PingOne and App Center Configuration
This document provides high-level steps for configuring PingOne as an External Identity Provider for Symantec App Center. It does not cover group mapping, and it is based on the internal user store of PingOne. For further configuration information, such as how to pass group membership, please contact your Symantec sales specialist.
Note that once you configure an External Identity Provider, those IDP credentials are used for authentication to any of your wrapped mobile apps. Furthermore, you can leverage another wrap feature called "credential injection"; more to come on that in another post.
Log into your PingOne administration console and “Add” a new SAML application.
Start Application Configuration – Part 1
The next screen provides fields for the application name and description; you must fill out both before proceeding to the next step. The values are arbitrary, but you should pick a meaningful name.
Start Application Configuration – Part 2
In this step, we exchange metadata between App Center and PingOne.
Click the “Download” hyperlink next to the “SAML Metadata” area of the configuration screen. The file is typically named “saml2-metadata-idp.xml”; we will need to edit this file later.
Please ensure that the “SAML 2.0” option is selected in the “Protocol Version” area.
In the “Upload Metadata” section, you need to upload the App Center SAML metadata to PingOne. You can get this metadata file by logging into your App Center as an Administrator and going to “Settings” > “Server Configuration”. In the “SP Partner ID” and “SP Entity ID” fields, use the root URL of your App Center server, in this case “https://zonemobile.appcenterhq.com”. Once you have filled out those fields, click the “Download SP Metadata File” button. The resulting file should be named something like <servername>.appcenterhq.com-sp-metadata.xml. Use this file for the “Upload Metadata” > “Select File” section of PingOne.
Once this file is uploaded, PingOne will automatically populate the “Assertion Consumer Service (ACS)” and “Entity ID” fields for you.
We suggest checking the “Force Re-Authentication” box.
Lastly, note that PingOne requires us to pass the “SAML_SUBJECT” attribute; remember this field name for the next configuration screen.
Start Application Configuration – Part 3
Now that we have uploaded our App Center metadata to PingOne, we need to map our SAML attributes. Using the screenshot below, enter the values in the “Application Attribute” column verbatim. For the “Identity Bridge Attribute”, since we are using the PingOne internal user store, the values should be identical. Check the boxes as indicated below for the “required” attributes.
Once your “SSO Attribute Mapping” is complete, select the “Advanced” button in the row that contains the “SAML_SUBJECT” attribute. You should see a screen similar to the one below. The “Name ID Format to Send to SP” field must be set to “urn:oasis:names:tc:SAML:2.0:nameid-format:transient”; this is a requirement. The allowed values drop down from the field automatically. If the “transient” format option does not appear, finish the configuration, save/publish, then go back and edit the field before attempting to log on for the first time.
Start Application Configuration – Part 4
Review the settings on the next page and click “finish”.
Configuring PingOne Metadata for App Center
Now that PingOne has been configured, we need to make a few edits to the PingOne (IDP) metadata file so that App Center can consume assertions properly. Referring back to the PingOne metadata file (typically “saml2-metadata-idp.xml”), look for the following saml:Attribute nodes:
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="PingOne.AuthenticatingAuthority" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="PingOne.idpid" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
Replace the above text with the following text:
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="FirstName" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="LastName" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="EMailAddress" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
Once you have made those changes, save the file.
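Editing the file by hand works, but it is easy to break the XML or miss a node. The script below is an added example (not PingOne's or Symantec's code) that does the same replacement with a parser: it removes the two PingOne.* attribute nodes and inserts FirstName, LastName and EMailAddress in their place, leaving the rest of the metadata untouched. The sample metadata is constructed for the example and trimmed to the relevant elements; the attribute nodes are assumed to sit inside IDPSSODescriptor, as in the article's file, and rewrite_file is an assumed helper that writes the result back in place.

```python
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
ATTR_TAG = f"{{{NS_SAML}}}Attribute"

# Attribute nodes the article says to remove, and the ones to put in their place
REMOVE = {"PingOne.AuthenticatingAuthority", "PingOne.idpid"}
ADD = ["FirstName", "LastName", "EMailAddress"]

# Constructed sample, trimmed to the parts that matter. The real saml2-metadata-idp.xml
# also carries the signing certificate and other elements, which this code leaves untouched.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://pingone.example.test/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://pingone.example.test/sso"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="PingOne.AuthenticatingAuthority" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="PingOne.idpid" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def attribute_names(metadata_xml: str) -> list[str]:
    """Names of every saml:Attribute in the metadata, in document order."""
    root = ET.fromstring(metadata_xml)
    return [a.get("Name") for a in root.iter(ATTR_TAG)]


def rewrite_attributes(metadata_xml: str) -> str:
    """Return the metadata with the PingOne.* attribute nodes replaced by the three
    App Center expects. Safe to run twice: names already present are not duplicated."""
    ET.register_namespace("md", NS_MD)
    ET.register_namespace("saml", NS_SAML)
    root = ET.fromstring(metadata_xml)

    # Collect parents first; editing children while root.iter() is running would skip nodes.
    parents = [p for p in root.iter() if any(c.tag == ATTR_TAG for c in p)]
    for parent in parents:
        for attr in [c for c in parent if c.tag == ATTR_TAG and c.get("Name") in REMOVE]:
            parent.remove(attr)
        remaining = [c for c in parent if c.tag == ATTR_TAG]
        present = {c.get("Name") for c in remaining}
        # Insert where the first surviving attribute sits, or at the end of the parent
        insert_at = list(parent).index(remaining[0]) if remaining else len(parent)
        for name in ADD:
            if name in present:
                continue
            parent.insert(insert_at, ET.Element(ATTR_TAG, {"NameFormat": BASIC, "Name": name}))
            insert_at += 1
    return ET.tostring(root, encoding="unicode")


def rewrite_file(path: str) -> None:
    """Assumed helper: rewrite saml2-metadata-idp.xml in place (keep a backup copy first)."""
    with open(path, encoding="utf-8") as f:
        updated = rewrite_attributes(f.read())
    with open(path, "w", encoding="utf-8") as f:
        f.write('<?xml version="1.0" encoding="UTF-8"?>\n' + updated)


if __name__ == "__main__":
    print("before:", attribute_names(SAMPLE_METADATA))
    print("after: ", attribute_names(rewrite_attributes(SAMPLE_METADATA)))
```

Running it on the sample prints the two PingOne.* names before and FirstName, LastName, EMailAddress after; the NameIDFormat and SingleSignOnService elements survive unchanged, which is what you should confirm in the real file before uploading it to App Center.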
Uploading metadata and mapping attributes in App Center
Log into your App Center as an Administrator, and go to “Settings” > “Server Configuration”. Upload the “saml2-metadata-idp.xml” file we just changed using the “Choose File” button next to “IDP Metadata”.
On the next screen, we need to map the values we just added to the metadata file to the internal values in App Center. Notice that we map “EMailAddress” to both the “Username Attribute” and “Email Attribute” fields; this is not required, but it is the simplest option since we do not need to create any custom field types in PingOne.
Also note that we leave the “Group Attribute” as “Choose an Attribute”. While this disables “Group Mapping”, you can still manually add newly provisioned PingOne users to App Center groups.
Click “Save”, skip the options on the “Group Options” screen, and finally click “Enabled IDP” at the very end.
You should now be able to type in your App Center URL (for this example “https://zonemobile.appcenterhq.com”) and be redirected to the PingOne login page.
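If the first logon does not work, the two things this article says App Center depends on are the transient NameID format and the presence of the FirstName, LastName and EMailAddress attributes. The following added example (not part of the original article, nor PingOne's or Symantec's code) decodes a SAMLResponse as posted by the HTTP-POST binding and reports which of those expectations a decoded assertion violates. Both sample responses are constructed for the example, and the check is a shape check only: it deliberately does not verify the XML signature or Conditions, which App Center must do before trusting any value in the assertion.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
# Attributes App Center is configured to consume after the metadata edit
REQUIRED_ATTRS = ("FirstName", "LastName", "EMailAddress")

# Constructed sample assertion as it looks after decoding the SAMLResponse form field.
# Signature, Issuer and Conditions elements are omitted for brevity.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_tx9f3</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>Alice</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>Example</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="EMailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>alice@example.test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same assertion with a persistent NameID and no LastName: two misconfigurations the check should flag
BAD_RESPONSE = re.sub(r'<saml:Attribute Name="LastName".*?</saml:Attribute>\s*', "",
                      GOOD_RESPONSE.replace("nameid-format:transient", "nameid-format:persistent"),
                      flags=re.S)

# What the browser actually posts: the XML, base64-encoded (constructed from the sample above)
GOOD_B64 = base64.b64encode(GOOD_RESPONSE.encode("utf-8")).decode("ascii")


def decode_saml_response(form_value: str) -> str:
    """The SAMLResponse POST parameter is the base64 of the response XML (HTTP-POST binding)."""
    return base64.b64decode(form_value).decode("utf-8")


def attribute_values(root: ET.Element) -> dict[str, list[str]]:
    """Map each saml:Attribute Name to its list of AttributeValue texts."""
    values = {}
    for attr in root.iter(f"{{{NS_SAML}}}Attribute"):
        values[attr.get("Name")] = [v.text or "" for v in attr.findall(f"{{{NS_SAML}}}AttributeValue")]
    return values


def check_assertion(response_xml: str) -> list[str]:
    """Return a list of problems that would break the App Center mapping; empty means OK.
    Shape check only: no signature or Conditions validation is done here."""
    problems = []
    root = ET.fromstring(response_xml)
    nameids = root.findall(f".//{{{NS_SAML}}}Subject/{{{NS_SAML}}}NameID")
    if not nameids:
        problems.append("no NameID in Subject")
    for nid in nameids:
        if nid.get("Format") != TRANSIENT:
            problems.append(f"NameID Format is {nid.get('Format')}, App Center requires transient")
    values = attribute_values(root)
    for name in REQUIRED_ATTRS:
        if not any(values.get(name, [])):
            problems.append(f"attribute {name} missing or empty")
    # EMailAddress doubles as the App Center username in this setup, so sanity-check its value
    email = (values.get("EMailAddress") or [""])[0]
    if email and "@" not in email:
        problems.append("EMailAddress is used as the username but does not look like an address")
    return problems


if __name__ == "__main__":
    print("good:", check_assertion(decode_saml_response(GOOD_B64)))
    print("bad: ", check_assertion(BAD_RESPONSE))
```

Paste the SAMLResponse value captured from the browser's POST to the App Center ACS into decode_saml_response and run check_assertion on the result; an empty list means the NameID format and attribute names match what the configuration above expects, so any remaining failure is elsewhere (signature, clock skew, or the App Center-side mapping).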