Follow the steps documented below to integrate your Rafay and PingOne Organization for Single Sign On (SSO).
Only users with "Organization Admin" privileges can configure SSO in the Rafay Console.
Step 1: Create IdP in Rafay
- Log in to the Rafay Console as an Organization Admin.
- Click on System > Identity Providers
- Click on "New Identity Provider"
- Provide a Name and select "Ping" from the drop-down
- Enter the "Domain" for which you would like to enable SSO
- Optionally, toggle "Encrypted SAML Assertion" if you want SAML assertions to be encrypted
- Provide a "Group Attribute Name": the name of the group attribute statement in SAML assertions that Rafay maps to the Group with assigned roles in the Rafay Console
- Click on Save & Continue
Encrypting SAML assertions is optional because confidentiality on the wire is already provided at the transport layer by HTTPS. Encrypted assertions add a layer of protection on top of that, ensuring that only the SP (Rafay) can decrypt the SAML assertion.
Step 2: View SP Details in Rafay
The Rafay IdP configuration wizard displays the information you need to copy/paste into your PingOne SAML application. Provide the following to your PingOne administrator:
- Assertion Consumer Service (ACS) URL
- SP Entity ID
- NameID Format
- Encryption Certificate (if Encrypted SAML Assertion enabled)
- Group Attribute Statement Name
- Consumer Binding
- Click on Save & Continue to go to Metadata Configuration page
Step 3: Create Rafay Application in PingOne
- Log in to PingOne as an Administrator
- Go to Applications > My Applications > SAML
- Click Add Application and select New SAML Application
Step 4: Configure Application Details in PingOne
In the Application Details page:
- Enter "Rafay Systems" for the application name
- Upload the Rafay Logo
- Click Continue to Next Step
Step 5: Configure SAML Application in PingOne
In the Application Configuration page:
- Select "SAML v 2.0" for Protocol Version
- Copy/Paste the Rafay Assertion Consumer Service URL from Step 2 into the "Assertion Consumer Service (ACS)"
- Copy/Paste the SP Entity ID from Step 2 into the "Entity ID"
If Encrypted SAML Assertion was enabled in Step 1:
- Enable "Encrypt Assertion"
- Upload the Encryption Certificate downloaded in Step 2 to "Encryption Certificate"
- Click Continue to Next Step
Step 6: Configure SSO Attribute Mapping for Group in PingOne
In the SSO Attribute Mapping page:
- Provide the Group Attribute Statement Name value from Step 2 for the "Application Attribute"
- Select "memberOf" from "Identity Bridge Attribute or Literal Value" list
The SSO Attribute Mapping configuration step for Groups is critical because it ensures that PingOne sends the groups the user belongs to as part of the SSO process. Rafay uses this group information to transparently map users to the correct group/role. In the illustrative example used in this guide, "RafayRole" is the name of the group attribute statement.
Step 7: Configure SSO Attribute Mapping to send the user's email as NameID in PingOne
Rafay's SSO works only with the email address format for the user in the NameID of the SAML Subject. In PingOne, configure the SAML Subject to use Email in the SSO Attribute Mapping page:
- Add a new attribute
- Provide "SAML_SUBJECT" for the "Application Attribute"
- Select "Email" from "Identity Bridge Attribute or Literal Value" list
- Click Continue to Next Step to go to the Group Access page
Step 8: Assign Groups to Rafay Application in PingOne
In the Group Access page:
- Search for and add the groups whose members should have access to the Rafay Console
- Click Continue to Next Step to review the setup
In this guide's example, the PingOne group "SystemAdmins" has been assigned to the Rafay application in PingOne. Multiple PingOne users can be added to or removed from this group.
A group with the identical name needs to be created in Rafay. Ensure that this group is mapped to the appropriate Projects with the correct privileges. In the example, the Rafay Group "SystemAdmins" is configured as an "Organization Admin" with access to all Projects.
It is important to emphasize that, with SSO via PingOne, user lifecycle management can be completely offloaded to the IdP. In the example, there are no users managed in the Rafay "SystemAdmins" group because they are all managed in the attached PingOne Org.
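To see what Steps 6 to 8 actually produce on the wire, here is an added example (not Rafay or PingOne code) that parses a SAML Response the way the Rafay SP side would read it: it reports whether the assertion is encrypted (the Step 1/Step 5 option), checks that the Subject NameID uses the emailAddress format required by Step 7, reads the group attribute statement from Step 6 (using the guide's example name "RafayRole") and matches the values against Rafay group names as in Step 8. The sample responses, the user alice@example.com and the group "Developers" are constructed for the example.

```python
"""Inspect a SAML Response the way the Rafay service provider (SP) side expects it.

Added example, not Rafay or PingOne code. The XML documents below are
constructed samples (signatures omitted), not real PingOne captures.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed: Step 7 sends the email as SAML_SUBJECT, Step 6 sends groups as "RafayRole".
PLAIN_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="RafayRole">
        <saml:AttributeValue>SystemAdmins</saml:AttributeValue>
        <saml:AttributeValue>Developers</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed: same response, but the IdP left the NameID format as "unspecified".
UNSPECIFIED_NAMEID_RESPONSE = PLAIN_RESPONSE.replace(
    EMAIL_FORMAT, "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
)

# Constructed: with "Encrypt Assertion" enabled the Assertion is wrapped in
# EncryptedAssertion (real ones carry xenc:EncryptedData inside).
ENCRYPTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:EncryptedAssertion/>
</samlp:Response>"""


def inspect_response(xml_text, group_attr="RafayRole"):
    """Return what the SP sees: NameID, whether its format is emailAddress, and group values."""
    root = ET.fromstring(xml_text)
    if root.find("saml:EncryptedAssertion", NS) is not None:
        # Only the holder of the private key for the Encryption Certificate
        # uploaded in Step 5 can read the assertion; nothing to inspect here.
        return {"encrypted": True}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("Assertion carries no NameID")
    groups = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        # Only the attribute whose Name equals the Group Attribute Name from Step 1 counts.
        if attr.get("Name") == group_attr:
            groups.extend(
                v.text.strip()
                for v in attr.findall("saml:AttributeValue", NS)
                if v.text and v.text.strip()
            )
    return {
        "encrypted": False,
        "name_id": name_id.text.strip(),
        "name_id_is_email": name_id.get("Format") == EMAIL_FORMAT,
        "groups": groups,
    }


def resolve_rafay_groups(idp_groups, rafay_groups):
    """Rafay maps on identical group names; IdP groups with no Rafay counterpart grant nothing."""
    return [g for g in idp_groups if g in rafay_groups]


if __name__ == "__main__":
    for label, doc in [("plain", PLAIN_RESPONSE),
                       ("unspecified", UNSPECIFIED_NAMEID_RESPONSE),
                       ("encrypted", ENCRYPTED_RESPONSE)]:
        print(label, inspect_response(doc))
    print(resolve_rafay_groups(["SystemAdmins", "Developers"], {"SystemAdmins"}))
```

This is a troubleshooting aid for checking the mapping, not an SP: it does not verify the XML signature, which Rafay does using the signing certificate it obtains from the metadata URL configured in Step 9, so a response that passes this inspection is not thereby trustworthy. Note that "Developers" is dropped by resolve_rafay_groups because no Rafay group with that name exists, which is the behaviour Step 8 relies on.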
Step 9: Specify IdP Metadata URL in Rafay
In the PingOne Review setup page:
- Save the SAML Metadata URL; it is configured in the Rafay Console in the next step
- Click Finish to complete the settings in PingOne
- Navigate back to the Rafay Console's IdP Metadata Configuration page
- Paste the SAML Metadata URL from PingOne into the Metadata Url textbox
- Save the IdP settings