PingFederate

Prerequisites

  • Administrator access to the Harmony SASE Administrator Portal.

  • Administrator account with the Identity Provider Management Portal.

High-Level Procedure

Step 1 - Configure the PingFederate Management Portal

  1. Log in to the PingFederate Management Portal.

  2. Go to SP Connections and click Create New.

  3. Select Browser SSO Profiles as Connection Type.

  4. Select Browser SSO as Connection Options.

  5. Configure the parameters and map the attributes.

    • Entity ID: urn:auth0:perimeter81:{{WORKSPACE}}-oc where {{WORKSPACE}} refers to your Harmony SASE workspace name.

    • Assertion Consumer Service URL: https://auth.perimeter81.com/login/callback?connection={{WORKSPACE}}-oc where {{WORKSPACE}} refers to your Harmony SASE workspace name.

    • SAML Request: HTTP-Redirect Binding

    • SAML Response: HTTP-POST Binding

    • Attributes:

      Harmony SASE Attribute    PingFederate Attribute
      ----------------------    ----------------------
      email                     Mail
      given_name                Given Name
      family_name               Surname

  6. Configure Browser SSO.

    1. In the SAML Profiles, select SP-Initiated SSO and SP-Initiated SLO.

    2. Go to the Assertion Creation section and select Configure Assertion.

    3. Accept all defaults for the next two screens.

  7. Go to the IdP Adapter Mapping section and select the existing authentication or add a new one.

    Note - Auth0 only requires the NameIdentifier claim. All other attributes will be passed further to the end application.

  8. Configure Protocol Settings.

    Values for Protocol Settings are imported from the metadata file. Next, you will see the Assertion Consumer Service URL and the Sign-Out URLs. Click Next until you reach the Allowable SAML Bindings section.

  9. Leave POST and Redirect enabled. Make sure SAML Assertion is always signed.

  10. Configure Credentials. On Digital Signature Settings, select your signing certificate and make sure you check the option to include it in the element.

  11. Configure the certificate used to sign incoming requests.

  12. Review your settings and set as Active or Inactive.

  13. Click Save at the bottom of the screen. You should see the new SP Connection on the Main screen.
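As an added example (not part of the Harmony SASE documentation and not PingFederate code), the following Python check verifies that a SAML Response issued by the SP connection above carries the Step 1 values: the Assertion Consumer Service URL as Destination, the Entity ID as Audience, a signed Assertion, a NameID, and the three mapped attributes. The workspace name "acme" and the sample response are constructed; cryptographic signature verification is left to the SP and is not performed here.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Attribute mapping from Step 1 (Harmony SASE attribute -> PingFederate attribute).
REQUIRED_ATTRS = {"email": "Mail", "given_name": "Given Name", "family_name": "Surname"}

def check_saml_response(xml_text, workspace):
    """Return findings that contradict the Step 1 values; an empty list means the response matches."""
    entity_id = f"urn:auth0:perimeter81:{workspace}-oc"
    acs_url = f"https://auth.perimeter81.com/login/callback?connection={workspace}-oc"
    findings = []
    # xml.etree is fine for a constructed sample; parse untrusted XML with defusedxml.
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        findings.append(f"Destination is not the ACS URL: {root.get('Destination')}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no Assertion element"]
    # Step 1.9 requires the Assertion itself to be signed, not only the Response.
    if assertion.find("ds:Signature", NS) is None:
        findings.append("Assertion is not signed")
    if assertion.find("saml:Subject/saml:NameID", NS) is None:
        findings.append("missing NameID, the only claim Auth0 requires")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        findings.append(f"Audience {audiences} does not include the Entity ID {entity_id}")
    present = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for sase_name, pf_name in REQUIRED_ATTRS.items():
        if pf_name not in present:
            findings.append(f"attribute {pf_name!r} (mapped to {sase_name}) is missing")
    return findings

# Constructed sample for the hypothetical workspace "acme"; the empty Signature stands in for a real one.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  Destination="https://auth.perimeter81.com/login/callback?connection=acme-oc">
  <saml:Assertion><ds:Signature/>
    <saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>urn:auth0:perimeter81:acme-oc</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="Mail"/><saml:Attribute Name="Given Name"/></saml:AttributeStatement>
  </saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(check_saml_response(SAMPLE, "acme"))  # → ["attribute 'Surname' (mapped to family_name) is missing"]
```

The sample deliberately omits the Surname attribute so that the check reports exactly one finding; run it against a response captured from a test login to confirm the SP connection before setting it Active.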

Step 2 - Configure the Harmony SASE Administrator Portal

  1. Log in to the Harmony SASE Administrator Portal with an administrator account.

  2. Go to Settings > Identity Providers.

  3. Click Add Provider.

    The Add identity provider pop-up appears.

  4. Select SAML 2.0 Identity Providers and click Continue.

  5. In the Sign in URL field, enter the Identity Provider Sign-in URL from your SAML Identity Provider.

    Identity Provider                               Sign in URL
    -----------------                               -----------
    Generic SAML                                    Identity Provider Sign in URL
    Active Directory Federation Services (AD FS)    https://{{Your ADFS Domain}}/adfs/ls
    Auth0                                           Auth0 login URL
    OneLogin                                        SAML 2.0 Endpoint (HTTP) value
    PingOne                                         https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid={{idpid}}
    PingFederate                                    https://sso.{{Your PingFederate Domain}}.com/idp/SSO.saml2
    Rippling                                        Rippling IdP Sign-in URL
    JumpCloud                                       JumpCloud IDP URL
    Okta                                            Okta Sign on URL
    Google Applications                             SSO URL

  6. In the Domain Aliases field, enter the business domain names separated by commas or spaces.

  7. In the X509 Signing Certificate field, enter the X.509 signing certificate for the application from the SAML Identity Provider.

    If you have the signing certificate as PEM/CERT file, click Upload PEM/CERT File and select the file.

  8. Click Done.

Note - After the first successful authentication of a member with SAML, Harmony SASE does this:

  • Assigns the member with the appropriate role.

  • Adds the member to the groups related to the Identity Provider.

  • Applies the relevant configuration profiles to the member.