The report columns are the following:
o Timestamp. The date and time of the transaction, in the format MM/DD/YYYY HH:mm:ss (local time zone).
o Code/Key. A unique identifier for the type of transaction.
o Subsystem. One of the PingOne subsystems:
  Provisioning: the user provisioning subsystem.
  SSO: the single sign-on (SSO) processing subsystem for Federated SSO.
  Basic SSO: the SSO processing subsystem for Basic SSO.
  AD Connect: the AD Connect subsystem.
o Message. The transaction message logged by the subsystem. The content is the message and the transaction metadata. Click on a message value to display more of the message. A copy-to-clipboard button in the lower left corner of the displayed message copies the entire message to your clipboard.
o Subject. The unique identifier for a user. Depending on the identity provider, a username or email address. This is the Subject attribute used in the SAML assertion from the identity provider.

9.1.2 Downloading the global reports

The range of data displayed can be downloaded as a CSV file containing the same columns as the web page. Click on the Download button to get the transaction reports. Reports are limited to 65,000 rows; if your filter window contains more transactions, narrow the From...To range and download in several parts. All reports are in CSV format.
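The checks below are an added example, not code from this guide or from Ping Identity. They run over a handful of constructed Federated SSO transaction records, using the field names the service records for that kind of transaction (the 9.2.1 list: TOKEN, ASSERTIONID, SUBJECT, SUBJECT_FROM_IDP, IP, STATUS, ERROR_CODE) and the Timestamp format given above. The STATUS values "OK"/"FAILED" and the error code string are assumptions, since the guide does not list the possible values; the addresses are documentation ranges. To run it over the CSV download from 9.1.2, you first have to extract these fields from the Message column, whose exact layout the guide does not describe.

```python
"""Detection checks over PingOne Federated SSO transaction records (added example).

Records are dicts keyed by the 9.2.1 field names. All sample data is constructed;
the STATUS values and the ERROR_CODE string are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def parse_report_time(value):
    """Report timestamps are MM/DD/YYYY HH:mm:ss in the admin's local time zone (9.1.1)."""
    return datetime.strptime(value, "%m/%d/%Y %H:%M:%S")


def reused_tokens(records):
    """TOKEN is documented as limited to one-time use, so a token seen in two
    transactions means the attribute retrieval was replayed (or the log is duplicated)."""
    counts = Counter(r["TOKEN"] for r in records if r.get("TOKEN"))
    return sorted(token for token, n in counts.items() if n > 1)


def subject_mismatches(records):
    """SUBJECT is the user ID PingOne sent to the SP, SUBJECT_FROM_IDP the one the
    identity bridge returned. They should agree unless an attribute mapping
    deliberately rewrites the subject. Returns the offending records."""
    return [r for r in records if r["SUBJECT"] != r["SUBJECT_FROM_IDP"]]


def subjects_from_many_ips(records, window=timedelta(minutes=10), min_ips=3):
    """Subjects that completed SSO from at least `min_ips` distinct addresses
    within `window` (shared-credential / impossible-travel indicator)."""
    by_subject = defaultdict(list)
    for r in records:
        by_subject[r["SUBJECT"]].append((parse_report_time(r["date"]), r["IP"]))
    flagged = {}
    for subject, events in by_subject.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ips = {ip for t, ip in events[i:] if t - start <= window}
            if len(ips) >= min_ips:
                flagged[subject] = sorted(ips)
                break
    return flagged


def failure_bursts(records, threshold=5):
    """Subjects with at least `threshold` transactions whose STATUS is not OK,
    with a count per ERROR_CODE (password guessing through the identity bridge
    shows up here first)."""
    failures = defaultdict(Counter)
    for r in records:
        if r["STATUS"] != "OK":
            failures[r["SUBJECT"]][r.get("ERROR_CODE") or "(none)"] += 1
    return {s: dict(c) for s, c in failures.items() if sum(c.values()) >= threshold}


def _record(date, token, subject, ip, status="OK", subject_from_idp=None, error_code=""):
    """Build one constructed record with the 9.2.1 field names."""
    return {"date": date, "TOKEN": token, "ASSERTIONID": "A-" + token,
            "SUBJECT": subject, "SUBJECT_FROM_IDP": subject_from_idp or subject,
            "IP": ip, "STATUS": status, "ERROR_CODE": error_code}


# Constructed sample records (documentation addresses from RFC 5737).
SAMPLE_RECORDS = [
    _record("01/27/2014 09:34:12", "tok-1", "user1@cloud-orange.net", "198.51.100.10"),
    _record("01/27/2014 09:35:40", "tok-1", "user1@cloud-orange.net", "203.0.113.7"),  # token replayed
    _record("01/27/2014 09:40:00", "tok-2", "admin@cloud-orange.net", "198.51.100.11",
            subject_from_idp="user2@cloud-orange.net"),  # SP received a different subject
    _record("01/27/2014 10:00:00", "tok-3", "user3@cloud-orange.net", "198.51.100.12"),
    _record("01/27/2014 10:03:00", "tok-4", "user3@cloud-orange.net", "203.0.113.20"),
    _record("01/27/2014 10:07:00", "tok-5", "user3@cloud-orange.net", "192.0.2.33"),
] + [
    _record("01/27/2014 11:%02d:00" % m, "tok-f%d" % m, "user4@cloud-orange.net",
            "203.0.113.50", status="FAILED", error_code="ERR_ASSUMED")  # assumed values
    for m in range(5)
]


def run_all(records=SAMPLE_RECORDS):
    """Return every finding in one dict."""
    return {
        "reused_tokens": reused_tokens(records),
        "subject_mismatches": [r["SUBJECT"] for r in subject_mismatches(records)],
        "multi_ip_subjects": subjects_from_many_ips(records),
        "failure_bursts": failure_bursts(records),
    }


if __name__ == "__main__":
    for name, finding in run_all().items():
        print(name, finding)
```

The thresholds (10 minutes, 3 addresses, 5 failures) are starting points to tune against your own baseline; the token-reuse and subject-mismatch checks need no tuning, because the guide defines TOKEN as single-use and the two subject fields as the same identity seen on both sides of the bridge.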
9.2 Information logged by the Flexible Identity Federation service

Each time a user accesses a SaaS application through the PingOne service, some information is recorded by Flexible Identity Federation. The following paragraphs describe the information recorded, depending on how the SaaS application is connected (Federated SSO or Basic SSO).

9.2.1 Federated SSO transaction

This is the information logged by Flexible Identity Federation when a user signs in to PingOne to access a Federated SSO application.

Parameter            Description
(date)               The date and time of the SSO transaction.
SUBJECT              The user ID sent to the Service Provider (SP).
SUBJECT_FROM_IDP     The user ID returned by the identity bridge.
TOKEN                A generated ID used to retrieve SSO attributes from PingOne. Limited to one-time use.
ASSERTIONID          The ID of the SAML assertion from the identity bridge.
IP                   The user's IP address for this SSO transaction.
AGENT_ID             An ID assigned to the user's client or agent used for SSO (generally a browser).
SAAS_DOMAIN          If specified, the host name or domain name of the user application.
SAAS_ID              The ID assigned to the user application.
SP_ACCOUNT_ID        The PingOne account ID for the SP.
SP_ACCOUNT_NAME      The name assigned to the SP account in PingOne.
IDP_ID               The identity bridge ID used by the SP to identify the identity bridge.
IDP_ACCOUNT_ID       The unique account ID for the identity bridge in PingOne.
IDP_ACCOUNT_NAME     The name of the identity bridge in PingOne.
ACCOUNT_REGION       The region of the identity bridge.
FIRST_NAME_FROM_IDP  The user's first name as supplied by the IdP.
LAST_NAME_FROM_IDP   The user's last name as supplied by the IdP.
EMAIL_FROM_IDP       The user's email address as supplied by the IdP.

STATUS               The status of the SSO transaction.
ERROR_CODE           Contains the error information if an error occurs.

9.2.2 Basic SSO transaction

This is the information logged by Flexible Identity Federation when a user signs in to PingOne to access a Basic SSO application.

Parameter            Description
(date)               The date and time of the SSO transaction.
CDP                  -
SUBJECT              The user ID sent to the Service Provider (SP).
SUBJECT_FROM_IDP     The user ID returned by the identity bridge.
IP                   The user's IP address for this SSO transaction.
CONNECTION_ID        A unique ID for the connection established between the identity bridge and the application.
SAAS_ID              The ID assigned to the user application.
SP_ACCOUNT_ID        The PingOne account ID for the SP.
SP_ACCOUNT_NAME      The name assigned to the SP account in PingOne.
TARGET_RESOURCE      The URL used for the SSO transaction.
IDP_ID               The identity bridge ID used by the SP to identify the identity bridge.
IDP_ACCOUNT_ID       The unique account ID for the identity bridge in PingOne.
IDP_ACCOUNT_NAME     The name of the identity bridge in PingOne.
FIRST_NAME_FROM_IDP  The user's first name as supplied by the IdP.
LAST_NAME_FROM_IDP   The user's last name as supplied by the IdP.
EMAIL_FROM_IDP       The user's email address as supplied by the IdP.
STATUS               The status of the SSO transaction.
ERROR_CODE           Contains the error information if an error occurs.

10 Security

10.1 IP addresses used by the PingOne services

As PingOne is hosted in AWS datacenters, the underlying network is expected to change each time a new virtual instance is added to absorb more user traffic or to serve new endpoints. The IP addresses currently used by the PingOne services can nevertheless be listed with the shell script provided in 11.5. Filtering on IP addresses is possible, but we do not recommend it when the firewall rules are static rather than derived dynamically from the endpoints' fully qualified names: a static allow list silently breaks the service the next time an address changes.

10.2 PingOne endpoints

These are the PingOne endpoints that can be filtered on port TCP 443:

Service                      Endpoints
PingID Authenticator         authenticator.pingone.com, authenticator.pingone.eu
PingOne dock URL             desktop.pingone.com, desktop.pingone.eu
PingID IdP                   idpxnyl3m.pingidentity.com, bodxr5jgf.pingidentity.com
CloudDirectory Login         login.pingone.com, login.pingone.eu
SCIM provisioning endpoints  scim.connect.pingidentity.com, scim.pingone.eu
Token Processor Systems      sso.connect.pingidentity.com
Admin portal                 admin.pingone.com, admin.pingone.eu
Office365                    connect365.pingone.com, connect365.pingone.eu
PingOne Directory API        directory-api.pingone.com
AD Connect                   den-routingsvc.pingone.com, ore-routingsvc.pingone.com
Other                        connect.pingidentity.com, connect.pingone.eu, desktop.connect.pingidentity.com, sso.connect.pingidentity.com

11 Troubleshooting

11.1 Authentication with PingOne AD Connect Full with IIS not working

Do you get the login page?
Check that the IIS server is started and reachable from inside and outside your corporate network. Check also that the following Windows services are started (you need administrator rights on the Windows server):
o Click on [Start].
o Click on [Run].
o Type services.msc.
o Click on [OK].
o Check that the 3 Windows services are started:
  AD Connect Configuration Service
  AD Connect Provisioner Service
  AD Connect Software Updates Service

One user cannot connect with PingOne AD Connect Full with IIS
Disabled Active Directory accounts cannot connect to PingOne through PingOne AD Connect Full with IIS. Check with your Active Directory administrator whether this account is disabled.

Users have access to the login page but no one can connect.
Check that the Windows servers hosting PingOne AD Connect Full with IIS can reach the corporate Active Directory domain controllers.

11.2 Authentication with PingOne AD Connect not working

Users have access to the login page but no one can connect.
Check that the Windows servers hosting PingOne AD Connect light can reach the corporate Active Directory domain controllers.
Check that outbound Internet connections (TCP ports 80 and 443) are open from the server that hosts PingOne AD Connect light.
Check also that the following Windows services are started (you need administrator rights on the Windows server):
o Click on [Start].
o Click on [Run].
o Type services.msc.
o Click on [OK].
o Check that the 3 Windows services are started:
  AD Connect Authentication Agent Service
  AD Connect Provisioner Service
  AD Connect Software Updates Service

11.3 SAML assertion

To better understand the exchanges between the IdP and the SP, this is the content of a valid SAML assertion (the signature body and the NameID Format value are shortened placeholders):

<saml:Assertion Destination="https://www.google.com/a/cloud-orange.net/acs"
    IssueInstant="2014-01-27T09:34:12.059Z" ID="ID..." Version="2.0">
  <saml:Issuer>https://idp.mysecureauthentication.com/</saml:Issuer>
  <ds:Signature>fdsgsg.</ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names">user1@cloud-orange.net</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-01-27T08:58:05.427Z" NotOnOrAfter="2014-01-27T09:58:05.427Z">
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="SCIM.displayName">
      <saml:AttributeValue>user1</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>

The Assertion element gives standard information:
o Destination: URL of the service provider (its Assertion Consumer Service URL).
o IssueInstant: when the assertion was made.
o ID: unique identifier of the assertion.
o Version: version of SAML used (2.0).

<saml:Assertion Destination="https://www.google.com/a/cloud-orange.net/acs" IssueInstant="2014-01-27T09:34:12.059Z" ID="ID..." Version="2.0">

The Issuer element identifies the identity provider that authenticated the user:

<saml:Issuer>https://idp.mysecureauthentication.com/</saml:Issuer>

The assertion must be digitally signed with the private key matching the IdP's certificate, so that it cannot be forged or altered. The signature is stored in the Signature element. If a single character of the signed content is modified, the signature no longer matches and the assertion becomes invalid. The Service Provider must verify the signature against the IdP certificate it trusts (the one distributed in the IdP metadata, see 6.1.2.2) and reject unsigned assertions.

<ds:Signature>fdsgsg.</ds:Signature>

The Subject and NameID elements identify the user. The value can be, for example, an email address or a UPN; the Format attribute says which:

<saml:Subject>
  <saml:NameID Format="urn:oasis:names">user1@cloud-orange.net</saml:NameID>
</saml:Subject>

The Conditions element bounds the validity of the assertion (time window, audience). The SP must verify the conditions to prevent malicious reuse of the SAML assertion: an assertion presented outside the NotBefore/NotOnOrAfter window, or addressed to another audience, must be rejected, and the same assertion ID must not be accepted twice.

<saml:Conditions NotBefore="2014-01-27T08:58:05.427Z" NotOnOrAfter="2014-01-27T09:58:05.427Z">
</saml:Conditions>

The AttributeStatement allows the IdP to provide additional user information (first name, last name, office number, ...) to the SP:

<saml:AttributeStatement>
  <saml:Attribute Name="SCIM.displayName">
    <saml:AttributeValue>user1</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

This list of assertion items is not exhaustive but contains the principal and mandatory items used in SAML assertions.

11.4 SAML tracer

SAML tracer is a Firefox add-on that helps you view and debug SAML messages. Download and install it from:

https://addons.mozilla.org/fr/firefox/addon/saml-tracer/

Before each trace, restart the web browser to reset any running SAML session and clear the web cookies.
Before browsing the first web page, open the SAML tracer window (Firefox menu -> Tools -> SAML tracer).
Go to the SP web page (SP: Service Provider, the customer's application). A first SAML message should appear in the tracer window. Usually the browser is automatically redirected to the IdP (Identity Provider), which then appears in the URL bar and in SAML tracer.
The user authenticates against their identity bridge. They are then redirected again to the SP, and another SAML message, the response carrying the assertion described in 11.3, should appear.
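The checks described in 11.3 (Destination, Issuer, signature, Conditions, single use of the assertion ID) are what a Service Provider has to perform on an assertion such as the one captured with SAML tracer in 11.4. The following is an added example of those checks, not code from this guide or from Ping Identity. It uses only the Python standard library, so it verifies structure, Issuer, Destination, validity window, audience and replay; for the signature it only checks that a ds:Signature element is present. Cryptographic verification of that signature against the IdP certificate requires an XML-DSig library (for example xmlsec or python3-saml) and must happen before any value in the assertion is trusted. The sample assertion is constructed from the one in 11.3: namespace declarations and the saml: prefix on every element are added so a parser resolves them, and the AudienceRestriction value is an assumption (the page shows no audience).

```python
"""Checks a Service Provider must run on a SAML 2.0 assertion (added example).

Standard library only: structure, Issuer, Destination, validity window, audience
and replay of the assertion ID are checked; the ds:Signature element is only
checked for PRESENCE. Verify the signature with an XML-DSig library first.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample modelled on the assertion shown in 11.3. Namespace
# declarations are added; the signature body and the NameID Format are the
# placeholders from the page; the Audience value is an assumption.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Destination="https://www.google.com/a/cloud-orange.net/acs"
    IssueInstant="2014-01-27T09:34:12.059Z" ID="ID..." Version="2.0">
  <saml:Issuer>https://idp.mysecureauthentication.com/</saml:Issuer>
  <ds:Signature>fdsgsg.</ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names">user1@cloud-orange.net</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-01-27T08:58:05.427Z" NotOnOrAfter="2014-01-27T09:58:05.427Z">
    <saml:AudienceRestriction>
      <saml:Audience>google.com/a/cloud-orange.net</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="SCIM.displayName">
      <saml:AttributeValue>user1</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_time(value):
    """xs:dateTime in UTC ('Z' suffix); fractional seconds are optional."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unparseable SAML timestamp: %r" % (value,))


class ReplayCache:
    """Remembers consumed assertion IDs until their NotOnOrAfter has passed,
    so an assertion is accepted once however many times it is replayed."""

    def __init__(self):
        self._seen = {}

    def consume(self, assertion_id, expires_at, now):
        self._seen = {k: v for k, v in self._seen.items() if v > now}  # drop expired IDs
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expires_at
        return True


def validate_assertion(xml_text, expected_issuer, expected_destination, now,
                       replay_cache, expected_audience=None,
                       clock_skew=timedelta(minutes=3)):
    """Return the list of reasons to reject; an empty list means every check passed."""
    failures = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return ["root element is not a saml:Assertion"]
    if root.get("Version") != "2.0":
        failures.append("unsupported SAML version %r" % root.get("Version"))
    if root.get("Destination") != expected_destination:
        failures.append("Destination %r is not our ACS URL" % root.get("Destination"))
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        failures.append("Issuer %r is not the configured IdP" % issuer)
    if root.find("ds:Signature", NS) is None:
        failures.append("assertion carries no signature")
    if root.find("saml:Subject/saml:NameID", NS) is None:
        failures.append("no Subject/NameID")

    conditions = root.find("saml:Conditions", NS)
    expires_at = now  # fallback for the replay cache when Conditions are unusable
    if conditions is None:
        failures.append("no Conditions element")
    else:
        try:
            not_before = parse_saml_time(conditions.get("NotBefore", ""))
            expires_at = parse_saml_time(conditions.get("NotOnOrAfter", ""))
        except ValueError as exc:
            failures.append(str(exc))
        else:
            if now + clock_skew < not_before:
                failures.append("assertion not yet valid (NotBefore)")
            if now - clock_skew >= expires_at:
                failures.append("assertion expired (NotOnOrAfter)")
        audiences = [a.text.strip() for a in
                     conditions.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if audiences and expected_audience not in audiences:
            failures.append("audience %r does not include us" % (audiences,))

    assertion_id = root.get("ID")
    if not assertion_id:
        failures.append("assertion has no ID")
    elif not replay_cache.consume(assertion_id, expires_at, now):
        failures.append("assertion ID %r already consumed (replay)" % assertion_id)
    return failures
```

Two points the code cannot make for you: parse untrusted XML with a hardened parser (defusedxml rather than xml.etree) in production, and when you do add signature verification, make sure the element whose signature you verified is the same element you read the values from, otherwise a second, unsigned assertion wrapped into the same document can be substituted for the signed one.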

11.5 PingOne service IP addresses

The script below resolves the DNS names used by the PingOne services in the AWS infrastructure to their current IP addresses. Run it from the network whose firewall you are configuring, and re-run it regularly: the addresses behind these names change (see 10.1). Two defects in the original listing are corrected here: the `dig` output was not piped into `tr`, and the comment-skipping test used `next` (not a bash keyword) with a slash-delimited pattern that bash does not understand; `continue` and a plain `^#` pattern are used instead.

#!/bin/bash
#set -x
#---
# Updated as of 20140917 -- JMS
# Please note, some services listed below are listed
# for completeness' sake. Services such as
# sso.pingone.eu shouldn't be explicitly called by customers
# as there are a number of these services which are globally
# load balanced. Thus, while they appear in the .eu domain,
# they are not explicitly reserved for EU-only customers.

cname_list="
admin-api-689220468.eu-west-1.elb.amazonaws.com
admin-api-885824033.us-west-2.elb.amazonaws.com
directoryapi-lb-den-shard01.pingone.com
cid-api-265445945.us-west-2.elb.amazonaws.com
sso-office365-1703357533.us-west-2.elb.amazonaws.com
o365-lb-den-shard01.pingone.com
cid-api-421076185.eu-west-1.elb.amazonaws.com
sso-office365-385738718.eu-west-1.elb.amazonaws.com
"

tld_list="
connect.pingidentity.com
admin.pingone.com
desktop.pingone.com
desktop.connect.pingidentity.com
sso.connect.pingidentity.com
scim.connect.pingidentity.com
connect365.pingone.com
directory-api.pingone.com
login.pingone.com
authenticator.pingone.com
idpxnyl3m.pingidentity.com
bodxr5jgf.pingidentity.com
admin-api.pingone.com
authenticator.pingone.eu
connect.pingone.eu
directory-api.pingone.eu
scim.pingone.eu
login.pingone.eu
admin.pingone.eu
connect365.pingone.eu
desktop.pingone.eu
sso.pingone.eu
den-routingsvc.pingone.com
ore-routingsvc.pingone.com
"

echo 'Please note, some PingOne Services Use Incapsula as a Proxy Service.'
echo 'For a list of Incapsula Endpoints to whitelist'
echo 'Please see the following URL:'
echo 'https://incapsula.zendesk.com/hc/en-us/articles/200627570-restricting-directaccess-to-your-website-incapsula-s-ip-addresses-'
echo '############## / ###############'
echo "CNAME LISTS:"
for url in $cname_list; do
  # skip entries commented out with a leading '#'
  if [[ $url =~ ^# ]]; then continue; fi
  key=$url
  # +short prints the CNAME chain (if any) followed by the A records, one per line
  value=$(dig +short "$url" | tr "\n" ",")
  echo "$key: $value"
done
echo '############## / ###############'
echo "Top Level Domain List: (COULD BE DIFFERENT DEPENDING ON YOUR GEO-LOCATION AND DNS)"
for url in $tld_list; do
  if [[ $url =~ ^# ]]; then continue; fi
  key=$url
  value=$(dig +short "$url" | tr "\n" ",")
  echo "$key: $value"
done
echo ''
echo '############## / ###############'
echo ''
echo 'Format is: (lookup_domain: cname[if any], ip, ip,...)'
echo 'PLEASE NOTE THIS IS NOT A SUPPORTED SCRIPT, MAY CHANGE AS WE ADD AND REMOVE DOMAIN NAMES!'
echo 'Your locally resolved addresses (i.e. checking what DNS returns from YOUR COMPUTER), may be different in a different part of the world with global load balancing. Make sure you run this script on or next to the machine you want to verify.'