Ping Identity
Use these steps to configure Single Sign-On (SSO) authentication with Ping Identity. SSO is a session/user authentication process that permits a user to enter one name and password in order to access multiple applications.
To configure Ping Identity as your Identity Provider:
- In the Infinity Portal, go to > Identity & Access and click the plus icon.
- Enter a name for the Integration Title and select Ping Identity.
- To continue, click Next.
In this step, you can configure SSO authentication for Infinity Portal administrators and for end users of Check Point services.
- Select Enable Administrators to log in to the portal using this IdP.
- Select one of these options:
  - One organizational account - Infinity Portal Administrators can log into this Infinity Portal account with SSO from the Identity Provider (IdP: the system entity that creates, maintains, and manages identity information for principals and provides authentication services to relying applications within a federation or distributed network). Administrators log in through the Infinity Portal login page.
  - One or more organizational accounts - Infinity Portal Administrators can log in with SSO from the Identity Provider for multiple Infinity Portal accounts. Administrators log in through the URL that shows in the box.
- Do one of these actions:
  - Continue to the Service(s) Integration section.
  - Click Next / Apply to complete the Integration Type configuration.
- In the Service(s) Integration section, select one of these options:
  - No Services - There is no SSO authentication from the Identity Provider for end users of Check Point services. This is the default configuration.
  - All Services - End users can log in with SSO from the Identity Provider for all Check Point services that support SSO.
  - Specific Service(s) - A list of services opens. Select the service(s) for which you want end users to log in with SSO from the Identity Provider. Available services:
    - Harmony Connect
    - Quantum Gateways
- Click Next / Apply to complete the Integration Type configuration.
Note - If you select One or more organizational accounts, this step is not necessary.
On the Verify Domain page, enter your organization's domain.
- To verify ownership of your domain, add the record Value to your public DNS Server.
- Enter the email domains your company uses for authenticating with Ping. Your company's users are directed to Ping based on the domain they used on login.
In this step, you create a SAML application in the Ping Identity Portal. SAML (Security Assertion Markup Language) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider.
Before you start, in the Infinity Portal, copy and save the Entity ID and the Reply URL.
First, create a new environment in the Ping Identity Portal.
- Log in to your Ping Identity Portal.
- Go to the Home page and click Add Environment.
- Select Customer solution and click Next.
- Make sure PingOne for Customers is available. Click Next.
- Enter all relevant information in the form.
- Click Finish. Ping Identity redirects you to the Home page.
In the new environment, create a web application.
- Navigate to Connections > Applications and click Add Application.
- Click WEB APP, then select SAML and click Configure. A new Create App Profile page opens.
- Enter the application details. For example, set the application name to Check Point Infinity Portal.
- Click Next. The Configure SAML Connection page opens.
- Under Provide Meta Data, select Manually Enter.
- Configure the SAML Connection with the Entity ID and Reply URL you saved from the Infinity Portal.
- Click Save and Continue.
- In the Map Attributes page, configure the SAML attributes. The User ID attribute = saml_subject appears by default. Change User ID to Email Address.
- Click Add Attribute and select PingOneAttribute to add a new attribute:
  - For User Attribute, select Group Names.
  - For Application Attribute, enter memberOf.
  - Select the Required option.
- Click Add Attribute and select PingOneAttribute to add a new attribute:
  - For User Attribute, select Given Name.
  - For Application Attribute, enter firstName.
  - Select the Required option.
- Click Add Attribute and select PingOneAttribute to add a new attribute:
  - For User Attribute, select Family Name.
  - For Application Attribute, enter lastName.
  - Select the Required option.
- Click Add Attribute and select PingOneAttribute to add a new attribute:
  - For User Attribute, select Email Address.
  - For Application Attribute, enter email.
  - Select the Required option.
- Click Add Attribute and select PingOneAttribute to add a new attribute:
  - For User Attribute, select User Id.
  - For Application Attribute, enter userid.
  - Select the Required option.
- Click Save and Close.
- Ping Identity redirects you to the Applications page. In your newly created application, go to the Configuration tab and click Download under Connection Details > Download Metadata.
- Download the SAML Metadata file to your computer.
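As an added example (not Check Point's or Ping Identity's code), the following Python check verifies that an incoming assertion actually carries the attribute mapping configured above: a NameID that is an email address, plus the five application attributes marked Required. The assertion, user, groups and IDs are constructed placeholders.

```python
# Added example (not Check Point's or Ping Identity's code): check that a SAML
# assertion carries the attribute mapping configured above. The assertion is
# constructed; user, group and ID values are placeholders.
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Application attributes the mapping above marks as Required.
REQUIRED_ATTRIBUTES = ("memberOf", "firstName", "lastName", "email", "userid")

# Constructed sample assertion (unsigned, for parsing only).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>Infinity-Admins</saml:AttributeValue>
      <saml:AttributeValue>Harmony-Users</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="userid"><saml:AttributeValue>a1b2c3</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_assertion(xml_text):
    """Return (name_id, {attribute name: [values]}) from an assertion document."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", namespaces=NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", namespaces=NS)]
    return name_id, attrs

def check_mapping(xml_text):
    """Return a list of problems; an empty list means the assertion matches the mapping."""
    name_id, attrs = parse_assertion(xml_text)
    problems = []
    # User ID was switched from saml_subject to Email Address, so NameID must be an email address.
    if not name_id or not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id):
        problems.append("NameID is not an email address")
    for name in REQUIRED_ATTRIBUTES:  # every Required attribute must be present and non-empty
        if not attrs.get(name) or all(v == "" for v in attrs[name]):
            problems.append(f"required attribute {name} is missing or empty")
    if name_id and attrs.get("email") and name_id not in attrs["email"]:
        problems.append("NameID does not match the email attribute")
    return problems
```

Note that memberOf is multi-valued: every group the user belongs to arrives as a separate AttributeValue, which is what the Infinity Portal group-to-role assignment relies on.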
IdP Initiated lets you connect directly to the Infinity Portal from your Ping Identity admin console. To do this, you must create an Infinity Portal app card in your Ping Identity admin console. See the Ping Identity documentation for the Application portal.
Step 1: In Infinity Portal, enable IdP Initiated flow:
- In the Infinity Portal > IdP Integration Allow Connectivity step, select the checkbox Enable IDP initiated flow. The Relay State field appears.
Step 2: In your Ping Identity account, configure the IdP Settings:
- Navigate to your Ping Identity admin console.
- From the left toolbar, click Connections > Applications.
- Open the application object for the SAML connection to Infinity Portal.
- From the top navigation toolbar, click Overview.
- Click the Protocol SAML button. The Edit Configuration menu opens for the application object.
- In the Edit Configuration menu > Target Application URL field, enter the Relay State from Infinity Portal.
- Click Save.
Important - Before you can test the connectivity between Ping Identity and Infinity Portal, you must complete all of the IdP integration steps in Infinity Portal.
In this step, you upload the federation metadata XML file.
- On the Infinity Portal, Identity Provider Wizard > Configure Metadata page, upload the Federation Metadata XML that you downloaded from the Ping Identity Portal.
  Note - Check Point uses the service URL and the name of your Certificate to identify your users behind the site.
- Click Next. Check Point verifies the metadata of your Identity Provider.
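As an added example (not code from Check Point or Ping Identity), the Python reader below pulls out the fields a service provider takes from the uploaded federation metadata (entityID, the HTTP-POST SSO URL and the signing certificate) and records a SHA-256 fingerprint of the signing certificate so that a later certificate rotation on the IdP side can be noticed before logins start failing. The metadata, hostname and environment ID are constructed, and the certificate bytes are a labelled placeholder rather than a real certificate.

```python
# Added example (not Check Point's or Ping Identity's code): read what a service
# provider takes from IdP federation metadata and fingerprint the signing
# certificate. The metadata, hostname and environment ID are constructed and the
# certificate bytes are a placeholder, not a real certificate.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
PLACEHOLDER_CERT = base64.b64encode(b"constructed placeholder, not a certificate").decode()

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.invalid/ENV-ID-PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/ENV-ID-PLACEHOLDER/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.invalid/ENV-ID-PLACEHOLDER/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def summarize_idp_metadata(xml_text):
    """Return entityID, the HTTP-POST SSO URL and SHA-256 fingerprints of signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding", "").endswith("HTTP-POST"):
            sso_url = svc.get("Location")
    fingerprints = []
    for key in idp.findall("md:KeyDescriptor", NS):
        if key.get("use", "signing") != "signing":  # no 'use' means signing and encryption
            continue
        for cert in key.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # drop PEM-style line breaks
            fingerprints.append(hashlib.sha256(der).hexdigest())
    if sso_url is None or not fingerprints:
        raise ValueError("metadata lacks an HTTP-POST SSO URL or a signing certificate")
    return {"entity_id": root.get("entityID"), "sso_url": sso_url, "signing_cert_sha256": fingerprints}
```

Store the fingerprint list with the integration record; if a freshly downloaded metadata file yields a different fingerprint, the IdP signing certificate has changed and the Configure Metadata step must be repeated.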
To use Ping Identity for SSO authentication only, select the checkbox I want to skip this step and use this IdP for SSO authentication only.
Directory Integration pulls information about users and groups for the services you selected in the Integration Type step > Service(s) Integration section. Directory Integration does not apply to Users and User Groups in the Infinity Portal.
Important - After you create a Directory Integration, you cannot change it. To create a different Directory Integration, you must create a new Identity Provider (IdP) Integration.
Directory Integration allows Check Point services to query for any change in Ping Identity users and groups. The Infinity Portal pulls all users and groups from Ping Identity.
Set up Users and Groups Synchronization:
To start, create a Worker application; you can then set up permissions for users and groups.
Create a Worker application in the Ping Identity Portal:
- In the Ping Identity Portal, from the left toolbar, click Applications > Add Application. The Applications page opens.
- At the top of the page, click the "+" icon to the right of the word Applications. The Add Application window opens.
- In the Application Name field, enter a name for the application.
- In the Application Type section, select Worker.
- Click Save. Ping Identity creates an application object.
Set up Users and Groups Permissions:
Set up permissions to allow the selection of users and user groups from your Ping Identity for the Infinity Portal SSO.
- In the application object, open the Configuration tab.
- In the upper right, click the edit button (pencil icon).
- In the Grant Type section, select Client Credentials.
- In the Token Endpoint Authentication Method field, select Client Secret Post.
- Click Save.
- Open the Roles tab.
- Click Identity Data Read Only > Select All.
- Click Save.
- On the Applications page:
  - Move the slider for the Web App SAML application you created for the Infinity Portal to the on position.
  - Move the slider for the Worker application you created for the Infinity Portal to the on position.
- Copy the relevant values to the Infinity Portal Wizard:
  - Environment ID - In the Ping Identity Portal, from the left toolbar, click Settings > Environment Properties and copy the value of Environment ID.
  - Region - In the Ping Identity Portal, from the left toolbar, click Settings > Environment Properties and view the region. In the Wizard, enter EU for Europe, COM for the United States, and ASIA for Asia Pacific.
  - Client ID and Shared Secret - In the Ping Identity Portal, from the left toolbar, click Applications and open your Worker application. Open the Overview tab and copy these values: Client ID and Client Secret.
Best Practice - Check Point recommends that you save the ‘Client Secret’ value in a separate secured file to retrieve it when it is required.
Verify that all fields in Directory Integration are correct:
- To test the users and group synchronization between the Infinity Portal and the Identity Provider, click Test Connectivity.
- If the test is unsuccessful, repeat the Set Directory Integration step to configure the user and group synchronization parameters.
- Click Next.
Review the details of the SSO configuration and click Submit.
Important - Before you log out, create a user group with the applicable roles and assign it to the related IdP group name or ID (which of the two applies depends on the identity provider). For more information, see User Groups.