This page describes how to configure Corporate Sign In for Chaos services with PingFederate.
In this section we explore how you can integrate your PingFederate identity provider with Chaos, so that your employees benefit from the Corporate Sign In functionality.
Before doing the steps in this section, make sure to reach out to Chaos first to request the Corporate Sign In feature.
Chaos to PingFederate communication
The communication between Chaos and PingFederate goes over a TLS connection. For it to succeed, PingFederate must present a certificate that Chaos trusts: issued by a publicly trusted CA for the hostname Chaos connects to, and served together with its intermediate chain. A self-signed certificate will not be accepted.
The following sections assume you have PingFederate installed and Outbound Provisioning enabled. This setup has been verified against PingFederate version 10.
In addition to the basic installation you need to install Ping’s official SCIM Connector. Out of the box PingFederate only supports SCIM version 1.1, which is not compatible with the SCIM version 2.0 API that Chaos uses; the connector adds SCIM 2.0 support to PingFederate’s Outbound Provisioning.
Please consult PingFederate’s installation and configuration documentation in case you need help.
Configure OpenID-Connect policy
This step ensures that the ID token returned to Chaos carries the required claims, populated from the correct LDAP attributes.
In PingFederate’s administrative UI go to Applications > OAuth > OpenID Connect Policy Management and click Add Policy.
Fill in the following:
Policy ID: a unique identifier of the policy
Name: a unique and recognizable name for this policy
Access Token Manager: JSON Web Tokens
Include User Info in ID Token: enabled
Under Attribute Contract, leave only email, family_name and given_name.
Under Attribute Scopes, add profile and select the email attribute manually. Don’t forget to press Add.
Under Attribute Sources & User Lookup, click Add Attribute Source and fill in the following for the attribute source datastore:
Attribute Source ID: a unique identifier of the attribute source
Attribute Source Description: a description for the attribute source
Active Data Store: the LDAP user data store (see Configure User datastore below); the store type is then filled in automatically as LDAP.
On the LDAP Directory Search tab, fill in the directory search settings. Under Attributes to return from search, select <Show all attributes> and add the attributes that back the email, given_name and family_name claims. Under LDAP Filter, enter the filter that matches the signing-in user.
Back in OIDC Policy Management, under Contract Fulfillment, map each claim in the contract to the corresponding attribute of the LDAP source.
Go to Summary page and click Save.
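A practical check after saving the policy is to inspect the ID token PingFederate issues and confirm it carries the claims configured above. The following Python is an added example for this page, not code from Chaos or Ping Identity. A real PingFederate ID token is signed by the Access Token Manager's key and must be verified against its JWKS; to run offline, the example signs a constructed token with HS256 and a constructed shared key, and the issuer and client id values are assumptions. The claim, audience and expiry checks are the ones the consuming side applies regardless of the signing algorithm.

```python
import base64
import hashlib
import hmac
import json
import time

# Claims the OpenID Connect policy must deliver in the ID token (Attribute Contract).
REQUIRED_CLAIMS = ("email", "given_name", "family_name")

# Constructed values for this example only. A real PingFederate ID token is signed
# by the Access Token Manager's key (RS256) and verified against its JWKS endpoint;
# HS256 with a shared key is used here so the example runs without a server.
SAMPLE_KEY = b"example-hs256-key-not-a-real-secret"
SAMPLE_ISSUER = "https://pingfederate.example.com"   # assumed issuer value
SAMPLE_CLIENT_ID = "chaos-client-id"                  # stands in for <client id>


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_id_token(claims: dict, key: bytes = SAMPLE_KEY) -> str:
    """Build an HS256-signed JWT from a claims dict (constructed test input only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def check_id_token(token: str, key: bytes = SAMPLE_KEY, issuer: str = SAMPLE_ISSUER,
                   audience: str = SAMPLE_CLIENT_ID, now=None) -> list:
    """Return the list of problems found; an empty list means the token is acceptable."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWT"]
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return ["header is not valid base64url JSON"]
    # Pin the algorithm: never let the token choose (rejects alg=none and key confusion).
    if header.get("alg") != "HS256":
        return [f"unexpected alg {header.get('alg')!r}"]
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    try:
        actual = _b64url_decode(sig_b64)
    except ValueError:
        return ["signature is not valid base64url"]
    if not hmac.compare_digest(expected, actual):
        return ["signature does not verify"]
    claims = json.loads(_b64url_decode(payload_b64))

    problems = []
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token expired or exp missing")
    # The claims the policy's Attribute Contract is supposed to fill from LDAP.
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            problems.append(f"missing claim {name}")
    return problems


if __name__ == "__main__":
    token = make_sample_id_token({
        "iss": SAMPLE_ISSUER, "aud": SAMPLE_CLIENT_ID, "sub": "jdoe", "exp": 2000000000,
        "email": "jdoe@example.com", "given_name": "Jane", "family_name": "Doe",
    })
    print(check_id_token(token, now=1700000000))   # [] when every check passes
```

If a claim comes back empty, the usual cause is a Contract Fulfillment entry that still points at the wrong source, or an LDAP attribute that was not added under Attributes to return from search.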
Creating an OAuth client in PingFederate
Open PingFederate’s administrative UI, go to Applications > OAuth > Clients and create a New Client.
Fill in the following fields:
Client ID: the <client id>
Name: a unique and recognizable name
Client Authentication: Client Secret. After selecting this option, a new Client Secret field is displayed underneath.
Client Secret: the <client secret>
Allowed Grant Types: the grant types required by Chaos
OpenID Connect > Policy: the policy created in the previous section
The <client id> and <client secret> are provided by Chaos during the onboarding process.
Configure User datastore
In this guide we are using Ping Identity’s own LDAP solution - PingDirectory.
If your setup uses another type of user repository, some steps may differ. To add the LDAP data store, navigate to System > Data & Credential Stores > Data Stores and click Add New Data Store.
Pick a unique name and select LDAP as store type. Follow the instructions in PingFederate’s documentation on how to configure an LDAP connection.
Create a SCIM SP Connection
In Applications > Integration > SP Connections click Create Connection.
Select Do not use a template for this connection and click Next.
On the Connection Type tab select Outbound Provisioning and, from the drop-down menu that appears, select Type: SCIM Connector.
The SCIM Connector type will only show if you’ve successfully installed the SCIM Connector from the PingFederate configuration section above and restarted PingFederate after doing so. Using SCIM 1.1 Service Provider will not work.
In the General Info tab fill in:
Partner’s Entity ID: a unique ID identifying the partner connection
Connection Name: a unique and recognizable name for this connection
On the Outbound Provisioning tab click Configure Provisioning.
In the Target tab fill in the following:
SCIM URL: the SCIM endpoint URL, which contains your <tenant id>
Authentication method: OAuth 2 Bearer Token, using the <access token>
Unique User Identifier
Users API Path
Remove User Action: Chaos recommends picking Delete User
The <tenant id>, which is part of the SCIM URL, and the <access token> are provided by Chaos during the onboarding process. Treat the access token as a credential: it authorizes every provisioning request made to your tenant.
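To make the Target settings concrete, the following Python models the receiving side of the SCIM 2.0 Users endpoint that this connection talks to. It is an added example for this page, not Chaos's service or Ping Identity's connector. It shows what the settings above mean on the wire: the bearer token from the Authentication method check, the SCIM 2.0 User schema URN that the built-in SCIM 1.1 SP connection (see the note at the start of this section) does not send, a create request keyed on externalId, and the two ways a user can be deprovisioned, a DELETE that removes the record (what the recommended Delete User action causes) or a PATCH that sets active to false. The tenant id, token, the path shape and the PATCH body are constructed assumptions.

```python
import hmac
import uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_V1_USER = "urn:scim:schemas:core:1.0"   # schema URN a SCIM 1.1 client sends

# Constructed placeholders for the <tenant id> and <access token> issued by Chaos.
TENANT_ID = "tenant-123"
ACCESS_TOKEN = "constructed-bearer-token"


class ScimUsers:
    """In-memory model of a SCIM 2.0 /Users resource protected by a bearer token."""

    def __init__(self, tenant_id=TENANT_ID, token=ACCESS_TOKEN):
        self.path = f"/scim/v2/{tenant_id}/Users"   # assumed shape of the Users API Path
        self._token = token
        self.users = {}   # SCIM id -> resource

    def _authorized(self, headers):
        scheme, _, value = headers.get("Authorization", "").partition(" ")
        # Constant-time comparison so the token cannot be guessed byte by byte.
        return scheme == "Bearer" and hmac.compare_digest(value, self._token)

    def handle(self, method, path, headers, body=None):
        """Dispatch one request and return (HTTP status, response body)."""
        if not self._authorized(headers):
            return 401, {"status": "401", "detail": "bearer token missing or invalid"}
        if method == "POST" and path == self.path:
            return self._create(body or {})
        if path.startswith(self.path + "/"):
            user_id = path[len(self.path) + 1:]
            if user_id not in self.users:
                return 404, {"status": "404"}
            if method == "DELETE":          # Remove User Action = Delete User
                del self.users[user_id]
                return 204, None
            if method == "PATCH":           # disable instead of delete (assumed body shape)
                return self._patch(user_id, body or {})
        return 405, {"status": "405"}

    def _create(self, body):
        schemas = body.get("schemas", [])
        if SCIM_USER not in schemas:
            why = "SCIM 1.1 payload" if SCIM_V1_USER in schemas else "unknown schema"
            return 400, {"status": "400", "scimType": "invalidValue",
                         "detail": f"{why}; the SCIM 2.0 User schema is required"}
        if not body.get("userName") or not body.get("externalId"):
            return 400, {"status": "400", "scimType": "invalidValue",
                         "detail": "userName and externalId are required"}
        if any(u["externalId"] == body["externalId"] for u in self.users.values()):
            return 409, {"status": "409", "scimType": "uniqueness"}
        user = {k: body[k] for k in ("userName", "externalId", "name", "emails") if k in body}
        user.update(schemas=[SCIM_USER], id=str(uuid.uuid4()), active=bool(body.get("active", True)))
        self.users[user["id"]] = user
        return 201, user

    def _patch(self, user_id, body):
        if SCIM_PATCH not in body.get("schemas", []):
            return 400, {"status": "400", "scimType": "invalidSyntax"}
        user = self.users[user_id]
        for op in body.get("Operations", []):
            if str(op.get("op", "")).lower() == "replace" and op.get("path") == "active":
                user["active"] = bool(op.get("value"))
            else:
                return 400, {"status": "400", "scimType": "invalidPath",
                             "detail": "only replacing 'active' is modelled here"}
        return 200, user


if __name__ == "__main__":
    sp = ScimUsers()
    auth = {"Authorization": f"Bearer {ACCESS_TOKEN}"}
    print(sp.handle("POST", sp.path, {}, {})[0])                    # 401: no token
    status, user = sp.handle("POST", sp.path, auth, {
        "schemas": [SCIM_USER], "userName": "jdoe@example.com", "externalId": "guid-1",
        "name": {"givenName": "Jane", "familyName": "Doe"},
        "emails": [{"value": "jdoe@example.com", "primary": True}],
    })
    print(status, user["active"])                                   # 201 True
    print(sp.handle("DELETE", f"{sp.path}/{user['id']}", auth)[0])  # 204
```

The 400 on a SCIM 1.1 schema is the failure you see when the SP connection is created with the built-in SCIM 1.1 type instead of the SCIM Connector; the 401 is what a wrong or expired access token produces.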
Click Next. In the Manage Channels tab press the Create button.
Pick a unique and recognizable Channel Name.
In the Source tab, select the data store configured earlier in this guide. Click Next.
In the Source Settings tab fill in the following:
Entity GUID Attribute
Group Member Attribute
User Object Class
Group Object Class
Changed Users/Groups Algorithm: Timestamp No Negation
Account Status Attribute
Account Status Algorithm
Flag Comparison Value
Note that this value is compared case sensitively. If the attribute is stored as TRUE in LDAP while the value entered here is lowercase, the comparison will not match, the user will not be reported as disabled, and the account stays active in Chaos even though it is locked in the directory. Verify this with a test account that you lock in LDAP before relying on it for deprovisioning.
Flag Comparison Status
These settings are only applicable in case you are using PingDirectory (Ping Identity’s LDAP server) as a user repository. Consult PingFederate’s documentation if you are using a different User repository datastore.
In the Source Location tab fill in:
In the Attribute Mapping tab configure:
Configure any additional fields, listed in Basics > SCIM as per your schema definition and needs.
The required active field is not mapped by hand: it is calculated from the Account Status Attribute, Account Status Algorithm and flag settings defined on the Source Settings tab earlier.
An excerpt from the PingFederate’s official documentation reads:
"Flag Comparison Status:
Indicates whether the user is enabled or disabled when the flag has the value specified in the Flag Comparison Value field. Setting the value to true equals enabled, while setting the value to false equals disabled.
If the Account Status Attribute is set to nsaccountlock, and the Flag Comparison Value is set to true, and the Flag Comparison Status is set to false, then any users with nsaccountlock=true are disabled."
Click Save to save the SP Connection.
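Because the active value is derived rather than mapped, it is worth modelling the flag comparison before going live. The following Python is an added example for this page, not PingFederate code: it reproduces the rule in the documentation excerpt above (attribute nsaccountlock, comparison value true, Flag Comparison Status false), including the case-sensitive comparison, over a handful of constructed PingDirectory entries, and reports the entries that are locked in the directory but would still be provisioned as active. That a non-matching value yields the opposite of Flag Comparison Status is an assumption of this model; the sample entries are constructed.

```python
# Model of the Account Status flag comparison from the Source Settings tab,
# written for this page; it is not PingFederate's implementation.

# Constructed PingDirectory entries (DN -> attributes). bob is locked correctly,
# carol is locked with an upper-case flag value, dave carries an explicit false.
SAMPLE_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "nsaccountlock": "true"},
    "uid=carol,ou=people,dc=example,dc=com": {"uid": "carol", "nsaccountlock": "TRUE"},
    "uid=dave,ou=people,dc=example,dc=com": {"uid": "dave", "nsaccountlock": "false"},
}

# Settings from the documentation excerpt: a match on "true" means disabled.
STATUS_ATTRIBUTE = "nsaccountlock"
COMPARISON_VALUE = "true"
COMPARISON_STATUS = False


def ldap_user_active(entry, status_attribute=STATUS_ATTRIBUTE, comparison_value=COMPARISON_VALUE,
                     comparison_status=COMPARISON_STATUS, case_sensitive=True):
    """Compute the SCIM 'active' value for one LDAP entry.

    When the status attribute equals the comparison value the user's status is
    comparison_status (True = enabled); otherwise it is the opposite (assumption).
    A missing attribute counts as "not equal", the normal state of an unlocked account.
    """
    raw = entry.get(status_attribute)
    values = raw if isinstance(raw, list) else ([] if raw is None else [raw])
    if case_sensitive:   # PingFederate's behaviour, as the note above says
        matched = comparison_value in values
    else:                # tolerant variant, used only to audit the directory
        matched = comparison_value.casefold() in (v.casefold() for v in values)
    return comparison_status if matched else not comparison_status


def provisioning_status(entries, **settings):
    """Map each DN to the 'active' value the channel would send to Chaos."""
    return {dn: ldap_user_active(entry, **settings) for dn, entry in entries.items()}


def find_case_mismatches(entries, **settings):
    """DNs whose flag matches the comparison value only when case is ignored.

    These users are locked in the directory but are NOT reported as disabled by
    the case-sensitive comparison, so they keep access in Chaos. Run this over a
    directory export before going live and correct the attribute values.
    """
    settings.pop("case_sensitive", None)
    return sorted(dn for dn, entry in entries.items()
                  if ldap_user_active(entry, case_sensitive=True, **settings)
                  != ldap_user_active(entry, case_sensitive=False, **settings))


if __name__ == "__main__":
    for dn, active in provisioning_status(SAMPLE_ENTRIES).items():
        print(f"{dn}: active={active}")
    print("locked in LDAP but left active:", find_case_mismatches(SAMPLE_ENTRIES))
```

Feed the functions your own export (for example the output of an LDAP search over the user object class) with the attribute, value and status you configured; any DN the audit returns will stay active in Chaos until its flag value is corrected in the directory.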