PingIdentity SAML integration guide
This integration guide shows how to configure PingIdentity as a SAML single sign-on identity provider (IdP) for your Redis Cloud account.
To learn more about Redis Cloud support for SAML, see SAML single sign-on.
Step 1: Set up your identity provider (IdP)
Add the redisAccountMapping attribute
- Log in to your Ping Identity account. Open Administrators > Identities > User Attributes and select Add Attribute.
- Select the DECLARED attribute type.
- Fill in the fields with the following values:
  - Name: redisAccountMapping
  - Display name: redisAccountMapping
  - Description: redisAccountMapping
- Select Save and Close. Then, verify that the attribute was created successfully.
Add the user who will activate SAML in Service Manager (Redis Cloud)
- Go to Administrators > Identities > Users and select Add User.
- Fill in the following information:
  - redisAccountMapping: {accountID}={role}
  accountID is the account ID from your account settings, and role is the role the user will be assigned in the Redis Cloud console (owner, member, manager, billing_admin, or viewer).
- Save and check that the user was added successfully.
Create the Ping Identity SAML application
- Go to Administrators > Connections > Applications and select + to add a new application.
- Choose a name for the application, select the SAML Application type, and select Configure.
- In the ACS URLs and Entity ID fields, enter placeholder data for now, such as https://example.com. You will replace it with the correct values in a later step.
- Select Save.
- Go to the Configuration tab and save the following information:
  - Issuer ID
  - Single Logout Service
  - Single Signon Service
  You will need this information when you configure SAML in the Redis Cloud console.
- Select Download Metadata. An XML file is downloaded. Open it and copy the certificate, which is required for the configuration in the Redis Cloud console.
- Go to the Attribute Mappings tab and add the following attributes:
  - saml_subject
  - FirstName
  - LastName
  - redisAccountMapping
Step 2: Configure SAML support in Redis Cloud
Now that we have our Ping Identity IdP server ready, we need to configure support for SAML in Redis Cloud.
Sign in to Redis Cloud
Sign in to your account on the Redis Cloud console.
Activate SAML in access management
To activate SAML, you must have a local user (or social sign-on user) with the owner role. If you have the correct permissions, you will see the Single Sign-On tab.
- Fill in the information you copied previously, including:
  - Issuer (IdP Entity ID): Issuer ID
  - IdP server URL: Single Signon Service
  - Single logout URL: Single Logout Service
  - Assertion signing certificate: the certificate you copied from the Ping Identity XML file
  Also add:
  - Email domain binding: the domain used in your company's email addresses
- Select Enable and wait a few seconds for the status to change.
- You can then download the service provider (SP) metadata. Save the file to your local hard disk.
- Open the file in any text editor and save the following values from the metadata:
  - EntityID: the unique name of the service provider (SP)
  - Location: the location of the assertion consumer service
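To avoid copying values out of the two metadata files by hand, here is an added Python example (not part of the Redis Cloud docs or of PingOne) that reads the Issuer ID, SSO and SLO URLs and signing certificate from the IdP metadata downloaded in Step 1, reads the EntityID and ACS Location from the SP metadata saved above, and derives the idpId as the part of the Location after the last '/', which is the rule the IdP-initiated SSO section gives. The XML documents, hostnames, IDs and certificate text are constructed placeholders, and the default environment is the app.redislabs.com host used in the Sign on URL.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed, minimal stand-ins for the two downloaded files; every value is a placeholder.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://auth.pingone.example/ENV-ID">
 <md:IDPSSODescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   MIIC...PLACEHOLDER-CERT...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://auth.pingone.example/ENV-ID/saml20/idp/slo"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://auth.pingone.example/ENV-ID/saml20/idp/sso"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sp.redis.example/saml/EXAMPLE-SP-ID">
 <md:SPSSODescriptor><md:AssertionConsumerService index="0"
   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://sp.redis.example/saml/acs/EXAMPLE-IDP-ID"/>
 </md:SPSSODescriptor></md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Values for the Redis Cloud Single Sign-On form: Issuer, SSO URL, SLO URL, certificate."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    # Take the key marked for signing; a KeyDescriptor without 'use' is valid for signing too.
    key = next(k for k in idp.findall("md:KeyDescriptor", NS) if k.get("use") in (None, "signing"))
    cert = key.find(".//ds:X509Certificate", NS).text
    return {"issuer": root.get("entityID"),
            "sso_url": idp.find("md:SingleSignOnService", NS).get("Location"),
            "slo_url": idp.find("md:SingleLogoutService", NS).get("Location"),
            "certificate": "".join(cert.split())}  # drop line breaks/indent around the PEM body

def parse_sp_metadata(xml_text):
    """EntityID and ACS Location to paste back into the PingOne application (Step 3)."""
    root = ET.fromstring(xml_text)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    return {"entity_id": root.get("entityID"), "acs_location": acs.get("Location")}

def idp_id_from_location(acs_location):
    """The guide's rule: idpId is the part of the ACS Location after the last '/'."""
    return urlsplit(acs_location).path.rstrip("/").rsplit("/", 1)[-1]

def sign_on_url(acs_location, environment="app.redislabs.com"):
    """Sign-on / Target Application URL in the form the guide gives."""
    return f"https://{environment}/#/login/?idpId={idp_id_from_location(acs_location)}"
```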
Step 3: Finish SAML configuration in Ping Identity
- In Ping Identity, go to Administrators > Connections > Applications and select your application name. Select the Configuration tab and select Edit. This is where you entered the placeholder data earlier; now enter the correct values:
- Paste the EntityID in the Entity ID field.
- Paste the Location link in the ACS URLS field.
- For the Sign on URL field, enter https://app.redislabs.com/#/login/?idpId= followed by the ID from the Reply URL ID, for example https://app.redislabs.com/#/login/?idpId=0oa5pwatz2JfpfCb91d7.
- Select Save.
- Select the slider to enable the app.
Step 4: Return to Redis Cloud console
- Return to the Redis Cloud console and select Activate.
- A popup appears, explaining that to test the SAML connection you need to log in with the credentials of a user defined in Ping Federate.
- The Ping Federate login screen appears. Enter the credentials and select Sign In.
- If the test succeeds, you will see the following screen. Your local account is now considered a SAML account. To log in to the Redis Cloud console going forward, select the Sign in with SSO button.
- On that screen, enter your SAML email and select Login.
You have successfully configured SAML as an identity provider.
IdP-initiated SSO
- In Ping Identity, go to Administrators > Connections > Applications and select your application name. Select the Configuration tab and select Edit.
- Go to Target Application URL and enter https://{environment}/#/login/?idpId={idpId}, where idpId is the ID found in the Location field, after the last '/'.
- Select Save.
- Go to https://apps.pingone.com/{environment}/myapps/#, where environment is the environment ID found under Administrators > Environment for your app.
You are redirected to the Redis Cloud console.