Configuring PingFederate to work with Alfresco SAML SSO

As well as enabling SAML SSO in Alfresco, you also need to configure the PingFederate identity provider to work with Alfresco SAML SSO.
Note: The following steps are example instructions to help you configure PingFederate. For detailed configuration information, see the PingFederate documentation.
  1. Log in to your PingFederate environment as the administrator.
  2. Create your service provider connection (in this instance, Alfresco is your service provider). To create a new service provider connection, click Create New under My IdP Configuration > SP Connections and complete the following tasks on each of the SP Connection tabs.

    • Connection Type tab
      • Use this tab to specify the type of connection you want to establish between PingFederate and Alfresco. Ensure that the Browser SSO Profiles checkbox is selected and click Next.
    • Connection Options tab
      • Ensure that the Browser SSO checkbox is selected and click Next.
    • Import Metadata tab
      • Use this tab to import metadata from Alfresco. This is the same metadata that you downloaded in Step 6 of Configuring SAML Settings for SSO. Click Browse and select alfrescoSamlSpMetadata.xml (Alfresco, as an SP, provides its metadata in the alfrescoSamlSpMetadata.xml file). You can download this file from the Single Sign-on page in Alfresco (ensure that you are logged on to Alfresco as an administrator before you try to download this file). Click Next. The Metadata summary page is displayed. Click Next.
    • General Info tab
      • Use this tab to provide general information about the connection you are creating. Provide the Connection ID and the Connection Name for your connection. Ensure that the Base URL is pointing to your instance of Share. Optionally, you can also provide contact information. Use this tab to set the level of transaction logging you need for Alfresco. Ensure that Standard is selected as the Logging Mode. Click Next and configure your browser settings using the Browser SSO tabs.
  3. Alfresco uses a web browser and HTTP to set up message transfers between itself and PingFederate. To configure your browser settings, click Configure SSO and complete the following tasks on each of the Browser SSO tabs.

    • SAML Profiles tab
      • Use this tab to select the SAML profiles you require to configure your connections. Alfresco uses all the SSO and SLO profiles available. Select all the four available profiles on this tab and click Next.
    • Assertion Lifetime tab
      • Use this tab to configure the time for which an assertion is valid. A SAML assertion is an XML document that contains authentication, authorization, and attribute information. Each assertion has a validity period. Accept the default and click Next. You now need to configure your assertion creation.
  4. Configure your assertion creation. Configuring assertions involves specifying how PingFederate obtains user-authentication information and uses it to create assertions for Alfresco. This includes choosing an identity mapping method, defining the attribute contract for Alfresco and configuring adapters. To configure assertions for Alfresco, click Configure Assertion Creation in the Assertion Creation tab and complete the following tasks on each of the Assertion Creation tabs.

    • Identity Mapping tab
      • Use this tab to associate remote users authenticated by PingFederate with user accounts local to Alfresco. Ensure that the Standard mapping is selected and click Next.
    • Attribute Contract tab
      • Use this tab to define the attribute contract. An attribute contract contains user attributes that will be included in the SAML assertions for this connection.
      • Choose urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified as the subject name format for the SAML_SUBJECT attribute contract.
        Note: The contract includes the default SAML_SUBJECT, which identifies the user in the assertion. This is because you used the standard identity mapping.
      • Extend the Contract by adding an email part to it. Type Email in the Extend the Contract text box. Choose urn:oasis:names:tc:SAML:2.0:attrname-format:basic as the attribute name format. Click Add. Notice that the details have now been added (they appear on the screen). Click Next.
  5. Configure your IdP adapter mapping. IdP adapters are used for user authentication in the single sign-on process. When an Alfresco user enters their credentials, their user attributes are returned to PingFederate. To configure IdP adapter mapping for Alfresco, click Map New Adapter Instance in the Identity Mapping tab and complete the following tasks on each of the IdP Adapter Mapping tabs.

    • Adapter Instance tab
      • Use this tab to set up an adapter instance for this connection. An adapter instance is a configured and deployed adapter. Choose IdP Adapter from the Adapter Instance drop-down box and click Next.
    • Assertion Mapping tab
      • Use this tab to set up an assertion mapping. Setting up assertion mappings involves defining data stores that you want to use to look up adapter contract values. Ensure Use only Adapter Contract values in the SAML assertion is selected. Click Next.
    • Attribute Contract Fulfilment tab
      • Use this tab to map each attribute to fulfill the Attribute Contract from the sources.
      • Select Adapter as the Source for the Email attribute contract.
      • Select email as the Value for the Email attribute contract.
      • Select Adapter as the Source for the SAML_SUBJECT attribute contract.
      • Select subject as the Value for the SAML_SUBJECT attribute contract. Click Next.
    • Issuance Criteria tab
      • Use this tab to configure criteria to determine whether users are authorized to access Alfresco resources. This information is optional and is not required for Alfresco. Click Next. Click Done.
      • Click Next. Click Done. You will be redirected to the Browser SSO tab.
  6. Configure bindings, endpoints, and other settings needed for SAML profiles. Click Protocol Settings in the Browser SSO tab and complete the following tasks on each of the Protocol Settings tabs.

    • Assertion Consumer Service URL tab
      • Use this tab to associate bindings to the Assertion Consumer Service Endpoint where Alfresco will receive assertions. Select POST from the Binding drop-down list and type /share/-your SAML-enabled network-/saml/authnresponse in the Endpoint URL field. Click Add. Click Next.
    • SLO Service URLs tab
      • Use this tab to associate bindings to the endpoints where Alfresco receives logout requests when a Single Log-out (SLO) request is initiated by PingFederate and where PingFederate sends SLO responses. Select POST from the Binding drop-down list and type /share/-your SAML-enabled network-/saml/logoutrequest and https://-your server-/share/-your SAML-enabled network-/saml/logoutresponse in the Endpoint URL and Response URL fields, respectively. Click Add. Click Next.
    • Allowable SAML Bindings tab
      • Use this tab to select the bindings you want Alfresco to use when sending messages to PingFederate. Ensure that only POST is selected as the binding type. Click Next.
    • Signature Policy tab
      • Use this tab to provide options for controlling digital signatures for SSO. Accept the default and click Next.
    • Encryption Policy tab
      • Use this tab to configure encryption of all or part of an assertion. Ensure that None is selected and click Next. Click Done.
      • Click Next. Click Done.
  7. Configure security settings for messaging between PingFederate and Alfresco. Click Configure Credentials in the Credentials tab and complete the following tasks on each of the Credentials tabs.

    • Digital Signature Settings tab
      • Use this tab to specify the certificate that you will use to sign assertions and SLO messages for Alfresco. This certificate must be the certificate you have previously uploaded into Alfresco as shown in Configuring SAML settings for SSO.
    • Signature Verification Settings tab
      • Use this tab to specify the certificate used to validate Alfresco SAML messages. PingFederate provides two options for signature verification. Choose the Unanchored option. Click Browse to select Alfresco's public certificate and then click Extract.
      • Click Next. The Summary screen is displayed. You can review or edit your credentials configuration here.
      • When you finish editing the existing settings, click Done on the Summary screen and then Save on the Credentials screen.
  8. Ensure that you've activated your connection.
You've now successfully configured PingFederate to work with Alfresco SAML SSO. Try testing SAML settings to make sure everything's set up OK.
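
When testing, it helps to check a decoded SAML response against the settings chosen in the steps above: subject name format, the Email attribute and its name format, a signature, and no encryption. The script below is an added example, not part of the Alfresco or PingFederate documentation; the sample response is constructed, and check_contract is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
NAMEID_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ATTR_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed sample response (not captured from a real deployment); signature body elided.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Assertion ID="a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <ds:Signature><ds:SignedInfo/></ds:Signature>
    <saml:Subject><saml:NameID Format="{NAMEID_FMT}">jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email" NameFormat="{ATTR_FMT}">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def check_contract(xml_text):
    """Return a list of mismatches against the settings chosen in the steps above."""
    # Intended for responses you captured yourself; use a hardened parser for untrusted XML.
    root = ET.fromstring(xml_text)
    problems = []
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        problems.append("assertion is encrypted, but Encryption Policy was set to None")
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext Assertion element found"]
    # Presence check only: this does not verify the signature cryptographically.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("neither the Response nor the Assertion carries a ds:Signature element")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("SAML_SUBJECT (NameID) is missing or empty")
    elif name_id.get("Format") != NAMEID_FMT:
        problems.append(f"unexpected NameID Format: {name_id.get('Format')}")
    emails = [a for a in assertion.iterfind(".//saml:Attribute", NS) if a.get("Name") == "Email"]
    if not emails:
        problems.append("Email attribute is missing from the contract")
    elif emails[0].get("NameFormat") != ATTR_FMT:
        problems.append(f"unexpected Email NameFormat: {emails[0].get('NameFormat')}")
    return problems

if __name__ == "__main__":
    print(check_contract(SAMPLE) or "assertion matches the configured contract")
```

With the POST binding configured here, the response arrives base64-encoded in the SAMLResponse form field, so decode it before passing the XML to the function.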