
Single Sign-On (SSO) Integration with Ping Federate

Overview

qTest Manager offers an integration with Ping Federate SSO. In this article, we are going to walk through how to set up this integration.

IMPORTANT: This article walks through setting up an integration between qTest and the OnPremise version of Ping Federate 9.2.11. The UI and workflow may be different if you integrate qTest with a different version of Ping Federate.

Create a New Connection

Before configuring your integration, you will need to create a brand new connection from within Ping Federate. To do so, follow these steps:

  1. Access your Ping Federate instance.
  2. Choose the Identity Provider tab from the left-hand menu.
  3. On the "Identity Provider" page, select the Create New icon.

You are then brought to the Connection Configuration UI. Follow these steps to properly configure and create your new connection:

  1. For Connection Type and Connection Options, retain the default settings.
  2. Within the Import Metadata tab, select URL for the "METADATA" option. 
  3. Select Manage Partner Data URLs.

You will then be brought to the "SP Connection / Partner Metadata" page to manage your Partner Data URLs.

Manage your Partner Data URLs

  1. Select the Add New URL icon.
  2. Within the URL tab, do the following:
    • Enter your qTest Metadata link in the URL field.
    • Select the Validate Metadata Signature option.
  3. Keep the "Certificate Summary" section as is. Select Next.
  4. Verify your Summary and select Done.
  5. You are brought back to the SP Connection page. Here, in the Import Metadata tab, select the metadata file name that you have already defined.
  6. Select the Load Metadata icon.
  7. Review your Metadata information, and select FULL as your Logging Mode. 
    Select Next.

Configure Your Browser SSO

You are then brought to the Browser SSO tab. Follow the steps below to configure your Browser SSO:

  1. Select the Configure Browser SSO icon.
  2. In the Assertion Lifetime tab, select the check-boxes associated with both IDP- and SP-Initiated SSO. Select Next.
  3. Define your assertion lifetime according to your internal policies. Select Next.
  4. In the Assertion Creation tab, select the Configure Assertion Creation icon.
  5. On the "Assertion Creation" page, select the Standard Option. 
  6. Add attributes as defined below:
    mceclip4.png
  7. Select Next.

You will then need to Map your Adapter instance. To do so, follow the steps below:

  1. In the Authentication Source Mapping tab, select the Map New Adapter Instance icon.
  2. Choose a defined Adapter instance with your LDAP. Select Next.
  3. In the Mapping Method tab, choose the Use Only the Adapter Contract values in the SAML Assertion option.
  4. Within the Attribute Contract Fulfillment tab, define your attributes as follows:
    mceclip8.png
  5. Skip the Issuance Criteria by selecting Next.
  6. Review your IdP Adapter Mapping. Select Done.
  7. You are brought back to the Activation Source Mapping tab. Here, select Next to review your summary.
  8. After reviewing your summary, select Done.
  9. Review your Assertion Creation and select Next. 

Configure Protocol Settings

You will then have to configure your Protocol Settings. Follow these steps:

  1. Review your Protocol Settings. Select Next.  
  2. Select Next again.
  3. Define your Remote Party URL as the following:
    /SAML2/ARL/Artifact
  4. In the Signature Policy tab, choose Sign Response as Required. Select Next.
  5. For the Encryption Policy, select None.
  6. Review your Protocol Settings Summary and select Done when finished.

Define your Credentials

Next, you will need to define your Credentials. Follow the steps as outlined below:

  1. In the Credentials tab, choose the Configure Credentials icon.
  2. Configure both options for Back-Channel Authentication.
  3. Select Digital Signature for both Outbound and Inbound SOAP.
  4. Select Next.
  5. In the Digital Signature Settings tab, choose the following for your Signing Certificate and Signing Algorithm:
    mceclip21.png
  6. In the Signature Verification Settings tab, select Manage Signature Verification Settings.
  7. Select the Unanchored option for your Certificate.
  8. Review your Signature Verification and select Done.
  9. Then, enable and save the newly created SP Connection.

Metadata Export

Now that you have configured your integration, you can export your Metadata to qTest. To do so, follow the steps as outlined below:

  1. Access your System Settings and choose Metadata Export.
  2. Within the Metadata Role tab, select I am the IDP. Select Next.
  3. Select Use a connection for Metadata Generation. Select Next.
  4. In the Connection Metadata tab, select the SP connection you created with qTest. Select Next.
  5. Select Signing Certificate. Select Next.
  6. Review and export the Metadata file from Ping.

Add Metadata to qTest

Once you have downloaded your Ping Metadata, you will need to upload that file to qTest. To do so, follow these steps:

  1. In qTest Manager, select Administration from your username drop-down menu.
  2. Select the Authentication tab.
  3. In the left-hand nav menu, select SSO.
  4. In the Configuration section, upload your Ping Metadata file.
  5. Toggle the Activation Status to ON.
  6. Save and Refresh your page.

You have now successfully configured your integration between qTest and Ping Federate.

 

 
