The steps described below show the settings that must be configured in Kace and in PingOne so that SAML authentication can be established.
In this example the PingOne authentication is backed by LDAP, so we will be working with LDAP attributes.
Enable Kace SAML Feature
- Go to Settings | Control Panel | SAML Settings
- Enable SAML Service Provider.
- Leave "IdP Does Not Support Passive Authentication" unchecked.
Start PingOne application setup for Kace
- Go to Applications
- Select new SAML application

- Fill in the initial application information and click Next.

- Download the PingOne SAML Metadata.

- Set Protocol Version to "SAML v 2.0".
Back to Kace: Import PingOne IdP metadata information in Kace.
- Click on Enter XML Metadata.
- Copy the XML content from the downloaded PingOne SAML Metadata file.
- Click on Import IdP Metadata.

- All the IdP URL fields should now be populated.

Import the Kace Local Service Provider (SP) metadata in PingOne
- In the Kace "Local Service Provider (SP) Settings" section click on View Metadata.
- Copy the SP Entity Identifier (uri).

- Go to the Entity Identifier (uri) URL and save the content in an XML file.
- In PingOne click on "Select file" and upload the Kace metadata XML file.

- The Kace SP fields should now be populated.

- Select "Redirect" option.
- Leave Force Re-authentication unchecked.
- Click Continue to Next Step.

Configure SSO Attribute Mapping in PingOne.
- In this example we are going to map the following attributes:
Application Attribute    Identity Bridge Attribute or Literal Value
Login                    sAMAccountName
Email                    mail
Name                     displayName
UID                      objectGUID
SAML_SUBJECT             SAML_SUBJECT
Group                    memberOf
Note:
SAML_SUBJECT is a PingOne system variable which maps to NameID in SAMLResponse.
Set the compatible NameID Format for SAML_SUBJECT with Kace.
- Click Advanced for SAML_SUBJECT attribute.
- Select the format required by the Kace application, in this example "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" from Name ID Format to request from IdP drop-down list.
- Select the format required by the Kace application, in this example "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" from Name ID Format to send to SP drop-down list.

- Click Save.
- Click Continue to Next Step.
Group Access
- Select all user groups that should have access to this application.
- In this example we are going to select two groups:
Training: This Group will have "user console only" Role access to Kace.
TrainingB: This Group will have Admin Role access to Kace.

- Click Continue to Next Step.
- Confirm the summary information and click Finish.
Back in Kace: Set the attribute Mappings created in PingOne in the required fields.
- In the IdP Attribute Mappings section select the "Use SAML" Option.
- Paste the attribute names created in PingOne as follows:
Attribute in Kace                           Named Attribute in PingOne
UID (Optional in 10.1 / Required in 10.0)   UID
Login                                       Login
Name                                        Name
Primary Email                               Email

- Set the Role Mapping as follows:
Role                 Named Attribute in PingOne   Value (Distinguished name of the Group)
Administrator        Group                        CN=TrainingB,CN=Users,DC=JSantam,DC=com
User Console Only    Group                        CN=Training,CN=Users,DC=JSantam,DC=com

Default Role for Unmatched Users: No Access - Save Settings.
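As an added example (not part of the original article and not Kace or PingOne code), the following Python script applies the attribute mapping, the persistent NameID format and the role mapping described above to a constructed SAML assertion. The assertion XML, the user values and the idp.example.invalid issuer are made up; the attribute names, group DNs and roles are the ones from the tables above, and the precedence used when a user belongs to both mapped groups (Administrator first) is an assumption, since the article does not state one.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Kace "IdP Attribute Mappings" table from the article: Kace field -> attribute name configured in PingOne.
KACE_ATTRIBUTE_MAP = {
    "UID": "UID",
    "Login": "Login",
    "Name": "Name",
    "Primary Email": "Email",
}

# Kace role mapping from the article: group DN carried in the "Group" attribute -> Kace role.
# Precedence when a user matches several DNs is an assumption here (first match wins, Administrator listed first).
ROLE_MAP = {
    "CN=TrainingB,CN=Users,DC=JSantam,DC=com": "Administrator",
    "CN=Training,CN=Users,DC=JSantam,DC=com": "User Console Only",
}
DEFAULT_ROLE = "No Access"  # "Default Role for Unmatched Users" from the article

# Constructed sample assertion (not a captured PingOne response): the attribute names are the ones
# the article maps in PingOne; the values, GUID and issuer URL are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jsantam</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Login"><saml:AttributeValue>jsantam</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>jsantam@example.invalid</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Name"><saml:AttributeValue>J. Santam</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="UID"><saml:AttributeValue>8c1d2e3f-0000-4000-8000-000000000001</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Group">
      <saml:AttributeValue>CN=TrainingB,CN=Users,DC=JSantam,DC=com</saml:AttributeValue>
      <saml:AttributeValue>CN=Staff,CN=Users,DC=JSantam,DC=com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_assertion(xml_text):
    """Return the NameID, its Format and a {name: [values]} dict built from the AttributeStatement."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attributes[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return {
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attributes,
    }


def resolve_role(group_dns):
    """Apply the Kace role mapping to the list of group DNs found in the assertion."""
    for dn, role in ROLE_MAP.items():
        if dn in group_dns:
            return role
    return DEFAULT_ROLE


def evaluate_login(xml_text):
    """Checks worth running on an assertion before expecting Kace to accept it:
    NameID format, presence of every mapped attribute, and the resulting role."""
    parsed = parse_assertion(xml_text)
    problems = []
    if parsed["name_id_format"] != PERSISTENT_FORMAT:
        problems.append(f"NameID format is {parsed['name_id_format']!r}, expected persistent")
    user = {}
    for kace_field, ping_name in KACE_ATTRIBUTE_MAP.items():
        values = parsed["attributes"].get(ping_name, [])
        if values:
            user[kace_field] = values[0]
        else:
            problems.append(f"attribute {ping_name!r} (Kace field {kace_field!r}) missing from assertion")
    role = resolve_role(parsed["attributes"].get("Group", []))
    return {"user": user, "role": role, "problems": problems}


if __name__ == "__main__":
    result = evaluate_login(SAMPLE_ASSERTION)
    print(result["user"], result["role"], result["problems"])
```

Running the script against the sample prints the four mapped Kace fields, the Administrator role (the user is in TrainingB) and an empty problem list; feeding it an assertion whose NameID uses a different format, or whose attribute is still named objectGUID instead of UID, reports the mismatch that would otherwise only surface as a failed login.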
Troubleshooting
If the instructions above were followed and login to the Kace SMA through the IdP using SAML is still not possible:
The SAML attributes sent to the SMA can be inspected in Chrome with the SAML Chrome Panel extension, which adds a SAML section to the developer tools (F12).
- Go to Settings | SAML Settings.
- Scroll down to Local Service Provider (SP) Settings.
- Select “View Metadata”.
- If SSL is enabled in Kace, make sure that SP Entity Identifier (Uri), SP Assertion Consumer Service (URL) and SP SLO Endpoint (URL) are secure (https://). Modify the links on the SMA by adding the "s" manually and save the changes. All these URLs must be in lower case (on the Kace SMA and in PingOne); any upper case character in a link could cause issues.
- Make sure the ACS URL in the PingOne information matches the SP Assertion Consumer Service (url).
- Make sure that the entityId in the PingOne information matches the SP Entity Identifier (uri) in Kace.
- Verify which attributes are being sent from the IdP to the Kace SMA.
- If all the attributes match, confirm that the client SMA time zone matches the user time zone.
SAML Chrome Panel extension: https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace?hl=en
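The metadata checks in the troubleshooting list can be scripted against the XML served by "View Metadata". This Python example is added here and is not Kace or PingOne code; the SP metadata document and the PingOne-side values are constructed, with kace.example.invalid as a placeholder host, and the sample metadata deliberately contains a plain-http entityID and an upper-case hostname in the SLO endpoint so that the checks have something to report.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample of what a Kace "View Metadata" document could contain (not taken from a real SMA).
# It carries the two defects the troubleshooting steps describe: a plain-http entityID and an
# upper-case hostname in the SLO endpoint.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://kace.example.invalid/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://KACE.example.invalid/saml/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://kace.example.invalid/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Values as entered on the PingOne application side (constructed for the example).
PINGONE_SIDE = {
    "entityId": "https://kace.example.invalid/saml/metadata",
    "ACS URL": "https://kace.example.invalid/saml/acs",
}

# Field names as Kace labels them in "Local Service Provider (SP) Settings".
ENTITY = "SP Entity Identifier (uri)"
ACS = "SP Assertion Consumer Service (URL)"
SLO = "SP SLO Endpoint (URL)"


def extract_sp_endpoints(xml_text):
    """Pull the three URLs the troubleshooting steps compare out of the SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", MD_NS)
    acs = sp.find("md:AssertionConsumerService", MD_NS) if sp is not None else None
    slo = sp.find("md:SingleLogoutService", MD_NS) if sp is not None else None
    return {
        ENTITY: root.get("entityID"),
        ACS: acs.get("Location") if acs is not None else None,
        SLO: slo.get("Location") if slo is not None else None,
    }


def check_sp_endpoints(endpoints, pingone_side, ssl_enabled=True):
    """Return a list of findings; an empty list means the metadata passes every check in the article."""
    findings = []
    for name, url in endpoints.items():
        if not url:
            findings.append(f"{name}: missing from metadata")
            continue
        if ssl_enabled and urlsplit(url).scheme != "https":
            findings.append(f"{name}: not https ({url})")
        if url != url.lower():
            findings.append(f"{name}: contains upper case ({url})")
    if endpoints[ENTITY] != pingone_side["entityId"]:
        findings.append(f"{ENTITY} {endpoints[ENTITY]!r} differs from PingOne entityId {pingone_side['entityId']!r}")
    if endpoints[ACS] != pingone_side["ACS URL"]:
        findings.append(f"{ACS} {endpoints[ACS]!r} differs from PingOne ACS URL {pingone_side['ACS URL']!r}")
    return findings


def audit_metadata(xml_text, pingone_side=PINGONE_SIDE, ssl_enabled=True):
    """Convenience wrapper: parse the metadata and run the checks in one call."""
    return check_sp_endpoints(extract_sp_endpoints(xml_text), pingone_side, ssl_enabled)


if __name__ == "__main__":
    for finding in audit_metadata(SAMPLE_SP_METADATA):
        print(finding)
```

On the sample the script reports three findings: the entity identifier is not https, the SLO endpoint contains upper case, and the entity identifier differs from the PingOne entityId (because of the missing "s"). Once the entityID is switched to https and the SLO hostname lowered, the list is empty, which is the state the troubleshooting steps are driving towards.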