Ping Identity

Use these steps to configure the SSOClosed Single Sign-On (SSO) - A session/user authentication process that permits a user to enter one name and password in order to access multiple applications. authentication with Ping Identity.

To configure Ping Identity as your Identity Provider:

  1. In the Infinity Portal, go to > Identity & Access and click the plus icon.

  2. Enter a name for the Integration Title and select Ping Identity.

  3. To continue, click Next.

In this step, you can configure SSO authentication for Infinity Portal administrators and for end users of Check Point services.

  1. Select Enable Administrators to log in to the portal using this IdP.

  2. Select one of these options:

  1. In the Service(s) Integration section, select one of these options:

    • No Services - There is no SSO authentication from the Identity Provider for end users of Check Point services. This is the default configuration.

    • All Services - End users can log in with SSO from the Identity Provider for all Check Point services that support SSO.

    • Specific Service(s) - A list of services opens. Select service(s) for which you want end users to log in with SSO from the Identity Provider. Available services:

      • Harmony Connect

      • Quantum Gateways

  2. Click Next (or Apply) to complete the Integration Type configuration.

Note - If for Integration Type you selected "Login with a Unique URL", the Verify Domain step is not necessary.

  1. Copy the DNS Value from the Infinity Portal.

  2. On your DNS server, enter the Value as a TXT record.

  3. In the Infinity Portal > Domain(s) section, enter a public DNS domain server name and click the plus icon.

    Check Point makes a DNS query to verify your domain's configuration.

  4. Optional - add more DNS domain servers.

  5. Click Next.

    Note - Wait until the DNS record is propagated and can be resolved.

In this step, you create a SAMLClosed Security Assertion Markup Language. An XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. application in the Ping Identity Portal.

Before you start, in the Infinity Portal, copy and save the Entity ID and the Reply URL.

First, create a new environment in the Ping Identity Portal.

  1. Log in to your Ping Identity Portal.

  2. Go to the Home page and click Add Environment.

  3. Select Customer solution and click Next.

  4. Make sure PingOne for Customers is available. Click Next.

  5. Enter all relevant information in the form.

  6. Click Finish. Ping Identity redirects you to the Home page.

In the new environment, create a web application.

  1. Navigate to Connections > Applications and click Add Application.

  2. Click WEB APP, then select SAML and click Configure.

  3. A new Create App Profile page opens.

  4. Enter the application details. For example, set the application name to Check Point Infinity Portal.

  5. Click Next. The Configure SAML Connection page opens.

  6. Under Provide Meta Data, select Manually Enter.

  7. Configure SAML Connection:

    • ACS URLs - Use the Reply URL.

    • Signing - Set to Sign Response.

    • Entity ID - Use the Entity ID that you copied from the SSO wizard.

    • Assertion Validity Duration - Set to 3600.

  8. Click Save and Continue.

  9. In the Map Attributes page, configure SAML attributes. The User ID attribute = saml_subject appears by default. Change User ID to Email Address.

  10. Click Add Attribute and select PingOneAttribute to add a new attribute:

    1. For User Attribute, select Group Names.

    2. For Application Attribute, enter memberOf.

    3. Select the Required option.

  11. Click Add Attribute and select PingOneAttribute to add a new attribute:

    1. For User Attribute, select Given Name.

    2. For Application Attribute, enter firstName.

    3. Select the Required option.

  12. Click Add Attribute and select PingOneAttribute to add a new attribute:

    1. For User Attribute, select Family Name.

    2. For Application Attribute, enter lastName.

    3. Select the Required option.

  13. Click Add Attribute and select PingOneAttribute to add a new attribute:

    1. For User Attribute, select Email Address.

    2. For Application Attribute, enter email.

    3. Select the Required option.

  14. Click Add Attribute and select PingOneAttribute to add a new attribute:

    1. For User Attribute, select User Id.

    2. For Application Attribute, enter userid.

    3. Select the Required option.

  15. Click Save and Close.

  16. Ping Identity redirects you to the Applications page. In your newly created application, go to the Configuration tab and click Download under Connection Details > Download Metadata.

  17. Download the SAML Metadata file to your computer.

IdP Initiated lets you connect directly to the Infinity Portal from your Ping Identity admin console. To do this, you must create an Infinity Portal app card in your Ping Identity admin console. See the Ping Identity documentation for the Application portal.

