Eptura Knowledge Center

Integrate PingFederate with Okta

Level: Eptura Implementation team / Client IT team

Eptura supports integration with PingFederate, and this article details how to configure SSO through it. It is written for administrators and assumes familiarity with PingFederate, Okta and basic identity management concepts.

Contents

  • Prerequisites
  • Step 1. Integrate PingFederate with Okta
    • Step 1.1 Register Web App on Okta for PingFederate (Client Team)
    • Step 1.2 Create IdP Connection on PingFederate (Implementation Team)
    • Step 1.3 Set Ping result URI in Okta Ping application (Client Team)
  • Step 2. Sign in to Eptura using an SSO user (Client Team)
  • Step 3. Integrate SCIM with User Directory (Client Team)
  • Step 4. User Access to Eptura Applications

Prerequisites

Before configuring SCIM-based provisioning for Eptura, make sure Okta is configured as an IdP connection on PingFederate (Step 1) so that SSO login works. Additionally, your Super Admin must be defined in Okta with the First Name, Last Name and Email Address properties completed.

Step 1. Integrate PingFederate with Okta

Below are the steps for the PingFederate integration.

Step 1.1 Register Web App on Okta for PingFederate (Client Team)

Create a new OIDC application

  1. Log in to your Okta Admin Console.
  2. Navigate to Applications > Applications.
  3. Click the Create App Integration button.

The Create a new app integration dialog displays.

  4. For the Sign-in method, select the OIDC - OpenID Connect option.
  5. For the Application Type, select the Web Application option.
  6. Click the Next button and the New Web App Integration page displays.

  7. Complete the following:
  • App integration name - Enter a name for your PingFederate integration, for example eptura-ping-app-dev.
  • Grant type - Make sure that Authorization Code is selected. Do not enable the Implicit (hybrid) grant; the PingFederate IdP connection uses the authorization code flow and needs nothing else.
  • Sign-in redirect URIs - You will come back and enter the Redirect URI that PingFederate generates in Step 1.2.
  • Assignments - Select the Allow everyone in your organization to access option.

Assign the application to appropriate users or groups

You can assign users and groups while creating the web app, or after you have created it.

  • Allow everyone in your organization to access assigns all users to this app. We recommend you have Federation Broker Mode enabled.
  • Limit access to selected groups restricts the app to the groups you select (the groups must already exist).
  • Skip group assignment for now lets you assign users or groups later, from the app's Assignments tab.

  8. Click the Save button.

Copy the following values and keep them for the PingFederate configuration in Step 1.2:

  • Client ID
  • Client Secret
  • Okta domain
  • Authorization server information: the Issuer URI of the authorization server you will use (Security > API; you may need to create or select one). For the default authorization server this is https://<okta-domain>/oauth2/default.

The Client Secret is a credential: store it in a password manager or secrets vault rather than a plain text file, and hand it to the Implementation Team over a secure channel, not by email or in a ticket. If it is ever exposed, generate a new secret in the Okta app and update the PingFederate connection.
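Before handing the authorization server details to the Implementation Team, it is worth confirming that the issuer's discovery document actually offers what the PingFederate connection in Step 1.2 relies on (matching issuer, HTTPS endpoints, the authorization code flow, POST client authentication and the claim you intend to map). The following Python script is an added example, not Eptura, Okta or Ping code; the discovery document is a constructed, abbreviated sample modelled on Okta's default authorization server, and dev-000000.okta.com is a placeholder domain.

```python
"""Check an OIDC discovery document before its issuer goes into PingFederate.

Added example, not Eptura, Okta or Ping code. SAMPLE_DISCOVERY is a
constructed, abbreviated copy of what Okta's default authorization server
returns; dev-000000.okta.com is a placeholder domain.
"""
import json
from urllib.parse import urlparse

# Constructed sample of GET <issuer>/.well-known/openid-configuration
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://dev-000000.okta.com/oauth2/default",
    "authorization_endpoint": "https://dev-000000.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://dev-000000.okta.com/oauth2/default/v1/token",
    "jwks_uri": "https://dev-000000.okta.com/oauth2/default/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "token_endpoint_auth_methods_supported": [
        "client_secret_basic", "client_secret_post", "none"],
    "claims_supported": ["sub", "email", "preferred_username", "name"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def check_discovery(doc_json, expected_issuer, username_claim="preferred_username"):
    """Return a list of problems; an empty list means the document is usable.

    Each check mirrors something the PingFederate IdP connection depends on:
    - the issuer must equal the value you expect (Load Metadata overwrites the
      Issuer field with 'iss', and every ID token must then carry that issuer);
    - the endpoints must be HTTPS and on the issuer's host;
    - the authorization code flow and client_secret_post must be offered
      (Grant type in Okta, Authentication Scheme POST in PingFederate);
    - the claim chosen for OAuth Attribute Mapping should be advertised;
    - RS256 ID token signing must be available.
    """
    doc = json.loads(doc_json)
    problems = []
    issuer = doc.get("issuer", "")
    if issuer != expected_issuer:
        problems.append(f"issuer mismatch: got {issuer!r}, expected {expected_issuer!r}")
    issuer_host = urlparse(expected_issuer).hostname
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key, "")
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{key} is not https: {url!r}")
        elif parsed.hostname != issuer_host:
            problems.append(f"{key} is not on the issuer host: {url!r}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not offered")
    if "client_secret_post" not in doc.get("token_endpoint_auth_methods_supported", []):
        problems.append("client_secret_post not offered; PingFederate Authentication Scheme POST will fail")
    if username_claim not in doc.get("claims_supported", []):
        problems.append(f"claim {username_claim!r} is not advertised in claims_supported")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID token signing not offered")
    return problems


if __name__ == "__main__":
    # Offline run against the constructed sample. Against a real tenant, fetch the
    # document with: curl -s https://<okta-domain>/oauth2/default/.well-known/openid-configuration
    issues = check_discovery(SAMPLE_DISCOVERY, "https://dev-000000.okta.com/oauth2/default")
    print("discovery document OK" if not issues else "\n".join(issues))
```

Treat the claims_supported finding as advisory: the OIDC discovery specification allows a server to omit claims it does emit, so confirm the chosen claim by inspecting a real ID token if it is reported missing. The other findings are hard failures for this integration.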

Create Access Policy in the selected Authorization server

  1. Navigate to Security > API.
  2. Click default (or the authorization server you chose above). The authorization server's settings display.
  3. Click the Access Policies tab.
  4. Click the Add Policy button and the Add Policy dialog displays.
  5. In the Name field, enter a descriptive name for this policy.
  6. In the Description field, enter a short description.
  7. Under Assign to, prefer The following clients and select the PingFederate web app rather than All clients, so the policy only issues tokens for this integration.
  8. Click the Create Policy button.
  9. Click the Add rule button and the Add Rule dialog displays.
  10. In the Rule Name field, enter a descriptive name for this rule.
  11. Use the default settings. If you want to be strict, limit the allowed grant types to Authorization Code (and Refresh Token, if you enabled it on the app); that is all the PingFederate connection uses.
  12. Click the Create rule button and the rule is saved.

Step 1.2 Create Idp Connection on PingFederate (Implementation Team)

  1. Log in to PingFederate.
  2. Navigate to Authentication > IdP Connections.
  3. Click the Create Connection button. The IdP Connections screen displays.
  4. Check the Browser SSO Profiles check box.
  5. From the Protocol drop-down, select OpenID Connect.
  6. Click the Next button.
  7. Check the OAuth Attribute Mapping check box.
  8. Click the Next button and the General Info tab displays.

The General Info tab is where you enter the information the customer provided in Step 1.1.

  9. In the Issuer field, enter the Issuer URI of the Okta authorization server saved in Step 1.1 (for the default authorization server, https://<okta-domain>/oauth2/default). PingFederate fetches the discovery document from <issuer>/.well-known/openid-configuration.
  10. Click the Load Metadata button. You will see the message, "Metadata successfully loaded. The issuer was updated to match the `iss` value from the discovery endpoint." Check that the issuer now shown is the one you expect: it is the value PingFederate will require in every ID token it accepts over this connection.
  11. In the Connection Name field, enter the customer's primary email domain (the domain users sign in with); the authentication policy in Step 1.3 selects this connection by that domain.
  12. In the Client ID field, enter the Client ID of the Okta web app saved in Step 1.1.
  13. In the Client Secret field, enter the Client Secret of the Okta web app saved in Step 1.1.
  14. Click the Next button and the Browser SSO tab displays.
  15. Click the Configure Browser SSO button.

  16. Click the Configure User-Session Creation button and the User-Session Creation screen displays.
  17. Select the No Mapping option, because the connection will be used within an authentication policy.
  18. Click the Next button and the Attribute Contract tab displays, with some attributes pre-populated. They are only pre-populated if you clicked the Load Metadata button on the General Info tab (step above).
  19. If needed, add or delete attributes.
  20. Click the Next button to display the summary screen.
  21. Click the Done button to display the Browser SSO screen.
  22. Click the Next button to display the OAuth Attribute Mapping tab.

  23. Click the Configure OAuth Attribute Mapping button and the Data Store tab displays.
  24. Click the Next button and the Contract Fulfillment tab displays.
  25. From the Source field, choose Provider Claims and from the Value drop-down, select preferred_username.

This can be any claim that carries a username (or user email). In our case the preferred_username (preferred_screenname) attribute from the IdP holds the email address. Whatever claim you choose becomes the identity Eptura matches on, so it must carry the same value that SCIM provisions as the user's username or email (Step 3), and it should be a claim that users cannot edit themselves.

  26. Click the Next button to see the Issuance Criteria tab. You do not need to change anything on this tab.
  27. Click the Next button to see the Summary tab.
  28. Click the Done button to return to the OAuth Attribute Mapping tab.
  29. Click the Next button to see the Protocol Settings tab. This tab is auto-populated when the Load Metadata button is clicked on the General Info tab (step above).
  30. Click the Configure Protocol Settings button to see the configuration summary.
  31. Click the OpenID Provider Info tab and set the Authentication Scheme to POST (client_secret_post: the client secret is sent in the body of the token request, which Okta's authorization servers accept).
  32. Click the Next button to see the Summary tab.
  33. Click the Done button to return to the Browser SSO screen.
  34. Click the Next button to see the Activation & Summary screen.

Redirect URI

The Activation & Summary screen displays the Redirect URI. It starts with https:// and ends with .openid.

  35. Copy the URI and paste it into a text editor.
  36. Replace localhost with the PingFederate host for your Eptura tenant's environment. Change only the host: Okta compares the registered Sign-in redirect URI with the one PingFederate sends as an exact string, so the scheme, port, path and the .openid suffix must stay exactly as generated.
  37. Scroll to the end of the screen.
  38. Click the Save button.

The connection is created and activated, and you will see it in the list of IdP Connections.

Provide the IdP Connection Redirect URI to the customer.
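The host substitution above is easy to get subtly wrong, because Okta's redirect URI check is an exact string comparison and a stray trailing slash or a dropped port is enough to break the login. The following Python snippet is an added example, not Eptura, Okta or Ping code; the localhost URI, port 9031 and the /sp/... path are placeholders standing in for what your PingFederate instance shows on the Activation & Summary screen.

```python
"""Finalize the PingFederate Redirect URI and check it against Okta's registration.

Added example, not Eptura, Okta or Ping code. ping.example.com, port 9031 and
the /sp/... path are placeholders for what PingFederate actually displays.
"""
from urllib.parse import urlparse, urlunparse

# Constructed sample of the URI PingFederate shows before the host is fixed.
URI_FROM_PING = "https://localhost:9031/sp/Q29ubmVjdGlvbklE.openid"


def finalize_redirect_uri(uri_from_ping, ping_host):
    """Replace the localhost placeholder with the real PingFederate host.

    Only the host is changed; scheme, port, path and the .openid suffix stay
    exactly as PingFederate generated them.
    """
    parsed = urlparse(uri_from_ping)
    if parsed.hostname != "localhost":
        raise ValueError(f"expected a localhost placeholder, got {parsed.hostname!r}")
    netloc = ping_host if parsed.port is None else f"{ping_host}:{parsed.port}"
    return urlunparse(parsed._replace(netloc=netloc))


def validate_redirect_uri(uri):
    """Return problems with a finalized URI; an empty list means it is ready for Okta."""
    parsed = urlparse(uri)
    problems = []
    if parsed.scheme != "https":
        problems.append("scheme must be https")
    if parsed.hostname in (None, "localhost"):
        problems.append("host is missing or still localhost")
    if not parsed.path.endswith(".openid"):
        problems.append("path must end with .openid")
    if parsed.query or parsed.fragment:
        problems.append("query or fragment would break Okta's exact match")
    return problems


def okta_will_accept(registered_uris, presented_uri):
    """Okta compares redirect_uri with the registered Sign-in redirect URIs as an
    exact string, so a trailing slash, a different port, or http instead of
    https is a mismatch and the login fails with a redirect_uri error."""
    return presented_uri in registered_uris


if __name__ == "__main__":
    final = finalize_redirect_uri(URI_FROM_PING, "ping.example.com")
    print(final, validate_redirect_uri(final))
    print(okta_will_accept([final], final))        # exact match: accepted
    print(okta_will_accept([final], final + "/"))  # trailing slash: rejected
```

Register the value that finalize_redirect_uri returns, unchanged, in the Okta web app's Sign-in redirect URIs; okta_will_accept models the comparison Okta performs at login time.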

Step 1.3 Set Ping result URI in Okta Ping application (Client Team)

First, enter the Redirect URI you received from the Implementation Team in the Sign-in redirect URIs field of the Okta web app created in Step 1.1 and save the app. Then configure the PingFederate authentication selector and policy so that logins for your email domain are routed to the new IdP connection.

  1. Log in to PingFederate.
  2. From the top menu, click Authentication.
  3. From the left menu, click Policies > Selectors.
  4. Select the HttpRequestDomainSelector.
  5. Click the Selector Result Values tab.
  6. In the result values, enter the users' email domain. Only add domains the customer owns: every login whose email domain matches is sent to this IdP connection.
  7. Click the Add button.
  8. Click the Save button.

Next, find the domain in a policy and define what happens when a login attempt for that domain fails or succeeds.

  9. From the left menu, click Policies.
  10. Scroll down to the policy and click DomainSelectorPolicy.
  11. Scroll down; under HttpRequestDomainSelector there is a list of the existing domains.
  12. Locate your domain and click its drop-down.
    1. From the drop-down, select the IdP Connection.
    2. Either browse the list or search for your domain name (the connection name from Step 1.2).
    3. Select the domain name.
  13. Next, complete the Fail and Success branches for your connection.
  14. For Fail, select Done.
  15. For Success, select Done.
  16. Click the Save button.

Step 2. Sign in to Eptura using an SSO user (Client Team)

Learn how to sign in to Eptura using an SSO user, or using Form Authentication where your user was created manually, in the article Eptura - Authentication Methods.

Step 3. Integrate SCIM with User Directory (Client Team)

Your IdP is connected to the Eptura SCIM service using the SCIM URL and SCIM token. Once connected, the SCIM service imports the user accounts from your IdP (for Okta, the users assigned to the provisioning app). The user attributes in your IdP need to be mapped to SCIM attributes. After the initial synchronization, further synchronizations run on a schedule of every 40 minutes. The SCIM token is a bearer credential that lets its holder create and modify users in your Eptura directory: store it as you would a password and rotate it if it is exposed. See the article Configure SCIM provisioning for Okta.
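The attribute mapping mentioned above is where provisioning usually goes wrong: the Prerequisites section requires First Name, Last Name and Email on every user, and the username SCIM sends has to line up with the claim mapped in Step 1.2 or SSO users will not match their person records. The following Python example is added here and is not Eptura's SCIM service or Okta's provisioning connector; the profile attribute names (login, firstName, lastName, email) follow Okta's default user profile, the sample profiles are constructed, and the SCIM URL and token are placeholders.

```python
"""Map IdP user profiles to SCIM 2.0 User resources and reject incomplete ones.

Added example, not Eptura's SCIM service or Okta's provisioning connector.
Attribute names follow Okta's default user profile; the SCIM URL and token
used in __main__ are placeholders.
"""
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# The attributes the Prerequisites section requires for every provisioned user.
REQUIRED_ATTRIBUTES = ("firstName", "lastName", "email")

# Constructed sample profiles as they would come from the IdP.
SAMPLE_PROFILES = [
    {"id": "00u1abc", "login": "ada@example.com", "firstName": "Ada",
     "lastName": "Lovelace", "email": "ada@example.com", "status": "ACTIVE"},
    {"id": "00u2def", "login": "svc-scan@example.com", "firstName": "",
     "lastName": "Scanner", "email": "svc-scan@example.com", "status": "ACTIVE"},
    {"id": "00u3ghi", "login": "bob@example.com", "firstName": "Bob",
     "lastName": "Builder", "email": "bob@example.com", "status": "DEPROVISIONED"},
]


def to_scim_user(profile):
    """Build the SCIM User payload for one profile, or raise ValueError when a
    required attribute is empty so the gap is reported instead of silently
    provisioning a person with no name or email."""
    missing = [a for a in REQUIRED_ATTRIBUTES if not profile.get(a)]
    if missing:
        raise ValueError(f"{profile.get('login')}: missing {', '.join(missing)}")
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": profile["id"],
        # userName must carry the same value as the claim mapped in PingFederate
        # (preferred_username, the Okta login) so SSO users match the person
        # records SCIM creates.
        "userName": profile["login"],
        "name": {"givenName": profile["firstName"], "familyName": profile["lastName"]},
        "emails": [{"value": profile["email"], "type": "work", "primary": True}],
        # A deactivated IdP user is pushed with active=false rather than dropped,
        # so the Eptura account is disabled instead of lingering.
        "active": profile.get("status") == "ACTIVE",
    }


def provision_batch(profiles):
    """Return (payloads, rejected) so a sync run can report skipped users."""
    payloads, rejected = [], []
    for profile in profiles:
        try:
            payloads.append(to_scim_user(profile))
        except ValueError as err:
            rejected.append(str(err))
    return payloads, rejected


def build_scim_request(payload, scim_url, scim_token):
    """Assemble the POST /Users request a connector would send. The token is a
    bearer credential: it goes in the Authorization header, never in the URL."""
    return {
        "method": "POST",
        "url": scim_url.rstrip("/") + "/Users",
        "headers": {
            "Authorization": f"Bearer {scim_token}",
            "Content-Type": "application/scim+json",
            "Accept": "application/scim+json",
        },
        "body": payload,
    }


if __name__ == "__main__":
    payloads, rejected = provision_batch(SAMPLE_PROFILES)
    for p in payloads:
        # Placeholder SCIM URL and token; nothing is sent in this offline example.
        req = build_scim_request(p, "https://scim.example.invalid/scim/v2", "REPLACE_ME")
        print(req["method"], req["url"], p["userName"], "active" if p["active"] else "inactive")
    for r in rejected:
        print("rejected:", r)
```

Running it shows the service-account profile with an empty first name rejected up front and the deprovisioned user pushed as inactive, which is the behaviour you want from a scheduled sync: an incomplete record is surfaced for the IdP administrator to fix rather than silently creating a half-populated person in Eptura.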

Step 4. User Access to Eptura Applications

Users synchronized from your IdP through SCIM are created in Eptura as a person. To change the access a user has to Eptura's product applications, see Add, Edit, or Delete a Group.