Setting up IBM Cloud App ID with Ping One

By: Gelareh Taban


Last week we launched our latest IBM Cloud App ID feature, SAML 2.0 Federation. This feature allows you to easily manage user identities in your B2E apps while authenticating the users using existing enterprise flows and certified user repositories. In this blog we will use Ping One (the IDaaS solution of Ping Identity) as an example identity provider and show how a developer can configure both App ID and Ping so that:

  • Ping authenticates app users

  • App ID federates and manages user identities

App ID allows developers to easily add authentication, authorization and user profile services to apps and APIs running on IBM Cloud. With App ID SDKs and APIs, you can get a sign-in flow working in minutes, enable social log-in through Google and Facebook, and add email/password sign-in. The App ID User Profiles feature can be used to store information about your users, such as their app preferences. In short, App ID ensures that your app is used only by authorized users and that those users have access only to what they should have access to. The app experience is custom, personalized and, most importantly, secure.

SAML 2.0 Federation Architecture

Before we begin, we should first review the architecture and flow of a federation-based enterprise login and SSO using the SAML 2.0 framework. Here, AD FS is the identity provider that provides enterprise identity and access management (IAM).

Federation-based enterprise login and SSO using SAML 2.0


  1. Application user opens an application deployed on cloud or invokes a protected cloud API.

  2. App ID automatically redirects the user to the Enterprise IAM identity provider.

  3. The user is challenged to sign in using enterprise credentials and a familiar UI/UX.

  4. On successful login, the Enterprise IAM identity provider redirects the user back, supplying SAML assertions.

  5. App ID creates access and identity tokens representing user’s authorization and authentication and returns them to the application.

  6. Application reads the tokens to make business decisions as well as invoke downstream protected resources.

Configuration Steps

Before we begin, you must have:

  • An IBM Cloud account, signed in through a browser

  • An App ID instance

  • A Ping Identity account with a Ping One account

Step 1

Sign in to IBM Cloud, browse to the catalog and create an App ID instance. Under the Identity Providers menu, select SAML 2.0 Federation.


Step 2

Click on the Download SAML Metadata file. This will download a file appid-metadata.xml.


Let’s review some of the parameters defined in the metadata file. We need these parameters to configure the identity provider.

  • <EntityDescriptor> identifies the application for which the SAML identity provider is being setup. EntityID is the unique identifier of the application.

  • <SPSSODescriptor> describes the service provider (SP) requirements. App ID requires the protocol to be SAML 2.0 and requires signed assertions.

  • <NameIDFormat> defines how App ID and the identity provider uniquely identify subjects. App ID uses emailAddress, and therefore the identity provider needs to associate the username with emailAddress.

  • <AssertionConsumerService> describes the protocol and endpoint where the application expects to receive the authentication token.

You can find more detailed documentation on both mandatory and optional attributes that App ID supports here.

Step 3

Open the Ping One Management console and add a New SAML Application.


  • Enter the name and description of your application as requested by Ping and then click on Continue to Next Step.

  • Under Application Configuration, select the Upload Metadata option and upload appid-metadata.xml, the App ID metadata file you downloaded in Step 2. Once this file is uploaded, Ping will automatically provision the fields for Assertion Consumer Service (ACS) and Entity ID.


  • Make sure the protocol version selected is SAML v 2.0.

  • Download the SAML Metadata file Ping provides, saml2-metadata-idp.xml. You will use this file to finish setting up App ID later.

  • The rest of the application configuration fields are currently not required so you can click on Continue to Next Step.

  • In the SSO Mapping Attribute section you can map attributes between App ID and Ping. We will cover this in more detail in Step 4.

  • Finally click on Save and Publish.

  • You have now finished setting up App ID as a SAML application in Ping.

Step 4

App ID also supports name, email, picture and locale custom attributes in the SAML assertions it receives from the identity provider. App ID can only consume these attributes if they are in the following format:

<Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="name"><AttributeValue>Ada Lovelace</AttributeValue></Attribute>

NameFormat is the way that App ID interprets the Name field. The format specified, urn:oasis:names:tc:SAML:2.0:attrname-format:basic, is also the default format if no format is provided.

To add these additional rules, select SSO Attribute Mapping > Add new attribute.


  • Set Application Attribute to email

  • Set Identity Bridge Attribute or Literal Value to Email

  • Select Advanced and set Name Format to urn:oasis:names:tc:SAML:2.0:attrname-format:basic

  • Save your attribute.


You can add similar rules for the name, picture, and locale attributes.
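The following is an added example, not App ID or Ping One code, showing how a service provider consumes the AttributeStatement of an assertion under the rules in Step 4: a missing NameFormat is treated as the basic URI, attributes in any other format are ignored, and only name, email, picture and locale are kept. It also checks that the Subject NameID uses the emailAddress format the metadata review in Step 2 calls for. The assertion below is constructed for the example (the issuer and addresses are placeholders), and signature verification is assumed to have happened before this step.

```python
"""Consume profile attributes from a SAML 2.0 assertion the way Step 4
describes: NameFormat defaults to 'basic', non-basic attributes are skipped,
and only name/email/picture/locale are accepted.

Added example (constructed assertion); parse only after the assertion's
XML signature has been verified, which is out of scope here.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
ACCEPTED_ATTRIBUTES = ("name", "email", "picture", "locale")

# Constructed sample: one attribute with explicit basic format, one with no
# NameFormat (defaults to basic), one in 'uri' format, one unknown name.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Issuer>https://sso.example.test/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ada@example.test</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="name">
      <saml:AttributeValue>Ada Lovelace</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>ada@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="locale">
      <saml:AttributeValue>en-GB</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="memberOf">
      <saml:AttributeValue>engineering</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_profile_attributes(assertion_xml):
    """Return (accepted, skipped): accepted maps attribute name -> value for
    the attributes App ID consumes; skipped lists (name, reason) for the rest."""
    root = ET.fromstring(assertion_xml)
    accepted = {}
    skipped = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        # No NameFormat means basic, as the post notes.
        name_format = attr.get("NameFormat", BASIC)
        value_el = attr.find("saml:AttributeValue", NS)
        value = (value_el.text or "").strip() if value_el is not None else ""
        if name_format != BASIC:
            skipped.append((name, "NameFormat is not basic: " + name_format))
        elif name not in ACCEPTED_ATTRIBUTES:
            skipped.append((name, "not a profile attribute App ID consumes"))
        elif not value:
            skipped.append((name, "empty value"))
        else:
            accepted[name] = value
    return accepted, skipped


def subject_name_id(assertion_xml):
    """Return the NameID value, requiring the emailAddress format App ID expects."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("assertion has no Subject/NameID")
    fmt = name_id.get("Format", "")
    if not fmt.endswith(":emailAddress"):
        raise ValueError("NameID format %r is not emailAddress" % fmt)
    return (name_id.text or "").strip()


if __name__ == "__main__":
    print("subject:", subject_name_id(SAMPLE_ASSERTION))
    ok, rejected = extract_profile_attributes(SAMPLE_ASSERTION)
    print("accepted:", ok)
    for attr_name, reason in rejected:
        print("skipped %s: %s" % (attr_name, reason))
```

Running it shows name and email accepted, locale skipped because it was mapped with the uri format instead of basic (the mistake the Advanced > Name Format setting in Step 4 prevents), and memberOf skipped because it is not one of the four profile attributes.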

Step 5

Finish configuring App ID by using the information in saml2-metadata-idp.xml. 

  • Set entityID to the attribute value of EntityDescriptor entityID from the metadata file.

  • Set Sign-in URL to the URL value for the SingleSignOnService Location attribute in the metadata file.

  • Primary Certificate should be set to the base64 encoded signing certificate string X509Certificate located under KeyDescriptor use="signing". Ensure there is no white space at the beginning of each line.

Save the configuration data.
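As an added example (not App ID or Ping One code), the script below pulls the three Step 5 values out of an identity provider metadata file such as saml2-metadata-idp.xml: the EntityDescriptor entityID, the SingleSignOnService Location, and the X509Certificate under KeyDescriptor use="signing", with the leading white space on each certificate line removed and the result checked to be valid base64. It also confirms the descriptor advertises the SAML 2.0 protocol, matching the Step 3 check. The metadata is constructed, the certificate body is a placeholder rather than a real key, and the choice of the HTTP-Redirect binding as the default Sign-in URL is an assumption of the example, not something the post states.

```python
"""Extract the Step 5 settings (entityID, Sign-in URL, Primary Certificate)
from SAML 2.0 identity provider metadata.

Added example with constructed metadata; the certificate text is a
placeholder, not a real certificate.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: an encryption key listed before the signing key, and
# certificate lines indented the way exported metadata often is.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml2">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        QUJDREVGR0g=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        TUlJQ2V6Q0NB
        ZW1nQXdJQkFn
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml2/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def normalize_certificate(raw):
    """Strip the white space at the start of each line (the pitfall the post
    warns about), join the base64 lines, and verify the result decodes."""
    body = "".join(line.strip() for line in raw.splitlines() if line.strip())
    base64.b64decode(body, validate=True)  # raises binascii.Error on junk
    return body


def idp_settings(metadata_xml, binding=REDIRECT_BINDING):
    """Return the values to paste into the App ID SAML 2.0 Federation form."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    if SAML2_PROTOCOL not in idp.get("protocolSupportEnumeration", "").split():
        raise ValueError("identity provider does not advertise SAML 2.0")
    sign_in_url = None
    for svc in idp.iterfind("md:SingleSignOnService", NS):
        if svc.get("Binding") == binding:
            sign_in_url = svc.get("Location")
            break
    if not sign_in_url:
        raise ValueError("no SingleSignOnService with binding " + binding)
    certificate = None
    for kd in idp.iterfind("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute serves both signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if el is not None and el.text:
            certificate = normalize_certificate(el.text)
            break
    if certificate is None:
        raise ValueError("no signing X509Certificate found")
    return {"entityID": entity_id, "sign_in_url": sign_in_url, "primary_certificate": certificate}


if __name__ == "__main__":
    for key, value in idp_settings(SAMPLE_IDP_METADATA).items():
        print("%s: %s" % (key, value))
```

Pass a different binding URI as the second argument if your App ID configuration expects the HTTP-POST endpoint; the loop picks the first SingleSignOnService whose Binding matches rather than blindly taking the first Location in the file.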


Step 6

You can now test your configuration by clicking on the Test button. This will initiate an authentication request to Ping. Make sure you have saved your configuration before testing, otherwise Test will not work. 


Once you have entered the credential information and successfully authenticated with Ping, you should be presented with an App ID access token as well as an identity token.

Congratulations!!


You have successfully configured your App ID instance using Ping One identity as a service!

Make sure you check out some of our upcoming blog articles in our App ID SAML series:

  • Setting up IBM Cloud App ID with Azure Active Directory

  • Setting up IBM Cloud App ID with Active Directory Federation Service

Try it out!

We’d love to hear from you with feedback and questions. Get help for technical questions at Stack Overflow, with the ibm-appid tag. For non-technical questions, use IBM developerWorks, with the appid tag. For defect or support needs, use the support section in the IBM Cloud menu.

To get started with App ID, check it out in the IBM Cloud Catalog.
