Configuring PingFederate with Google Apps
This article was written and submitted by an external contributor.
The Google Apps team thanks Derya Kurt for his time and expertise.
Derya Kurt, Ping Identity
May 2008
Contents
- PingFederate Overview
- Configuring Google Apps
- Integration Prerequisites
- Configuring PingFederate Server as the Identity Provider (IDP)
- Author Bio
PingFederate Overview
PingFederate® is a federated identity server for enabling secure single
sign-on to internet applications. It is a self-contained server that works in
conjunction with existing enterprise identity management systems such as CA
SiteMinder and Oracle Access Manager, and it also offers out-of-the-box
solutions for integrating with Java, .NET, and PHP applications.
In addition to the core SAML and WS-Federation browser SSO functionality
offered by PingFederate, Ping Identity also offers an optional add-on module:
PingFederate Web Services, which extends standards-based identity
management to SOAP and REST-based distributed systems.
PingFederate is available for download. Once you have the software, request your free
evaluation license key here.
PingFederate Configuration with Google Apps
Integration Prerequisites
Before attempting this integration, you should
- have a working and properly configured PingFederate 5.x server
- be familiar with the PingFederate server architecture and administration configuration procedures
Configuring PingFederate Server as the Identity Provider (IDP)
The following configuration steps need to be performed as the PingFederate Administrator.
- Go to https://<Your_PingFederate_Host>:<port>/pingfederate/app and sign in as the Administrator.
- A single instance of the PingFederate server can act as both Identity Provider
and Service Provider. Since you are going to be the Identity Provider for
integrating with Google Apps, you need to configure the Roles &
Protocols under Server Settings and enable the Identity Provider
role with the SAML 2.0 protocol.
- As an Identity Provider, you will need to create a new connection to a Service Provider.
To integrate with Google Apps, create a new SP (Service Provider) connection,
and supply Google Apps' EntityID and base URL when creating it.
- There are two types of SSO profiles that can be used: IdP (Identity
Provider)-initiated SSO and SP (Service Provider)-initiated SSO. In this
configuration, we will be using IdP-initiated SSO. To do that,
choose IdP-initiated SSO under SAML Profiles.
- Acting as the Identity Provider, you will need to define an Assertion
Consumer Service URL (ACS URL). You do this under Web SSO,
where you can also specify the binding type (POST or ARTIFACT).
- As the Identity Provider, you will need to create a signing certificate
and share it with the Service Provider you are integrating with. You can
create a new signing certificate via the Credentials screen.
Once you've created this certificate, export it and share it with Google Apps.
- Finally, import the signing certificate you've created with PingFederate into Google
Apps via the Google Apps control panel, and make sure that the "Use a domain specific issuer" checkbox is selected.
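Once the steps above are complete, the browser will POST a SAMLResponse from PingFederate to the ACS URL. The following added example (not part of the original article or of PingFederate) shows how an administrator can decode such a response and check that its Destination, Audience, signature presence and validity window agree with the SP connection settings; the ACS URL, EntityID and sample response are constructed values standing in for your own configuration.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed stand-ins for the ACS URL and EntityID entered in the SP connection (assumptions).
EXPECTED_ACS_URL = "https://www.google.com/a/example.com/acs"
EXPECTED_AUDIENCE = "google.com/a/example.com"  # domain-specific issuer form, assumed

def check_saml_response(saml_response_b64, expected_acs, expected_audience, now):
    """Decode the SAMLResponse form field (HTTP-POST binding); return a list of findings."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    findings = []
    if root.get("Destination") != expected_acs:
        findings.append("Destination differs from the configured ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["Response carries no Assertion"]
    # Presence check only: verifying the XML-DSig needs a library and the exported certificate.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        findings.append("neither Response nor Assertion is signed")
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != expected_audience:
        findings.append("Audience differs from the SP EntityID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"):
        fmt = "%Y-%m-%dT%H:%M:%SZ"  # SAML timestamps are UTC
        start = datetime.strptime(cond.get("NotBefore"), fmt).replace(tzinfo=timezone.utc)
        end = datetime.strptime(cond.get("NotOnOrAfter"), fmt).replace(tzinfo=timezone.utc)
        if not start <= now < end:
            findings.append("current time is outside the assertion validity window")
    return findings

# Constructed sample of what the IdP posts to the ACS URL (not a real capture).
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2008-05-01T12:00:00Z" Destination="https://www.google.com/a/example.com/acs">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-05-01T12:00:00Z">
    <saml:Issuer>pingfederate.example.com</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <saml:Conditions NotBefore="2008-05-01T11:55:00Z" NotOnOrAfter="2008-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>google.com/a/example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
SAMPLE_INSTANT = datetime(2008, 5, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(check_saml_response(SAMPLE_B64, EXPECTED_ACS_URL, EXPECTED_AUDIENCE, SAMPLE_INSTANT) or "consistent")
```

A mismatch in Destination or Audience usually means the ACS URL or EntityID typed into the SP connection does not match what Google Apps expects for the domain-specific issuer.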
Author Bio
Derya Kurt is originally from Istanbul, Turkey and currently resides with his
wife in the Boston area. Derya completed his undergraduate studies at the
University of Massachusetts - Dartmouth while majoring in Computer Science
and with a minor in Software Engineering.
After several terms as an intern with Macromedia in Cambridge (now part of
Adobe), Derya was hired to join Macromedia's Professional Services & Product
Support Team. After the acquisition of Macromedia by Adobe, Derya became a
Support Engineer at Softscape wherein he was responsible for their backline
support.
Today, Derya is a part of the Global Client Services Team at Ping Identity
and is responsible for supporting Internet Secure Single Sign-On and
Federation Projects utilizing PingFederate.
This work is licensed under a
Creative Commons Attribution-No Derivative Works 3.0 United States License.