Step 1: In Infinity Portal, enable IdP Initiated flow:

In the Infinity Portal > IdP Integration Allow Connectivity step, select the checkbox Enable IDP initiated flow.

The Relay State field appears.

Step 2: In your Ping Identity account, configure the IdP Settings:

  1. Navigate to your Ping Identity admin console.

  2. From the left toolbar, click Connections > Applications.

  3. Open the application object for the SAML connection to Infinity Portal.

  4. From the top navigation toolbar, click Overview.

  5. Click the Protocol SAML button.

    The Edit Configuration menu opens for the application object.

  6. In the Edit Configuration menu > Target Application URL field, enter the Relay State from Infinity Portal.

  7. Click Save.

Important - Before you can test the connectivity between Ping Identity and Infinity Portal, you must complete all of the IdP integration steps in Infinity Portal.

In this step, you upload the federation metadata XML file.

  1. On the Infinity Portal, Identity Provider Wizard > Configure Metadata page, upload the Federation Metadata XML that you downloaded from the Ping Identity Portal.

    Note - Check Point uses the service URL and the name of your Certificate to identify your users behind the site.

  2. Click Next. Check Point verifies the metadata of your Identity Provider.

To use Ping Identity for SSO authentication only, select the checkbox I want to skip this step and use this IdP for SSO authentication only.

Directory Integration gets information about users and groups for the services you selected in the Integration Type step > Service(s) Integration section.

Directory Integration does not apply to Users and User Groups in the Infinity Portal.

Important - After you create a Directory Integration, you cannot change it. To create a different Directory Integration, you must create a new Identity Provider (IdP) Integration.

You can manage user identity data with Manual API Sync or with System for Cross-Domain Identity Management (SCIM).

Directory Integration Method

How it Works

Which Users and Groups are Synced

Manual Sync

Allows Check Point services to query for any change in Ping Identity users and groups. The Infinity Portal pulls users and groups from Ping Identity.

All users and groups in Ping Identity.

Nested groups in Ping Identity are supported.

SCIM (Automatic Sync)

Allows Ping Identity to push any change in the user and group directory to Check Point services.

Only users and groups in Ping Identity that are assigned to the SCIM connection you created from Ping Identity to the Infinity Portal.

Step 1 - Set up Users and Groups Synchronization:

To start, create a Worker application and then you can set up permissions for users and groups.

Step 2 - Create a Worker application in the Ping Identity Portal:

  1. In the Ping Identity Portal, from the left menu, expand Applications > click Add Application.

    The Applications page opens.

  2. At the top of the page click the "+" icon to the right of the word Applications.

    The Add Application window opens.

  3. In the Application Name field, enter a name for the application.

  4. In the Application Type section, select Worker.

  5. Click Save.

    Ping Identity creates an application object.

Step 3 - Set up Users and Groups Permissions:

Set up permissions to allow the selection of users and user groups from your Ping Identity for the Infinity PortalSSO.

  1. In the application object, open the Configuration tab.

  2. In the upper right, click the edit button (pencil icon).

  3. In the Grant Type section, select Client Credentials.

  4. In the Token Endpoint Authentication Method field, select Client Secret Post.

  5. Click Save.

  6. Open the Roles tab.

  7. Click Identity Data Read Only > Select All.

  8. Click Save.

  9. On the Applications page:

    1. Move the slider for the Web App SAML application you created for the Infinity Portal to the on position.

    2. Move the slider for the Worker application you created for the Infinity Portal to the on position.

Step 4 - Copy the relevant values to the Infinity Portal Wizard:

  • Environment ID - In Ping Identity Portal, from the left toolbar, click Settings > Environment Properties and copy the value of Environment ID.

  • Region - In Ping Identity Portal, from the left toolbar, click, Settings > Environment Properties and view the region. In the Wizard, enter EU for Europe, COM for the United States, and ASIA for the Asian Pacific.

  • Client ID and Shared Secret - In Ping Identity Portal, from the left toolbar, click Applications and open your Worker application. Open the Overview tab and copy these values: Client ID and Client Secret.

    Best Practice - Check Point recommends that you save the ‘Client Secret’ value in a separate secured file to retrieve it when it is required.

