ContextQMD
Back to Redis

Saml Integration Ping Identity

content/operate/rc/security/access-control/saml-sso/saml-integration-ping-identity.md

latest7.2 KB
Original Source

This guide shows how to configure PingIdentity as a SAML single sign-on identity provider (IdP) for your Redis Cloud account.

To learn more about Redis Cloud support for SAML, see [SAML single sign-on]({{< relref "/operate/rc/security/access-control/saml-sso" >}}).

Before completing this guide, you must [verify ownership of any domains]({{< relref "/operate/rc/security/access-control/saml-sso#verify-domain" >}}) you want to associate with your SAML setup.

Step 1: Set up your identity provider (IdP)

Add the redisAccountMapping attribute

  1. Log in into your Ping Identity account. Open Administrators > Identities > User Attributes and select Add Attribute.

    {{<image filename="images/rc/saml/ping_identity_saml_1.png" >}}

  2. Select the DECLARED attribute type.

    {{<image filename="images/rc/saml/ping_identity_saml_2.png" >}}

  3. Fill in the fields with the following values:

    • Name: redisAccountMapping
    • Display name: redisAccountMapping
    • Description: redisAccountMapping

    {{<image filename="images/rc/saml/ping_identity_saml_3.png" >}}

    Select Save and Close. Then, verify that the attribute was created successfully.

    {{<image filename="images/rc/saml/ping_identity_saml_4.png" >}}

Add the user who will activate SAML in Service Manager (Redis Cloud)

  1. Go to Administrators > Identities > Users and select Add User.

    {{<image filename="images/rc/saml/ping_identity_saml_5.png" >}}

  2. Fill in the following information:

    • redisAccountMapping: {accountID}={role}

    accountID is the account ID from [account settings]({{< relref "/operate/rc/accounts/account-settings" >}}) and role represents the role that the user will be assigned in Redis Cloud console (owner, member, manager, billing_admin, or viewer):

    {{<image filename="images/rc/saml/ping_identity_saml_6.png" >}}

    Save and check that the user was added successfully.

Create the Ping Identity SAML application

  1. Go to Administrators > Connections > Applications and select + to add a new application.

    {{<image filename="images/rc/saml/ping_identity_saml_7.png" >}}

  2. Choose a name for the application, select SAML Application Type and select Configure.

    {{<image filename="images/rc/saml/ping_identity_saml_8.png" >}}

  3. In the ACS URLs and Entity ID field add for now some dummy data, like https://example.com

    • This data will be updated with the correct data in a subsequent step.

    {{<image filename="images/rc/saml/ping_identity_saml_9.png" >}}

    Select Save.

  4. Go to the Configuration tab and save the following information:

    • Issuer ID
    • Single Logout Service
    • Single Signon Service

    This information will be needed once we configure SAML in the Redis Cloud console.

    • Select Download Metadata. An XML file will be downloaded. Open it and copy the certificate, which is required for the configuration in Redis Cloud console.

    {{<image filename="images/rc/saml/ping_identity_saml_10.png" >}}

  5. Go to the Attribute Mappings tab. Add the following attributes:

    • saml_subject
    • Email
    • FirstName
    • LastName
    • redisAccountMapping

    {{<image filename="images/rc/saml/ping_identity_saml_11.png" >}}

Step 2: Configure SAML support in Redis Cloud

Now that we have our Ping Identity IdP server ready, we need to configure support for SAML in Redis Cloud.

Sign in to Redis Cloud

Sign in to your account on the Redis Cloud console.

Activate SAML in access management

To activate SAML, you must have a local user (or social sign-on user) with the owner role. If you have the correct permissions, you will see the Single Sign-On tab.

  1. Fill in the information you copied previously, including:

    • Issuer (IdP Entity ID): Issuer ID
    • IdP server URL: Single Signon Service
    • Single logout URL: Single Logout Service
    • Assertion signing certificate: Certificate info you copied from the Ping Identity XML file

    Also add:

    • Email domain binding: The domain used in your company's email addresses

    {{<image filename="images/rc/saml/sm_saml_1.png" >}}

    Select Enable and wait a few seconds for the status to change.

  2. You will then be able to Download the service provider (SP) metadata. Save the file to your local hard disk.

    {{<image filename="images/rc/saml/sm_saml_3.png" >}}

  3. Open the file in any text editor. Save the following text from the metadata:

    • EntityID: The unique name of the service provider (SP)

    {{<image filename="images/rc/saml/sm_saml_4.png" >}}

    • Location: The location of the assertion consumer service

    {{<image filename="images/rc/saml/sm_saml_5.png" >}}

Step 3: Finish SAML configuration in Ping Identity

  1. In Ping Identity, go to Administrators > Connections > Applications and select your application name. Select the Configuration tab and select Edit.

    This is where we had entered mock data. We will now enter the correct data for this step:

    • Paste EntityID information in the Entity ID field.

    • Paste Location link in the ACS URLS field.

    • For the Sign on URL field, add URL https://cloud.redis.io/#/login/?idpId=, where you need to add the ID from the Reply URL ID, for example, https://cloud.redis.io/#/login/?idpId=0oa5pwatz2JfpfCb91d7.

    Select Save.

    {{<image filename="images/rc/saml/ping_identity_saml_13.png" >}}

  2. Select the slider to enable the app.

    {{<image filename="images/rc/saml/ping_identity_saml_14.png" >}}

Step 4: Return to Redis Cloud console

  1. Return to the Redis Cloud console and select Activate.

    {{<image filename="images/rc/saml/sm_saml_8.png" >}}

  2. A popup appears, explaining that to test the SAML connection, you need to log in with credentials of a user defined in Ping Federate. Select Continue to go to the Ping Federate login screen.

  3. The Ping Federate login screen will appear. Enter the credentials and select Sign In.

    {{<image filename="images/rc/saml/ping_identity_saml_20.png" >}}

If everything is configured correctly, you will see the the Redis Cloud console screen. Your local account is now considered a SAML account.

To log in to the Redis Cloud console from now on, click on Sign in with SSO.

{{<image filename="images/rc/button-sign-in-sso.png" width="50px" alt="Sign in with SSO button">}}

IdP-initiated SSO

https://cloud.redis.io/#/login/?idpId=

  1. In Ping Identity, go to Administrators > Connections > Applications and select your application name. Select the Configuration tab and select Edit.

  2. Go to Target Application URL and enter: https://{enviroment}/#/login/?idpId={idpId}, where idpId is the ID found in the Location field, after the last '/'

  3. Select Save.

    {{<image filename="images/rc/saml/ping_identity_saml_16.png" >}}

  4. Go to https://apps.pingone.com/{environment}/myapps/#, where environment is the environment ID, found in Administrators -> Environment for your app.

    {{<image filename="images/rc/saml/ping_identity_saml_17.png" >}}

    You are redirected to the Redis Cloud console.