You can configure single sign-on (SSO) between PingFederate and VMware Tanzu Application Service for VMs (TAS for VMs).
You can create an SSO partnership between PingFederate and TAS for VMs using the following steps:
-
Configuring PingFederate as an identity provider (IDP). For more information, see Configure PingFederate as the SAML Identity Provider for TAS for VMs.
-
Configuring the service provider (SP). For more information, see Configure TAS for VMs as the SAML Service Provider for PingFederate.
Configure PingFederate as the SAML identity provider for TAS for VMs
To configure PingFederate as the SAML IDP for your TAS for VMs tile:
-
Download your IDP metadata from PingFederate Server:
- Log in to PingFederate Administrative Console.
- Select Administrative Functions.
- Click Metadata Export.
- If your PingFederate server is configured to act as both an IDP and an SP, indicate which type of configuration you want to export. The Signing key can be exported. You can skip the options related to encryption keys and metadata attribute contract because they are not supported at this time.
- Click Next.
-
Follow the procedure in Configure TAS for VMs as a Service Provider for SAML in Configuring Authentication and Enterprise SSO for TAS for VMs to set the IDP metadata on TAS for VMs.
Configure TAS for VMs as the SAML service provider for PingFederate
To configure TAS for VMs as the SAML SP for PingFederate:
-
Download the SP metadata from https://login.SYSTEM-DOMAIN/saml/metadata, where SYSTEM-DOMAIN
is the system domain of your Operations Manager installation.
-
Save the SP metadata to an XML file.
-
Import the SP metadata to PingFederate:
- Log in to PingFederate Administrative Console.
- Under Main Menu, select IdP Configuration.
- Select SP Connection.
- Click Import.
- In the Import Connection pane, browse and select the
.xml
file downloaded in the previous step.
- Click Import.
- Click Done.
-
TAS for VMs expects the NameID format to be an email address, such as urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
, and the value to be the email address of the currently logged-in user. The SSO does not function without this setting.
- Under Main Menu, click the connection name. To see a full list of connections, click Manage All SP.
- Under the SP Connection, select Browser SSO.
- Click Configure Browser SSO.
- Under Browser SSO, select Assertion Creation.
- Select Configure Assertion Creation.
- On the Summary pane, select Identity Mapping.
- Select Standard.
- For the NameID format, select Email Address and enter the email address of the user.
-
Select the Authentication Source:
- Under the SP Connection, select Browser SSO.
- Select Configure Browser SSO.
- In Browser SSO, select Assertion Creation.
- Select Configure Assertion Creation.
- On the Summary pane, select IdP Adapter Mapping.
- Select Adapter Instance Name.
- On the Summary pane, select Adapter Instance.
-
Activate the SSO Browser Profiles:
- Under SP Connection, select Browser SSO.
- Select Configure Browser SSO.
- On the Summary pane, select SAML Profiles.
- Ensure that the IdP-Initiated SSO and SP-Initiated SSO check boxes are activated.
Important TAS for VMs does not support SLO profiles at this time. You can leave them deactivated.
-
Activate the SP Connection.