This page provides information on how to configure Corporate Sign in in Chaos services with PingFederate.
Overview
In this section we explore how you can integrate your PingFederate identity provider with Chaos, so that your employees benefit from the Corporate Sign In functionality.
Before doing the steps in this section, make sure to reach out to Chaos first to request the Corporate Sign In feature.
Chaos to PingFederate communication
The communication link between Chaos and PingFederate goes over a TLS connection. In order for this communication to be successful PingFederate must present a trusted SSL certificate.
PingFederate configuration
The following sections assume you have PingFederate installed and Outbound Provisioning enabled. This setup has been verified against PingFederate version 10.
In addition to the basic installation you need to install Ping’s official SCIM Connector. PingFederate only supports SCIM version 1.1 which is not compatible with SCIM version 2.0 that Chaos uses. The connector will add support for SCIM version 2 to PingFederate Outbound provisioning capabilities.
Please consult PingFederate’s installation and configuration documentation in case you need help.
Configure OpenID-Connect policy
This step is needed so that the returned OAuth tokens contain the required claims with the information, taken from the correct LDAP attributes.
In PingFederate’s administrative UI go to Applications > OAuth > OpenID Connect Policy Management and click Add Policy.
Policy ID | A unique identifier of the policy |
Name | A unique and recognizable name for this policy |
Access Token Manager | JSON Web Tokens |
INCLUDE USER INFO IN ID TOKEN | ✅ Checked |
Click Next.
Under Attribute Contract leave only email, family_name and given_name:
Click Next.
Under Attribute Scopes add profile and select the email attribute manually. Don’t forget to press Add.
Click Next.
Under Attribute Sources & User Lookup, click Add Attribute Source. Fill in the following information for the attribute source datastore:
Attribute Source ID | A unique identifier of the attribute source |
Attribute Source Description | A description for the attribute source |
Active Data Store | pingdirectory |
This will automatically fill in the store type as LDAP.
Click Next.Under LDAP Directory Search tab fill in the following: Base DN | dc=example,dc=com |
Attributes to return from search:Select <Show all attributes> and add the following attributes: | mailcnsn |
Click Next.Under LDAP Filter put the following as filter: entryUUID=${Username}
Click Done.Back on the OIDC Policy management under Contract Fulfillment select the source to take the corresponding OAuth claims from as follows:
Go to Summary page and click Save.
Creating an OAuth client in PingFederate
Open PingFederate’s administrative UI, go to Applications > OAuth > Clients and create a New Client.Fill in the following fields:
Client ID | The <client id> |
Name | A unique and recognizable name |
Client Authentication | CLIENT SECRET. After selecting this option a new field called Client Secret will be displayed underneath |
Client Secret | The <client secret> |
Allowed Grant Types | Authorization Code |
OpenID Connect > Policy | The policy, created in the previous section |
The <client id> and <client secret> are provided by Chaos during the onboarding process.
Click Save.
Configure User datastore
In this guide we are using Ping Identity’s own LDAP solution - PingDirectory.
If your setup depends on another user repository type, some steps may be different. To start with LDAP navigate to System > Data & Credential Stores > Data Stores and Add New Data Store.
Pick a unique name and select LDAP as store type. Follow the instructions in PingFederate’s documentation on how to configure an LDAP connection.
Create a SCIM SP Connection
In Applications > Integration > SP Connections click Create Connection.
Select Do not use a template for this connection and click Next.
On the Connection Type tab select Outbound Provisioning and from the new drop-down menu select Type: SCIM Connector.
The SCIM Connector type will only show if you’ve successfully installed the SCIM Connector from the PingFederate configuration section above and restarted PingFederate after doing so. Using SCIM 1.1 Service Provider will not work.
Click Next.
In the General Info tab fill in:
Partner’s Entity ID | A unique ID identifying the partner connection |
Connection Name | A unique and recognizable name for this connection |
Click Next.
On the Outbound Provisioning click Configure Provisioning.
In the Target tab fill in the following:
SCIM URL | https://dev.scim.chaos.com/<tenant id>/v2 |
SCIM Version | 2.0 |
Authentication Method | OAuth 2 Bearer Token |
Access Token | <access token> |
Unique User Identifier | workEmail |
Users API Path | /Users |
Provisioning Options | Select:
|
Remove User Action | Possible options are:
Chaos recommends picking Delete User |
The <tenant id>, part of the SCIM URL and the <access token> are provided by Chaos during the onboarding process.
Click Next. In the Manage Channels tab press the Create button.
Pick a unique and recognizable Channel Name.
Click Next.
In the Source tab select the DataStore, configured earlier in this guide. Click Next.
In the Source Settings tab fill in the following:
Entity GUID Attribute | entityUUID |
GUID Type | Text |
Group Member Attribute | uniqueMember |
User Object Class | person |
Group Object Class | groupOfUniqueNames |
Changed Users/Groups Algorithm | Timestamp No Negation |
Timestamp Attribute | modifyTimestamp |
Account Status Attribute | accountLocked |
Account Status Algorithm | Flag |
Default Status | true |
Flag Comparison Value | true Note that this value is case sensitive. If the attribute value is set as TRUE in LDAP, the comparison here will not pass and the account won’t be locked. |
Flag Comparison Status | false |
These settings are only applicable in case you are using PingDirectory (Ping Identity’s LDAP server) as a user repository. Consult PingFederate’s documentation if you are using a different User repository datastore.
Click Next.
In the Source Location tab fill in:
Base DN | dc=example,dc=com |
Users Filter | (&(uid=*)(objectClass=person)) |
Click Next.
In the Attribute Mapping tab configure:
userName | uid |
workEmail | |
familyName | sn |
givenName | cn |
Configure any additional fields, listed in Basics > SCIM as per your schema definition and needs.
The required active field is automatically calculated based on the configuration, defined in the Source Settings tab earlier. It depends on the Account Status Attribute and Account Status Algorithm and the flag combinations set in that section.
An excerpt from the PingFederate’s official documentation reads:
"Flag Comparison Status:
Indicates whether the user is enabled or disabled when the flag has the value specified in the Flag Comparison Value field. Setting the value to true equals enabled, while setting the value to false equals disabled.
Example:
if the Account Status Attribute is set to nsaccountlock, and the Flag Comparison Value is set to true, and the Flag Comparison Status is set to false, then any users with nsaccountlock=true are disabled."
Click Save to save the SP Connection.