Introduction
This guide provides step-by-step instructions on how to add Ping Federate as an identity provider in JIRA using Kantega Single Sign-on.
Context: This setup guide assumes that Kantega SSO is installed as an add-on to your Atlassian product (Jira, Confluence, Bitbucket, Bamboo, or FeCru).
The setup starts in the Configuration page of the Kantega SSO add-on. This configuration page can be found by pressing "Configure" on "Kantega Single Sign-On (SSO)" in the list of installed add-ons.
Adding an SP Connection in Ping Federate
Log in to the admin console of Ping Federate. Press Create New in IdpConfiguration.
Connection Type: Select Connection Template: Browser SSO Profiles, PROTOCOL SAML 2.0. Press Next.
Connection Options: Select Browser SSO. Press Next.
Configuring Kantega Single Sign-on
Add identity provider: In Kantega Single Sign-on, select Any SAML 2.0 Identity Provider.
Prepare: Copy the metadata URL or download the file.
Import Metadata: Select the desired metadata import option. Press Next.
Metadata Summary: Review the metadata summary. Press Next.
General Info: Fill in the fields (if not using metadata): Entity ID, Connection Name, Base URL. Press Next.
Browser SSO: Select Configure Browser SSO. Press Next.
SAML Profiles: Select whether you want IDP-initiated SSO, SP-initiated SSO or both. Press Next.
Assertion Lifetime: Accept the default assertion lifetime. Press Next.
Assertion Creation: Select Configure Assertion Creation.
Identity Mapping: Select Standard Identity Mapping. Press Next.
Attribute Contract: This step may be skipped if the user should not be automatically created in JIRA.
Extend the contract with the fields from the table below. Press Next.
Attribute Name    Format
email             urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
givenName         urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
surname           urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
Authentication Source Mapping: Select Map New Adapter Instance.
Adapter Instance: Choose your preferred Adapter Instance. In this example we create: PingOne HTML Form Adapter. Press Next.
Mapping Method: Select Use Only The Adapter Contract Values In The SAML Assertion. Press Next.
Attribute Contract Fulfillment: Select the values for SAML_SUBJECT, email, givenName and surname. Press Next.
Issuance Criteria: Optionally add Issuance Criteria. Press Next.
IDP Adapter Mapping Summary: Review the Summary. Press Done.
Assertion Creation: You have now completed Map New Adapter Instance. Select Map New Authentication Policy.
Authentication Policy Contract: Choose an already existing Authentication Policy Contract or press Manage Authentication Policy Contracts. In this example we create a new policy contract.
Manage Contracts: Select Create New Contract.
Contract Info: Give the contract a name. Press Next.
Contract Attributes: Extend the contract with the following attributes: email, givenName, surname, userPrincipalName. After adding the attributes, press Next.
Authentication Policy Contract Summary: Review the Summary. Press Done.
Authentication Policy Contracts: You have now added a new Authentication Policy Contract. Press Save.
Selecting an Authentication Policy Contract: Select the desired Authentication Policy Contract. Press Next.
Mapping Method: Select Use Only The Authentication Policy Contract Values In The SAML Assertion. Press Next.
Attribute Contract Fulfillment: Map the Attribute Contract Attribute to the corresponding Value. Press Next.
Issuance Criteria: Optionally add Issuance Criteria. Press Next.
Authentication Policy Mapping Summary: Review the Summary. Press Done.
Authentication Source Mapping: You have now completed Map New Adapter Instance and Map New Authentication Policy. Press Next.
Assertion Creation Summary: Review the Summary. Press Done.
Assertion Creation: You have now completed the Assertion Creation. Press Next.
Protocol Settings: Press Configure Protocol Settings.
Assertion Consumer Service URL: The Endpoint URL should be automatically filled from the metadata. When not using metadata, add the ACS URL from the Prepare step in Kantega Single Sign-on. Note that in this example we use the URL relative to the Base URL configured in General Info. Press Next.
Allowable SAML Bindings: Set Redirect as the Allowable SAML Binding. Press Next.
Signature Policy: You can choose to have the assertion signed or not. Press Next.
Encryption Policy: Select whether you want the assertion encrypted as well. Encrypted assertions are not covered by this guide. Press Next.
Protocol Settings Summary: Review the Summary. Press Done.
Protocol Settings: You have now completed the Protocol Settings. Press Next, then Done.
Browser SSO: You have now completed the Browser Configuration. Press Next.
Credentials: Select Configure Credentials.
Digital Signature Settings: Select an already existing certificate or create a new one. If you are creating a new certificate, press Manage Certificates.
Manage Digital Signing Certificates
Create Certificate: Fill the required fields. Choose how long the certificate should be valid. Press Done.
Create Certificate Summary: Review the Summary. Press Done.
Manage Digital Signing Certificates: Make sure the desired certificate is active. Press Save.
Digital Signature Settings: Select Include The Certificate In The Signature <Keyinfo> Element. Press Done.
Credentials: You have now completed Credentials. Press Next.
Activation and Summary: Select Connection Status: Active. Press Save.
Metadata Export
Navigate to Server Configuration > Metadata Export.
Metadata Mode: Select Use A Connection For Metadata Generation. Press Next.
Connection Metadata: Select the connection. Press Next.
Metadata Signing: Select the signing certificate. Check Include This Certificate's Public Key In The Certificate <Keyinfo> Element. Press Next.
Export & Summary: Export the metadata (press Export). Press Done.
Configuring Kantega Single Sign-on
Prepare: In Kantega Single Sign-on, press Next.
Metadata import: Select the exported metadata from Ping Federate. Press Next.
Location: Give the IDP a proper name. The SSO redirect URL is imported from the metadata.
Signature: Review the imported signing certificate (this step is purely informational). Press Next.
Users: Select whether users already exist or if you wish to have users automatically created upon login. Optionally assign a default group for new users.
Testing/configuring the identity provider
After finishing the wizard, you will be sent to the test pages for verification of your setup. Here, you may also perform the last configuration parts. Follow this generic introduction to the test pages and final configuration. AD FS is used as the example here.