Step 5 - Verify that all fields in Directory Integration are correct:

  1. To test the users and group synchronization between the Infinity Portal and the Identity Provider, click Test Connectivity.

  2. If the test is unsuccessful, repeat the Set Directory Integration step to configure the user and group synchronization parameters.

  3. Click Next.

Prerequisites:

  • In the Infinity Portal create a user group with an Admin global role. See Users.

  • You must have Administrator permissions for the Ping Identity account.

Step 1 - In the Infinity Portal, copy values and finish the IDP Integration Wizard:

  1. In the Infinity Portal > Directory Integration step, select Automatic Sync (SCIM).

  2. Copy these values and keep them in a safe place:

    • SCIM API Token

    • URL

  3. Click Next.

    The Confirm Identity Provider step opens.

  4. Click Submit.

    Ping Identity is now integrated with the Infinity Portal. The Ping Identity integration appears in the gallery in the Infinity Portal. Finish configuring SCIM (Automatic Sync) in the Ping Identity Portal.

Step 2 - In the Ping Identity Portal, create a new Connection:

  1. In the Ping Identity Portal, from the left menu, expand Integrations > click Provisioning.

  2. Next to Provisioning, click the + button.

    The Create a New Connection wizard opens.

  3. To the right of Identity Store, click Select.

  4. Search "scim".

  5. Select SCIM Outbound.

  6. Wizard Step 1:

    1. Enter a name for the integration. Example: "Infinity Portal SCIM".

    2. Click Next.

  7. Wizard Step 2:

    1. In the Configure Authentication section > SCIM BASE URL field, paste the URL you copied from the Infinity Portal.

    2. For Authentication Method select OAuth2 Bearer Token.

    3. In the Oauth Access Token field, paste the SCIM API Token you copied from the Infinity Portal.

    4. Click Test Connection.

      If the test is successful, a confirmation message appears. If the test fails, make sure that you copied and pasted the values correctly from the Infinity Portal to the Ping Identity Portal.

    5. In the Ping Identity Portal, click Next.

  8. Wizard Step 3:

    1. In the Configure Parameters section, select Deprovision on Rule Deletion.

      Important - Do not change the default values of other parameters.

    2. Click Save.

      The wizard closes. The new connection you created for the Infinity Portal appears in the Provisioning menu > Connections tab. By default, this connection is not active.

    3. In the top right, move the slider to the "on" position to activate the connection.

Step 3 - In the Ping Identity Portal, create a rule for the connection:

  1. In the Provisioning menu, open the Rules tab.

  2. Click the + button > New Rule.

    The Create a New Rule window opens.

  3. Enter a name for the rule.

  4. Click Create Rule.

  5. In the Available Connections section, to the right of the name of the connection you created for the Infinity Portal, click the + button.

  6. Click Save.

Step 4 - In the Ping Identity Portal, add users to the rule:

  1. Click the User Filter icon.

  2. Next to User Filter, click the edit (pencil) button.

  3. Create user filters. For more information, see Ping Identity documentation.

  4. Click Save.

Step 5 - In the Ping Identity Portal, add attributes to the rule:

  1. Click the Attribute Mapping icon.

  2. Next to Attribute Mapping, click the edit (pencil) button.

  3. Add these attributes:

    PingOne Directory

    myScim

    Enabled

    active

    Given Name

    displayName

    User ID

    externalID

    Username

    userName

    Primary Phone

    workPhone

  4. Click Save.

Step 6: In the Ping Identity Portal, add groups to the rule:

  1. Click the Global Provisioning icon.

  2. Click Add Groups.

  3. Select groups to add to the rule.

    Note - If groups are in a hierarchy, you must select the parent and the child group individually. Example: Group A is the parent of Group B. To add Group B to the rule, you must select Group A and Group B.

  4. Click Save.

Step 7: In the Ping Identity Portal, apply the rule to the connection:

  1. In the Configuration tab, make sure all of the values are correct.

  2. In the top right, move the slider to the "on" position to apply the rules.

Review the details of the SSO configuration and click Submit.

Important - Create a user group with the applicable roles and assign it to the related IdP group name or ID. This depends on the applicable identity provider before you log out. For more information, see User Groups.