How to configure SAML flows using an External Login UI in PingOne

PingOne Advanced Identity Cloud can act as an SP or IDP. This use case focuses on configuration of PingOne Advanced Identity Cloud to act as the Identity Provider.

PingGateway can operate under various personas, offering protection for APIs, microservices, and both modern and legacy applications. PingGateway has even been referred to as a Swiss Army Knife due to its highly configurable nature to meet even the most complex use cases. PingGateway will be protecting an application and act as the SAML SP.

In cases where customers manage their own login page the SDK can be used to traverse the login journeys, get SSO tokens and Access Tokens. We will configure authentication via an external page for this SAML interaction.

While this article combines all of these use cases , they can be met individually and you can plug in both your own SP or IDP should that be required, and use either hosted pages or your own login page.

Log in to your AIC Console and browse to Identities → Manage → Alpha realm — Users then click +New Alpha realm — User.

Creating a new user

Create a new user:

New user example

Now the user is configured, let’s check you can log in by authenticating to the Alpha realm.

Login with new user

 
Because the Enduser UI is enabled and is the default landing page the welcome message is displayed.

Enduser UI Logged in

Login to AIC as a tenant administrator and browse to Native Consoles → Access Management.

AM Native Console

 
In the Access Management console, browse to Applications → Federation → Circles of Trust .

Circles of Trust

Choose a name that suits, this example uses Circle of Trust which has been configured in the above fedlet configuration files. Enter the name and press Create . Leave all other fields as their default.

New Circle of Trust

The service provider details have already been configured in the above sp.xml. This is imported in subsequent steps into AIC as a Remote Service Provider.

Browse to Applications → Federation → Entity providers → Add Entity Provider and select Remote.

Entity Providers

In the New Remote Entity Provider page, drag and drop your sp.xml then select your Circle of Trust and press Create.

New SP Entity

Your SP entity named sp will appear on your list of Entity Providers.

Newly created SP

 
Your SP is now configured, the next task is to configure the IDP.

The following steps configures AIC as the Hosted Identity Provider. Browse to Applications → Federation → Entity Providers → Add Entity Provider → Hosted.

Create hosted IDP

 
Enter openam as the Entity ID and idp as the Identity Provider Meta Alias , and select the correct Circles of Trust , then press Create.

New Hosted Entity Provider

Do the following to add the attributes to your assertion. Firstly configure cn by browsing to your IDP, then to Assertion Processing → Attribute Mapper → Attribute Map . Enter the following and then click Add :

SAML Attribute = cn, Local Attribute = cn

Attribute Mapper

Do the same thing with sn and mail i.e.

SAML Attribute = sn, Local Attribute = sn

After this is completed your Attribute Map will look like this:

Completed Attribute Mapper

Now click Save Changes.

Don’t forget to Save!

You will need to export the IDP settings and provide them to the Service Provider.

Execute the following curl command to export the IDP settings:

curl -v --output idp.xml “https://openam-mytenant.forgerock.io/am/saml2/jsp/exportmetadata.jsp?entityid=openam&realm=/alpha"

 
The idp.xml file will be saved locally, copy this to the fedlet conf directory so the list of files contained look like below:

In the PingGateway configuration directory i.e. /home/fradmin/.openig, create a directory named SAML at the same level as the config folder (Not IN the config folder). Move all the configured fedlet files into this SAML folder i.e.

If you have a config.json file setup, remove the baseURI. The SamlFederationHandler must not be rebased as the URI must match the endpoint in the SAML metadata.

Add a route to pass through css and other resources for your sample application. To do this create a file named static-resources.json with the content below and place this into your routes folder i.e.

Add a saml route to configure the SamlFederationFilter by creating a file named saml-filter.json and placing it in the routes folder i.e.

In this route maps the values returned in the assertion to be stored in PingGateway’s session context, i.e. cn from the assertion is mapped to session.name.

Notice that when the HeaderFilter adds headers x-saml-cn and x-saml-sn to the request they are easily reference by the attribute name in the session context i.e. ${toString(session.name)}.

The filter then allows the ReverseProxyHandler to do it’s job and communicate with the protected application.

Repo containing all the SDK sample apps. Contribute to ForgeRock/sdk-sample-apps development by creating an account on GitHub.

Locate the sdk-sample-apps/blob/main/embedded-login/webpack.config.js file and set the host:

 
The following login page (or similar) should be displayed:

Sample Login Page

If working successfully after logging in you should be presented with the user information.

Successful Login

 
Ensure Login App respects the SAML redirect back to the IDP

Modify (if necessary) the login app to respect the goto URL back to the IDP, i.e.

Inside sdk-sample-apps/blob/main/embedded-login/src/main.js make sure on successful authentication if there is a goto url then proceed there:

Modify the IDP to use the external login app

Browse to the Native Access Management Console, then Applications, Entity Providers then openam. Then browse to the Assertion Processing tab.

IDP login page setup

At the bottom of the page enter the login page URL under Auth URL, in my case https://login.example.com:8443/ then press Save Changes.

Save Changes

The setup should now be complete and is now ready to test!