Avi Vantage Integration with PingFederate
Starting with release 18.2.2, an Avi virtual service can act as a Security Assertion Markup Language (SAML) service provider (SP). In this role, the virtual service sends authentication requests to an identity provider (IDP); the IDP's signed responses govern which users are allowed to reach the back-end applications running in Avi pools. Avi Networks has implemented multiple third-party integrations so that customers can choose their IDP. This article outlines the steps necessary to configure PingFederate as the IDP.
Avi as SP and PingFederate as IDP
Configuring PingFederate as IDP
Create a new adapter instance by using the following steps.
1. On the PingFederate Dashboard, go to IdP Configuration and click on Adapters under Application Integration.
2. Under Manage IdP Adapter Instances, click on Create New Instance.
3. On the Type tab, enter an Instance Name and an Instance ID and click on Next.
4. On the IdP Adapter tab, click on Add a new row to ‘Credential Validators’ to define how user credentials are authenticated.
5. Select a Password Credential Validator Instance and click on Update.
6. On the Extended Contract screen, click on Next.
7. On the Adapter Attributes tab, select the username checkbox under Pseudonym (and any other attributes you need, if available) and click on Next.
8. On the Adapter Contract Mapping tab, click on Next, verify the summary, and click on Done.
Adding the SP details
1. Log in to the PingFederate management console, navigate to IdP Configuration > SP Connections and click on Create New.
2. On the Connection Type tab, click on Next.
3. On the Connection Options tab, click on Next.
4. On the Metadata URL screen, click on Next.
5. On the General Info tab, enter the connection information for the Avi virtual service that will act as SP (its entity ID and a connection name) and click on Next.
6. On the Browser SSO tab, click on Configure Browser SSO, choose the SP-initiated SSO option on the next screen and click on Save.
7. On the Assertion Lifetime screen, click on Next.
8. On the Assertion Creation screen, click on Configure Assertion Creation.
9. On the Identity Mapping screen, choose STANDARD and click on Next.
10. On the Attribute Contract screen, you can keep the default contract or add custom user attributes to be carried in the assertion. Click on Next.
11. On the Authentication Source Mapping screen, click on Map New Adapter Instance.
12. On the Adapter Instance screen, choose the adapter instance created in the previous section.
13. Click on Next.
14. On the Mapping Method screen, click the third option if you do not want additional attributes.
Note: Skip steps 14 to 16 if you want additional attributes and proceed directly to step 17.
15. On the Attribute Contract Fulfillment screen, choose the details and click on Next.
16. Click Next on the Issuance Criteria screen, review the summary and click on Done.
17. (If no attribute lookup is required, skip steps 18 to 22 and proceed to step 23.) If you want additional attributes, choose the second option on the Mapping Method screen instead of the third option mentioned in step 14, and click on Next.
18. On the Attribute Sources & User Lookup screen, click on Add Attribute Source.
19. Select your data store on the next screen, or click on Manage Data Stores to add a new one.
20. Add a new data store if you do not have an existing source.
21. Once the data store is added, choose the required columns on the Database Table and Columns screen and click on Next. On the Database Filter screen, you can add filters using a where clause. Once the filter is added, click on Next.
22. On the Attribute Contract Fulfillment screen, choose the details and click on Next. Click Next on the Issuance Criteria screen, review the summary, and click on Done.
23. The Authentication Source Mapping screen will appear; click on Next. This takes you to the Summary page. Click on Done.
24. The Assertion Creation screen will reappear. Click on Next. In the Protocol Settings section, click on Configure Protocol Settings.
25. On the Assertion Consumer Service URL screen, enter the Endpoint URL of the Avi virtual service's assertion consumer service. This is the URL to which PingFederate sends SAML responses, so it must be the externally reachable HTTPS address of the virtual service.
26. On the Allowable SAML Bindings tab, select the binding used for messages from the SP to the IDP (the authentication request), which should be REDIRECT.
27. On the Signature Policy screen, review the signing requirements for this connection and click on Next.
28. On the Encryption Policy screen, review the encryption options and click on Next.
29. If the summary looks OK, click on Done. The Protocol Settings screen will reappear; click on Next. Review the summary and click on Next.
30. The Browser SSO tab will reappear; click on Next.
31. Under Credentials, click on Configure Credentials.
32. On the Digital Signature screen, select the signing certificate and click on Next. This is the certificate PingFederate uses to sign the SAML messages it sends to the Avi virtual service, so the virtual service must trust it. Check the Summary and click on Save.
33. The Credentials page will reappear; click on Next. Validate the rest of the configuration and click on Save. The configuration is complete.
Metadata can be downloaded using the following steps:
1. Click on Identity Provider; it will take you to the Console.
2. Click on Manage All under SP Connections.
3. Click on Select Action for the connection whose metadata you want to download, and click on Export Metadata.
4. On the next screen, choose the signing certificate and click on Next.
5. Click on Export and then click on Done.
This completes the process of creating an application on PingFederate. The exported metadata carries the IDP's entity ID, its single sign-on endpoints and the certificate used to sign SAML messages; this is the information the Avi virtual service needs to verify responses from PingFederate.
Once configuration is complete on PingFederate, configure an Avi virtual service to act as the service provider by following the instructions in the SAML Configuration on Avi Vantage article.
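The two artifacts this procedure produces are the IDP metadata exported at the end and the REDIRECT-binding authentication request the SP sends to the endpoint named in that metadata. The following is an added example, not code from the original article and not Avi or PingFederate code, that shows what a practitioner checks before importing the metadata into the SP side and how the SP-to-IDP message is encoded under the HTTP-Redirect binding. The metadata document, the host names, the entity IDs and the assertion consumer service path are constructed placeholders; the certificate value is a stand-in, not a real certificate.

```python
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.sax.saxutils import escape

# SAML 2.0 namespaces and binding URIs used below.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample with the shape of exported IdP metadata. Host name,
# entityID and certificate contents are placeholders (assumption), not real values.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://pingfederate.example.com:9031">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIICplaceholderCertBase64</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://pingfederate.example.com:9031/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://pingfederate.example.com:9031/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the entityID, SSO endpoints keyed by binding, and signing certificates.

    Metadata fetched over the network should be parsed with defusedxml in
    production; the standard ElementTree is used here to avoid dependencies.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor element")
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for signing and encryption.
        if kd.get("use") in (None, "signing"):
            for cert in kd.iter("{%s}X509Certificate" % NS["ds"]):
                certs.append("".join(cert.text.split()))
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def check_idp_metadata(idp):
    """List the reasons an SP using the Redirect binding could not work with this IdP."""
    problems = []
    if not idp["entity_id"]:
        problems.append("missing entityID")
    location = idp["sso"].get(HTTP_REDIRECT)
    if location is None:
        problems.append("no SingleSignOnService with the HTTP-Redirect binding")
    elif not location.startswith("https://"):
        problems.append("HTTP-Redirect SSO endpoint is not https")
    if not idp["signing_certs"]:
        problems.append("no signing certificate: SP cannot verify SAML responses")
    return problems


def build_redirect_authn_request(sp_entity_id, acs_url, idp, issue_instant=None):
    """Encode an AuthnRequest as the HTTP-Redirect binding requires:
    raw DEFLATE, then base64, then URL-encoded in the SAMLRequest query parameter.
    The request is unsigned; a signed one adds SigAlg and Signature parameters."""
    instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    request_id = "_" + secrets.token_hex(16)  # XML IDs must not start with a digit
    attr = lambda v: escape(v, {'"': "&quot;"})  # safe inside double-quoted attributes
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="%s" Version="2.0" IssueInstant="%s" Destination="%s" '
        'AssertionConsumerServiceURL="%s" ProtocolBinding="%s">'
        "<saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>"
    ) % (request_id, instant, attr(idp["sso"][HTTP_REDIRECT]), attr(acs_url),
         HTTP_POST, escape(sp_entity_id))
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode("ascii")})
    return idp["sso"][HTTP_REDIRECT] + "?" + query


def decode_redirect_saml_request(url):
    """Inverse of the encoding above, as performed on the IdP side."""
    param = parse_qs(urlsplit(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(param), -15).decode("utf-8")


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("metadata problems:", check_idp_metadata(idp) or "none")
    # Placeholder SP entity ID and ACS URL (assumption, not Avi's actual path).
    url = build_redirect_authn_request("https://app.example.com",
                                       "https://app.example.com/sso/acs/", idp)
    print(url)
    print(decode_redirect_saml_request(url))
```

Run the script against a real exported metadata file by replacing the sample string; an empty problem list means the document names an HTTPS Redirect endpoint for the authentication request and a certificate with which responses can be verified. The decoded request shows exactly what PingFederate receives from the SP under the REDIRECT binding chosen in the Allowable SAML Bindings step.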