Avi Vantage Integration with PingFederate

Starting with release 18.2.2, an Avi virtual service can act as a Security Assertion Markup Language (SAML) service provider (SP). In this role, the Avi virtual service sends authentication requests to an identity provider (IDP), and the IDP's responses govern user access to the back-end applications running in Avi pools. Avi Networks has implemented several third-party integrations to give customers a choice of IDP. This article outlines the steps necessary to enable PingFederate as the IDP.

Avi as SP and PingFederate as IDP

Configuring PingFederate as IDP

Create a new adapter instance by following these steps.

  1. On the PingFederate Dashboard, go to IdP Configuration and click on Adapters under Application Integration.

  2. Under Manage IdP Adapter Instances, click on Create New Instance.

  3. On the Type tab, enter an Instance Name and Instance ID and click on Next.

  4. On the IdP Adapter tab, click on Add a new row to ‘Credential Validators’ to define a credential authentication.

  5. Select a Password Credential Validator Instance and click on Update.

  6. On the Extended Contract screen, click on Next.

  7. On the Adapter Attributes tab, select the username checkbox under Pseudonym and other attributes, if available, and click on Next.

  8. On the Adapter Contract Mapping tab, click on Next, verify the summary, and click on Done.

Adding the SP details

  1. Log in to the PingFederate management console, navigate to IdP Configuration > SP Connections and click on Create New.

  2. On the Connection Type tab, click on Next.

  3. On the Connection Options tab, click on Next.

  4. On the Metadata URL screen, click on Next.

  5. On the General Info tab, enter the connection information and click on Next.

  6. On the Browser SSO tab, click on Configure Browser SSO, choose the SP-initiated SSO option on the next screen and click on Save.

  7. On the Assertion Lifetime screen, click on Next.

  8. On the Assertion Creation screen, click on Configure Assertion Creation.

  9. On the Identity Mapping screen, choose STANDARD and click on Next.

  10. On the Attribute Contract screen, you can keep the default contract or add custom user attributes to the assertion. Click on Next.

  11. On the Authentication Source Mapping screen, click on Map New Adapter Instance.

  12. On the Adapter Instance screen, choose the adapter instance.

  13. Click on Next.

  14. On the Mapping Method screen, click the third option if you do not want additional attributes.

    Note: Skip steps 14 to 16 if you want additional attributes and proceed directly to step 17.

  15. On the Attribute Contract Fulfillment screen, choose the details and click on Next.

  16. Click Next on the Issuance Criteria screen, review the summary and click on Done.

  17. (If no attribute lookup is required, skip the next steps and proceed to step 23.)
    If you want additional attributes, choose the second option on the Mapping Method screen instead of the third option mentioned in step 14, and click on Next.

  18. On the Attribute Sources & User Lookup screen, click on Add Attribute Source.

  19. Select your data store on the next screen, or click on Manage Data Stores to add a new one.

  20. Add a new data store if you do not have an existing source.

  21. Once the data store is added, choose the required columns on the Database Table and Columns screen and click on Next. On the Database Filter screen, you can add filters using a WHERE clause; once they are added, click on Next.

  22. On the Attribute Contract Fulfillment screen, choose the details and click on Next. Click Next on the Issuance Criteria screen, review the summary, and click on Done.

  23. The Authentication Source Mapping screen will then appear; click on Next. This takes you to the Summary page; click on Done.

  24. The Assertion Creation screen will reappear. Click on Next. In the Protocol Settings section, click on Configure Protocol Settings.

  25. On the Assertion Consumer Service URL screen, enter the Endpoint URL.

  26. On the Allowable SAML Bindings tab, select the binding for communication from SP to IDP, which should be REDIRECT.

  27. On the Signature Policy screen, click on Next.

  28. On the Encryption Policy screen, click on Next.

  29. If the summary looks OK, click on Done. The Protocol Settings screen will reappear; click on Next. Review the summary and click on Next.

  30. The Browser SSO tab will reappear; click on Next.

  31. Under Credentials, click on Configure Credentials.

  32. On the Digital Signature screen, select the signing certificate and click on Next.
    Check the Summary and click on Save.

  33. The Credentials page will reappear; click on Next.
    Validate the rest of the configuration and click on Save.

    The configuration is complete. The metadata can be downloaded using the following steps:

    • Click on Identity Provider; this takes you to the Console.

    • Click on Manage All under SP Connections.

    • Click on Select Action for the connection whose metadata you want to download, and click on Export Metadata.

    • On the next screen, choose the signing certificate and click on Next.

    • Click on Export and then click on Done.

      This completes the process of creating an application on PingFederate.

      Once configuration is complete on PingFederate, configure an Avi virtual service to act as service provider by following the instructions given in the SAML Configuration on Avi Vantage article.
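Before loading the exported file into the Avi SP configuration, it is worth confirming that it actually contains what the steps above configured: an entityID, a SingleSignOnService endpoint with the HTTP-Redirect binding (step 26) and a signing certificate (step 32). The following Python script is an added example and is not part of this article or of the Avi or Ping products; the metadata it parses is a constructed sample whose entity ID, hostname and certificate are placeholders.

```python
"""Sanity-check an exported PingFederate IdP metadata file before loading it
into the Avi SP configuration.  Added example, not Avi or Ping code; the
sample metadata below is constructed with placeholder values."""
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML Signature namespaces
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape of a PingFederate export.  The entity ID,
# host and certificate text are placeholders, not real values.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/idp">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/idp/SSO.saml2"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the fields the SP side needs from an IdP metadata document.
    For files from untrusted sources, parse with defusedxml instead of the
    stdlib parser to guard against entity-expansion attacks."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # Map each SSO binding URI to its endpoint location
    sso = {
        e.get("Binding"): e.get("Location")
        for e in idp.findall("md:SingleSignOnService", NS)
    }
    # A KeyDescriptor without a 'use' attribute is valid for both signing
    # and encryption, so treat a missing 'use' as signing-capable.
    signing_certs = [
        c.text.strip()
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if c.text
    ]
    return {
        "entity_id": root.get("entityID"),
        "sso_endpoints": sso,
        "signing_certs": signing_certs,
        "wants_signed_requests":
            idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
    }


def check_idp_metadata(xml_text):
    """Return a list of problems; an empty list means the export matches what
    the SP configuration expects (Redirect binding, signing cert, HTTPS)."""
    info = parse_idp_metadata(xml_text)
    problems = []
    if not info["entity_id"]:
        problems.append("entityID is missing")
    redirect_url = info["sso_endpoints"].get(REDIRECT)
    if not redirect_url:
        problems.append("no SingleSignOnService with the HTTP-Redirect binding")
    elif not redirect_url.startswith("https://"):
        problems.append("HTTP-Redirect SSO endpoint is not HTTPS")
    if not info["signing_certs"]:
        problems.append("no signing certificate (KeyDescriptor use=signing)")
    return problems


if __name__ == "__main__":
    issues = check_idp_metadata(SAMPLE_METADATA)
    print("metadata OK" if not issues else "\n".join("- " + p for p in issues))
```

To check a real export, read the downloaded file and pass its contents to `check_idp_metadata`; a non-empty result means the PingFederate connection does not match what the Avi virtual service will be configured to expect, and the corresponding step above should be revisited before continuing.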