This detailed guide walks you through configuring SAML authentication for administrators to access the Cloudi-Fi admin console using Ping Identity as an identity provider.
Use case
This guide provides step-by-step instructions for setting up SAML authentication for Cloudi-Fi administrators, with Ping Identity as the identity provider.
Prerequisites
SAML for Administrators URLs
For context, in this SAML authentication use case, Cloudi-Fi acts as the SP (Service Provider) and Ping Identity as the IdP (Identity Provider). The IdP will authenticate and redirect users back to the SP.
To set up a SAML application in Ping Identity, you will need the Entity ID and the Linkback (ACS) URL of the Service Provider (Cloudi-Fi):
- Log into the Cloudi-Fi Admin Console.
- Navigate to "Settings" > "Auth modes" > "SAML for Administrators".
- Collect the necessary information:
  - Cloudi-Fi Entity ID: https://admin.cloudi-fi.net
  - Linkback URL: https://admin.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml/************
  - ************ is your Cloudi-Fi public key (it can be found in the Cloudi-Fi Admin interface > Settings > Company Account).
You can copy the Linkback URL, with the public key already appended, directly from the 'SAML for Administrators' page of Cloudi-Fi's admin console. This same page is where you will later enter the information gathered from Ping Identity in section 2.
1. Create a SAML application on Ping Identity
Log in to the Ping Identity console, navigate to Applications and select the + sign to add a new application.
Fill in the essential details of your SAML application and click Configure:
- Application Name: Choose a distinctive name that reflects what the SAML application is used for.
- Description: An optional description of your application's purpose or functionality.
- Application Type: choose SAML Application.
On the next page, choose "Manually Enter" and fill in the URLs you collected in the prerequisites section:
- ACS URLs: This is the Linkback URL you copied from Cloudi-Fi's SAML page in the prerequisites section.
- Entity ID: https://admin.cloudi-fi.net - note that https://admin.cloudi-fi.net/ results in an error, so make sure to drop the trailing forward slash.
Congrats, your SAML application is now set up on Ping Identity. You must now collect the information you need from your application (section 2) and enter it in Cloudi-Fi's Admin Console (section 4).
2. Collect the necessary information from your SAML application
First, turn on the application and navigate to the 'Configuration' tab.
Copy the following fields:
- Issuer ID (this will be the IdP EntityId on the Cloudi-Fi end).
- Single Signon Service (this will be the IdP Endpoint on the Cloudi-Fi end).
Download the Signing Certificate as an X509 PEM file.
Open the file with a text editor of your choice and copy the certificate without BEGIN CERTIFICATE and END CERTIFICATE parts.
Alternatively, you can download the metadata file, which contains all the necessary SAML details you have gathered so far:
- Issuer ID
- Single Signon Service
- Signing Certificate
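As an added example (not part of the Cloudi-Fi documentation), the Python snippet below reads an IdP metadata document of the kind Ping Identity exports and extracts the three values entered on the Cloudi-Fi side, stripping the certificate markers and whitespace as described above. The metadata document embedded in it is constructed: the environment id and the certificate body are placeholders, and the choice of the HTTP-Redirect endpoint when several bindings are listed is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a PingOne-style IdP metadata document (not real data):
# the environment id and the certificate body are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://auth.pingone.eu/ENV-ID-PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIICplaceholderCertificateBodyNotARealCert
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://auth.pingone.eu/ENV-ID-PLACEHOLDER/saml20/idp/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://auth.pingone.eu/ENV-ID-PLACEHOLDER/saml20/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def strip_pem(cert: str) -> str:
    """Bare base64 body: no BEGIN/END lines, no whitespace (works on a PEM file too)."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert)
    return "".join(body.split())

def idp_settings(metadata_xml: str) -> dict:
    """Extract IdP EntityId, IdP Endpoint and IdP Signing Certificate from metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    # A KeyDescriptor with no 'use' attribute is valid for signing as well.
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            break
    # Assumption: use the HTTP-Redirect SSO endpoint when several bindings are listed.
    endpoints = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                 if s.get("Binding") == REDIRECT]
    return {"idp_entity_id": root.get("entityID"),
            "idp_endpoint": endpoints[0] if endpoints else None,
            "idp_signing_certificate": strip_pem(cert.text) if cert is not None else None}
```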
The last action to take on the Ping Identity end is to map the attribute to an email address, as admins will use Ping Identity to authenticate using their email addresses.
Map the attribute "saml_subject" to "Email Address" under PingOne Mappings and click 'Save'.
3. Terminology Mapping Between Ping Identity and Cloudi-Fi
This table provides a side-by-side comparison of the key terms as they are named in the two systems, showing which fields correspond to each other.

| Attribute Name in Ping Identity | Attribute Name in Cloudi-Fi | Details |
|---|---|---|
| ACS URLs | Linkback URL | https://admin.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/sp-saml4admin/<company_APIkey> |
| Issuer ID | IdP EntityId | https://auth.pingone.eu/****** |
| Entity ID | Entity ID | https://admin.cloudi-fi.net (no trailing slash) |
| Single Signon Service | IdP Endpoint | https://auth.pingone.eu/******/saml20/idp/sso |
| Signing Certificate | IdP Signing Certificate | X.509 certificate body without the BEGIN CERTIFICATE and END CERTIFICATE markers |
| Attribute Mapping | Email attribute name | saml_subject mapped to Email Address |
| Attribute Mapping (for auto-provisioning) | SAML Profile Attribute | admin_profile mapped to Group Names |
4. Configure Cloudi-Fi's Admin Console
On Cloudi-Fi's Admin Console navigate to Settings > Auth modes > SAML for Administrators.
Enter the SAML details gathered from Ping Identity:
- IdP EntityId on Cloudi-Fi = Issuer ID on Ping Identity.
- IdP Endpoint on Cloudi-Fi = Single Signon Service on Ping Identity.
- IdP Signing Certificate: Enter the X.509 certificate body, excluding the "Begin Certificate" and "End Certificate" markers.
- Email attribute name: Enter exactly saml_subject; this is the attribute you mapped to an email address in the previous step.
Finally, click Save.
Congrats! Your administrators can now authenticate using Ping Identity SAML authentication when they log into Cloudi-Fi's Admin Console.
5. Enable Administrator auto-provisioning (Optional)
Automatic administrator provisioning assigns each administrator a Cloudi-Fi profile based on the Ping Identity group they belong to.
Option 1: Create new groups on Ping Identity with names identical to those of the Cloudi-Fi administrator profiles. The Cloudi-Fi profile with the matching name will be used.
Option 2: Use existing Ping Identity groups. This will create new profiles on the Cloudi-Fi side with limited permissions. You will then need to adjust the permissions of these administrator profiles manually in Cloudi-Fi's Admin Console.
To configure auto-provisioning on Ping Identity:
- Navigate to Directory > Groups and create groups whose names exactly match your admin profile names on Cloudi-Fi (option 1 above).
- Next, modify the attribute mapping of the SAML application again so that a group name is mapped to an admin profile on Cloudi-Fi. Navigate to the application > Attribute Mapping and click the edit (pencil) icon.
- Name the attribute "admin_profile" and map it to "Group Names".
Then, in the same SAML configuration from section 4 on the Cloudi-Fi end, enable "Administrator auto-provisioning":
- SAML Profile Attribute: admin_profile
- Default profile: Choose the default profile to assign to admins who are not part of any group in Ping Identity. Admins who do belong to a group on Ping Identity will be assigned the profile matching their group name.
Troubleshooting
Ping Identity error message
An administrator accesses the admin console and is redirected to the Ping Identity authentication page. The admin enters the required information, signs in, and is then redirected to a Ping Identity error page.
Replay the process while performing an HTTP capture (a web request capture in the web browser), then open a ticket with Cloudi-Fi support with the capture attached (see How to contact your support?).