
SAML Configuration Guide for PingFederate

This guide illustrates how to configure Ping Identity's PingFederate server as the identity provider (IdP) for Risk360.

Risk360 currently only supports IdP-initiated SSO.

Prerequisites

Ensure that you have the following before you start configuring PingFederate as your IdP:

  • PingFederate Admin Account
  • To download the Zscaler Internet Access Connector (it provides the Zscaler ZIA Connector template used for the Risk360 SP connection):

    1. Go to the PingFederate Server Add-Ons page.
    2. Under SaaS Connectors, download Zscaler Internet Access Connector 1.1.
    3. Unzip the connector folder to extract the pf-zscaler-zia-quickconnection-1.1.jar file.
    4. Copy the pf-zscaler-zia-quickconnection-1.1.jar file to the PingFederate server/default/deploy folder.
  • To export your PingFederate signing certificate on the PingFederate admin console:

    1. Log in to your PingFederate administrative console.
    2. Go to Security > Signing & Decryption Keys & Certificates.

    3. Click Select Action on the certificate you want to use.
    4. Click Export.

    5. On the Export Certificate tab, click Next.

    6. On the Export & Summary tab, click Export.

    7. Rename the downloaded certificate's extension to .pem. Renaming changes only the file name, not the encoding: before uploading, open the file and confirm it is Base64 text beginning with -----BEGIN CERTIFICATE-----.
    8. Save this certificate for when you are ready to add PingFederate as an IdP in Risk360.
  • When configuring IdPs, the following information might be required for Risk360:

    • ACS URL for Risk360 cloud:
    https://admin.zscalerrisk.net/idp-auth
    
    • The IdP's SAML signing certificate, exported from PingFederate as described above (not the server's TLS certificate). It must be in Base64-encoded PEM format.
    • Entity ID for Risk360 cloud:
    admin.zscalerrisk.net
    

    If you have a domain defined on multiple Zscaler Internet Access (ZIA) clouds, enter the ZIA cloud name that is associated with Risk360 in the Relay State field (e.g., zscalertwo.net) for each application.

    You must also create admin accounts for your organization's admins. To learn more, see Adding Risk360 Admins.

  • To download the XML Metadata from the Risk360 Admin Portal:

    1. Sign in to the Risk360 Admin Portal.
    2. Go to Administration > Administrator Management > Administrator Management.
    3. Click Download.

    Remember where you saved the metadata as you will upload it for creating a service provider (SP) connection.

    To learn more, see Configuring SAML for Risk360 Admins.

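The certificate step above asks you to rename the export to .pem, which changes the file name but not the encoding. The following is an added example, not code from the Zscaler page or from PingFederate: a standard-library Python helper that accepts either a PEM or a binary DER certificate export, checks that the payload is a single well-formed ASN.1 SEQUENCE (the outer structure of an X.509 Certificate), and writes canonical Base64 PEM for the Risk360 upload. It does not inspect or verify the certificate's contents. The FAKE_DER value in the demo is a constructed stand-in, not a real certificate.

```python
"""Normalize an exported PingFederate signing certificate to Base64 PEM.

Added example, not code from the Zscaler page or from PingFederate.
certificate_to_pem() accepts PEM or DER bytes, checks the outer ASN.1
structure, and returns canonical PEM text. Contents are not verified.
"""
import base64
import re
import ssl
import sys

PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _asn1_sequence_length(der: bytes) -> int:
    """Total encoded length of the outer ASN.1 SEQUENCE (tag 0x30), or -1 if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return -1
    first = der[1]
    if first < 0x80:                      # short form: the byte itself is the length
        return 2 + first
    n = first & 0x7F                      # long form: the next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def certificate_to_pem(data: bytes) -> str:
    """Return canonical PEM for a certificate given as PEM or DER bytes; ValueError otherwise."""
    match = PEM_BLOCK.search(data)
    if match:
        body = re.sub(rb"\s+", b"", match.group(1))   # PEM bodies are line-wrapped
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:                      # binascii.Error is a ValueError
            raise ValueError("PEM body is not valid Base64") from exc
    else:
        der = data                                     # assume a raw DER export
    if _asn1_sequence_length(der) != len(der):
        raise ValueError("payload is not a single well-formed ASN.1 SEQUENCE, so not a DER certificate")
    return ssl.DER_cert_to_PEM_cert(der)


def is_certificate_like(data: bytes) -> bool:
    """True if certificate_to_pem() accepts the bytes."""
    try:
        certificate_to_pem(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Usage: python normalize_cert.py <exported file>   -> PEM on stdout
        with open(sys.argv[1], "rb") as fh:
            print(certificate_to_pem(fh.read()), end="")
    else:
        # Constructed stand-in for an export: a valid ASN.1 SEQUENCE, not a real certificate.
        FAKE_DER = b"\x30\x03\x02\x01\x05"
        print(certificate_to_pem(FAKE_DER), end="")
        print("junk accepted?", is_certificate_like(b"not a certificate"))
```

Run it with the exported file as the only argument and redirect stdout to the .pem you upload to Risk360; a non-certificate file (for example an HTML error page saved by the browser) fails with ValueError instead of being renamed and uploaded.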

Configuring SAML SSO on Zscaler Services

You need to register PingFederate as an IdP in Zscaler services for SAML Single Sign-On (SSO).

To add PingFederate as an IdP in Risk360:

  1. If you haven't renamed your certificate from the prerequisites step, rename your certificate's extension to .pem.
  2. Upload your IdP signing certificate as described in Configuring SAML SSO for Risk360 Admin.
  3. Click Save.

Configuring a Service Provider Connection on PingFederate

To configure a service provider (SP) connection on the PingFederate administrative console:

  1. Verify the SAML 2.0 entity ID:
    1. Go to System > Server > Protocol Settings > Federation Info.
    2. In the SAML 2.0 Entity ID field, enter a name for PingFederate to use when SAML applications need to identify it. This value is the Issuer in the assertions PingFederate sends to Risk360.
    3. Click Save.
  2. Create an SP connection:
    1. Use the SP Connections shortcut or go to Applications > Integration > SP Connections.
    2. Click Create Connection.

    3. In the Create Connection wizard, configure the following sections:
      • Connection Template: Select Use a template for this connection. For Connection Template, select Zscaler ZIA Connector. For Metadata File, upload the metadata file you downloaded from the Risk360 Admin Portal. Click Next.
      • Connection Type: Ensure the Browser SSO Profiles checkbox is selected, then click Next.
      • Connection Options: Ensure the Browser SSO checkbox is selected, then click Next.
      • General Info:
        • Partner's Entity ID (Connection ID): Verify the partner's entity ID. It is read from the uploaded metadata and must be the Risk360 entity ID (admin.zscalerrisk.net).
        • Connection Name: Enter a connection name. This might be pre-populated and can be revised to your preference.
        • Base URL: Verify the base URL. You must append :443 to the end of your base URL.

          For example, if your base URL is https://login.zscaler.net, then your new base URL is https://login.zscaler.net:443

        • Click Next.
      • Browser SSO:
        1. On the Browser SSO page, click Configure Browser SSO.
        2. On the Assertion Creation page, click Configure Assertion Creation.
        3. On the Authentication Source Mapping page, click Map New Authentication Policy.
        4. On the Authentication Policy Contract tab, select subject for the Authentication Policy Contract field.

          This allows the authentication to be connected to policies. If required, you can configure the contract attribute that is applicable to you.

        5. Click Next.

        6. On the Mapping Method page, select Retrieve Additional Attributes from a data store -- includes options to use alternate data stores and/or a failsafe mapping.
        7. Click Next.

        8. On the Attribute Sources & User Lookup tab, click Add Attribute Source.
        9. On the Data Store page:
          • Attribute Source Description: Enter a description for the Attribute Source.
          • Active Data Store: Select PingDirectory.
        10. Click Next.

        11. On the LDAP Directory Search page:

          • Base DN: Enter ou=Zscaler Users,dc=example,dc=com.
          • Search Scope: Select Subtree from the drop-down menu.
          • Attributes to return from the search:
            • Root Object Class: Select <Show All Attributes>.
            • Attribute: Select mail.
            • After mail is added, click Add Attribute next to it.

        12. Click Next.
        13. On the LDAP Filter page, for the Filter field, enter uid=${subject}.
        14. Click Next.

        15. On the Attribute Contract Fulfillment page:
          • SAML_Subject: Select LDAP (pd).
          • Value: Select mail.
        16. Click Next.

        17. On the Summary page, click Done after you verify your attribute source configuration.
        18. On the Attribute Sources & User Lookup page, click Next after you verify your data store to supply user information in the SAML assertion to the SP.

        19. On the Failsafe Attribute Source page, select Abort the SSO Transaction, so that a user who is not found in the directory is denied rather than issued an assertion.
        20. Click Next.

        21. Click Done after reviewing your Authentication Source Mapping configuration.

        22. Click Done after reviewing your Summary.
        23. On the Assertion Creation page, click Next.

        24. On the Protocol Settings page, click Next.

        25. On the Summary page, click Done to save your configuration.

      • Credentials:
        1. On the Credentials page, click Configure Credentials.
        2. Select your Signing Certificate. Use the certificate you exported in the prerequisites and uploaded to Risk360: Risk360 validates assertion signatures against that uploaded certificate, so the two must be the same key pair.
        3. Click Done.

Initiate SSO

Risk360 supports only IdP-initiated single sign-on, so users must start at PingFederate rather than at the Risk360 sign-in page. PingFederate's documentation describes how to invoke IdP-initiated SSO. To learn more, refer to the PingFederate documentation.

When using IdP-initiated SSO, Risk360 requires the ZIA cloud name (e.g., zscalerthree.net) to be passed in the SAML RelayState if your domain is defined on multiple ZIA clouds. Zscaler recommends setting the RelayState even in a single ZIA cloud deployment, so that sign-in is not disrupted if a second ZIA cloud is added later. PingFederate passes the RelayState value through the TargetResource query parameter of the /idp/startSSO.ping application endpoint.

For example, with the ZIA cloud name associated with Risk360 as the TargetResource value:

https://{PingFederate hostname}/idp/startSSO.ping?PartnerSpId={Risk360 Connection ID}&TargetResource=zscalerthree.net
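The SP connection settings above and the IdP-initiated URL fit together as follows. This is an added example, not code from the Zscaler page or from PingFederate: it builds the /idp/startSSO.ping URL with the TargetResource (forwarded by PingFederate as RelayState) set to the ZIA cloud name, and it checks a decoded SAMLResponse, as PingFederate would POST it to the Risk360 ACS, against the values this page specifies: Destination and Recipient equal to the ACS URL, Audience equal to the Risk360 entity ID, Issuer equal to the PingFederate entity ID, NameID carrying the mail attribute, and a RelayState that is a cloud name. It does not verify the XML signature; Risk360 does that with the uploaded signing certificate. The IdP entity ID, the e-mail address and the sample response are constructed for the example.

```python
"""Build the IdP-initiated SSO URL and check the resulting assertion for Risk360.

Added example, not code from the Zscaler page or from PingFederate.
Signature verification is deliberately out of scope; standard library only.
"""
import base64
import re
import urllib.parse
import xml.etree.ElementTree as ET

ACS_URL = "https://admin.zscalerrisk.net/idp-auth"   # from the page
SP_ENTITY_ID = "admin.zscalerrisk.net"               # from the page
IDP_ENTITY_ID = "https://pingfederate.example.com"   # assumed PingFederate SAML 2.0 entity ID
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOUD_NAME = re.compile(r"^[a-z0-9]+(\.[a-z0-9-]+)+$")   # e.g. zscalerthree.net


def idp_initiated_url(pf_host: str, connection_id: str, zia_cloud: str) -> str:
    """URL a user opens to start IdP-initiated SSO; both parameters are URL-encoded."""
    query = urllib.parse.urlencode({"PartnerSpId": connection_id, "TargetResource": zia_cloud})
    return f"https://{pf_host}/idp/startSSO.ping?{query}"


def decode_saml_response(form_value: str) -> str:
    """The SAMLResponse form field POSTed to the ACS is Base64; return the XML text."""
    return base64.b64decode(form_value).decode("utf-8")


def check_saml_response(xml_text: str, relay_state: str, idp_entity_id: str = IDP_ENTITY_ID,
                        acs_url: str = ACS_URL, sp_entity_id: str = SP_ENTITY_ID) -> list:
    """Return a list of mismatches against the Risk360 SP settings; empty means consistent."""
    problems = []
    root = ET.fromstring(xml_text)   # ElementTree does not resolve external entities
    if root.tag != f"{{{NS['samlp']}}}Response":
        return [f"not a samlp:Response: {root.tag}"]
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL {acs_url!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext saml:Assertion (encrypted assertions are not handled here)")
        return problems
    for issuer in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if issuer is None or (issuer.text or "").strip() != idp_entity_id:
            problems.append("Issuer != PingFederate SAML 2.0 entity ID")
            break
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    subject = (name_id.text or "").strip() if name_id is not None else ""
    if "@" not in subject:
        problems.append(f"NameID {subject!r} is not an e-mail address; SAML_Subject should map to mail")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("SubjectConfirmationData Recipient != ACS URL")
    audiences = [a.text.strip() for a in
                 assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include {sp_entity_id!r}")
    if not CLOUD_NAME.match(relay_state or ""):
        problems.append(f"RelayState {relay_state!r} is not a ZIA cloud name such as zscalerthree.net")
    return problems


# Constructed, unsigned SAMLResponse shaped like what the startSSO.ping flow POSTs to the Risk360 ACS.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>admin.zscalerrisk.net</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(idp_initiated_url("pingfederate.example.com", SP_ENTITY_ID, "zscalerthree.net"))
    print("problems:", check_saml_response(SAMPLE_RESPONSE, "zscalerthree.net"))
    tampered = SAMPLE_RESPONSE.replace("<saml:Audience>admin.zscalerrisk.net", "<saml:Audience>login.zscaler.net")
    print("tampered:", check_saml_response(tampered, "zscalerthree.net"))
```

To use it against a real exchange, capture the POST to https://admin.zscalerrisk.net/idp-auth in the browser's developer tools, pass the SAMLResponse form value through decode_saml_response() and the RelayState value through check_saml_response(). An Audience of a ZIA cloud entity rather than admin.zscalerrisk.net, or an empty RelayState in a multi-cloud tenant, is reported before Risk360 rejects the login.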