
Introduction

This guide provides step-by-step instructions on how to add Ping Federate as an identity provider in JIRA using Kantega Single Sign-on.

Context: This setup guide assumes that Kantega SSO is installed as an add-on to your Atlassian product (Jira, Confluence, Bitbucket, Bamboo, or FeCru).

The setup starts in the Configuration page of the Kantega SSO add-on. This configuration page can be found by pressing "Configure" on "Kantega Single Sign-On (SSO)" in the list of installed add-ons.

Adding an SP Connection in Ping Federate

  • Log in to the admin console of Ping Federate.
  • Press Create New in IdP Configuration

Connection Type

  • Select Connection Template: Browser SSO Profiles 

Connection Options

  • Select Browser SSO
  • Press Next

Configuring Kantega Single Sign-on

Add identity provider

  • In Kantega Single Sign-on select Any SAML 2.0 Identity Provider

Prepare

  • Copy the metadata URL or download the file

Import Metadata

  • Select the desired metadata import option
  • Press Next

Metadata Summary

  • Review the metadata summary
  • Press Next

General Info

  • Fill in the fields (if not using metadata)
    • Entity ID
    • Connection Name 
    • Base URL
  • Press Next

Browser SSO

  • Select Configure Browser SSO
  • Press Next

SAML Profiles

  • Select whether you want IdP-initiated SSO, SP-initiated SSO or both
  • Press Next

Assertion Lifetime

  • Accept the default assertion lifetime
  • Press Next

Assertion Creation

  • Select Configure Assertion Creation

Identity Mapping

  • Select Standard Identity Mapping
  • Press Next

Attribute Contract

This step may be skipped if users should not be automatically created in JIRA.

  • Extend the contract with the fields from the table below
  • Press Next

Extend the Contract    Attribute Name Format
email                  urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
givenName              urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
surname                urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified


Authentication Source Mapping

  • Select Map New Adapter Instance

Adapter Instance
  • Choose your preferred Adapter Instance
  • In this example we create: PingOne HTML Form Adapter
  • Press Next

Mapping Method
  • Select Use Only The Adapter Contract Values In The SAML Assertion
  • Press Next

Attribute Contract Fulfillment
  • Select the values for SAML_SUBJECT, email, givenName and surname
  • Press Next

Issuance criteria
  • Optionally add Issuance Criteria
  • Press Next

IDP Adapter Mapping Summary
  • Review the Summary
  • Press Done

Assertion Creation

  • You have now completed Map New Adapter Instance
  • Select Map New Authentication Policy

Authentication Policy Contract

  • Choose an already existing Authentication Policy Contract or press Manage Authentication Policy Contracts
  • In this example we create a new policy contract 

Manage Contracts

  • Select Create New Contract

Contract Info
  • Give the contract a name
  • Press Next

Contract Attributes

Extend the contract with the following attributes:

  • email
  • givenName
  • surname
  • userPrincipalName

After adding the attributes, press Next

Authentication Policy Contract Summary
  • Review the Summary
  • Press Done

Authentication Policy Contracts
  • You have now added a new Authentication Policy Contract
  • Press Save

Selecting an Authentication Policy Contract
  • Select the desired Authentication Policy Contract
  • Press Next

Mapping Method

  • Select Use Only The Authentication Policy Contract Values In The SAML Assertion
  • Press Next

Attribute Contract Fulfillment

  • Map the Attribute Contract Attribute to the corresponding Value
  • Press Next

Issuance Criteria

  • Optionally add Issuance Criteria
  • Press Next

Authentication Policy Mapping Summary

  • Review the Summary
  • Press Done

Authentication Source Mapping 

  • You have now completed 
    • Map New Adapter Instance
    • Map New Authentication Policy
  • Press Next

Assertion Creation Summary

  • Review the Summary
  • Press Done

Assertion Creation

  • You have now completed the Assertion Creation
  • Press Next

Protocol Settings

  • Press Configure Protocol Settings

Assertion Consumer Service URL

  • The Endpoint URL should be automatically filled from the metadata 
  • When not using metadata, add the ACS URL from the Prepare step in Kantega Single Sign-on
  • Note that in this example we use a URL relative to the Base URL configured in General Info
  • Press Next

Allowable SAML Bindings

  • Set Redirect as the Allowable SAML Binding
  • Press Next

Signature Policy

  • You can choose to have the assertion signed or not
  • Press Next

Encryption Policy

  • Select whether you want the assertion encrypted as well
  • Encrypted assertions are not covered by this guide
  • Press Next

Protocol Settings Summary

  • Review the Summary
  • Press Done

Protocol Settings

  • You have now completed the Protocol Settings
  • Press Next, then Done

Browser SSO

  • You have now completed the Browser Configuration
  • Press Next

Credentials

  • Select Configure Credentials

Digital Signature Settings

  • Select an already existing certificate or create a new one
  • If you are creating a new certificate, press Manage Certificates

Manage Digital Signing Certificates

  • Press Create New

Create Certificate
  • Fill the required fields 
  • Choose how long the certificate should be valid
  • Press Done

Create Certificate Summary
  • Review the Summary
  • Press Done

Manage Digital Signing Certificates

  • Make sure the desired certificate is active
  • Press Save

Digital Signature Settings

  • Select Include The Certificate In The Signature <Keyinfo> Element
  • Press Done

Credentials

  • You have now completed Credentials
  • Press Next

Activation and Summary

  • Select Connection Status: Active
  • Press Save

Metadata Export

  • Navigate to Server Configuration
  • Metadata Export

Metadata Mode

  • Select Use A Connection For Metadata Generation
  • Press Next

Connection Metadata

  • Select the connection
  • Press Next

Metadata Signing

  • Select the signing certificate
  • Check Include This Certificate's Public Key In The Certificate <Keyinfo> Element
  • Press Next

Export & Summary

  • Export the metadata (Press Export)
  • Press Done

Configuring Kantega Single Sign-on

Prepare

  • In Kantega Single Sign-on, Press Next

Metadata import

  • Select the exported metadata from Ping Federate
  • Press Next

Location

  • Give the IDP a proper name
  • The SSO redirect URL is imported from the metadata


Signature

  • Review the imported signing certificate (this step is purely informational)
  • Press Next

Users

  • Select whether users already exist or if you wish to have users automatically created upon login
  • Optionally assign a default group for new users

Testing/configuring the identity provider

After finishing the wizard, you will be sent to the test pages for verification of your setup. Here, you may also perform the last configuration parts. Follow this generic introduction to the test pages and final configuration. AD FS is used as the example here.











