Single Sign-On — PingFederate

The SearchStax Site Search solution offers PingFederate Single Sign-On (SSO). SSO lets your users log in with a single ID and password that works across multiple software systems.

Note: This is an optional feature that you can add to your SearchStax account. Contact SearchStax for details.

We use the open standard Security Assertion Markup Language (SAML). This allows identity providers (IdP) to pass authorization credentials to service providers (SP). This page provides instructions to use PingFederate to implement SSO for SearchStax.

SSO is an add-on Site Search feature available with the Advanced and Premium plans.

Instructions

Once SearchStax enables SSO for your account and sets up a domain, the SSO setup options appear in the My Profile screen of the My Account menu.

Account settings menu showing Two-Factor Authentication enabled and Single Sign-On configuration options with setup button.

Click the Set Up Single Sign-On button to see a screen with configuration URLs and feature options. You'll need to refer to this screen while setting up the SSO profile with your Identity Provider.

SAML configuration form with fields for Assertion Consumer Service URL, Metadata URL, IdP entity URL, Sign-In URL, and Sign-Out URL, along with toggles ...

This screen contains the following fields and options:

  • Assertion Consumer Service (ACS) URL: Note that the URL includes your SSO domain (called mydomain in the following discussion).
  • Metadata URL: SearchStax metadata endpoint.
  • Enable Checkbox: If checked, SSO is enabled for this account.
  • Assertion Responses Signed: Use the drop-down list to indicate whether assertions and/or responses should be signed.
  • Allow Email Password Login Checkbox: If checked, allows login by email and password in addition to SSO.
  • Auto Create Users Checkbox: If checked, creates a new user account the first time a user logs in.
  • IdP Entity URL: Identity provider URL.
  • Metadata URL: The SAML 2 Metadata URL of your identity provider.
  • Sign-In URL: The URL used for signing into the SAML Identity Provider.
  • Sign-Out URL (Optional): The URL shown after a successful sign-out.

PingFederate Setup

Note: Make sure you've already set up an Adapter inside PingFederate.

  1. Go to the PingFederate IdP administration console and select the Create New button underneath the SP Connections section:
    The SP Connections panel showing two SAML 2.0 connections with a Create New button highlighted in red.
  2. In the Connection Type tab, select the Browser SSO Profiles/SAML 2.0 Template then click Next. In the Connection Options, select Browser SSO and click Next:
    SP Connection configuration panel showing connection type selection with Browser SSO Profiles option and SAML 2.0 protocol.
    SP Connection configuration panel with Connection Type and Connection Options tabs, showing Browser SSO selected and IDP Discovery and Attribute Query o...
  3. The next tab is Import Metadata. You can extract our metadata from the URL shown in the dashboard screenshot above and import it here. This prefills some future sections for you:
    SP Connection setup page with tabs for Connection Type, Connection Options, and Import Metadata, showing file selection for partner metadata.
  4. In the General Info tab, verify that the following boxes have the correct information. Complete this step whether you imported our metadata or not.

    The Entity ID box should contain our EntityID, which is also our metadata URL.

    Connection Name is whatever you want to use to identify this connection in your PingFed dashboard.

    Virtual Server IDs is important. It overwrites your "master" EntityID and displays a value in your metadata that we require to connect properly. Use a URL format like https://sso-t.com/idp/SSO.saml2.

    Scroll to the bottom and click Next:
    SP Connection configuration form showing partner entity ID, connection name, virtual server IDs, base URL, and company fields.
  5. The next tab is where you'll configure the Browser SSO settings. After you click Configure Browser SSO, select SP-Initiated SSO and click Next.
    SAML Profiles tab showing IDP-Initiated SSO and SP-Initiated SSO checkbox options for configuring Single Sign-On profiles.
    We left the Assertion Lifetime settings as default and then clicked Next.
    The Assertion Lifetime tab showing SAML assertion validity window with minutes before and after expiration settings.
  6. Next, configure the Assertion Creation by clicking the Configure Assertion Creation button. Keep standard identity mapping and click Next. In the Attribute Contract tab, pass surname, email, and givenName in the assertion. Use the Extend the Contract section and then click Next.
    Attribute Contract configuration tab showing SAML subject name format and attribute name format settings for SP Connection Browser SSO.
  7. Now that you've created the attributes, map them. Use the Map New Adapter Instance button on the Authentication Source Mapping tab.

    Select the Adapter you've configured for this connection and then click Next until you reach the Attribute Contract Fulfillment tab.

    Map your values to the email, surname, and givenName attributes being passed from your end. When finished, click Next and then the Done button until you see the Configure Protocol Settings button.
    Attribute Contract Fulfillment tab showing SAML_SUBJECT mapped from Adapter with username value and email mapped from Text with test value.
  8. When configuring the protocol, send your POST requests to the ACS URL provided in the SearchStax dashboard.
    Assertion Consumer Service URL configuration tab showing default, index, binding, and endpoint URL fields for SAML assertion consumer URL setup.
    It'll look something like *.searchstax.com/saml2/acs/. Click Next until you arrive at the Signature Policy Tab.

    Select the Sign the SAML Assertion checkbox. Click Next until you get to the Configure Credentials button.
    SP Connection Browser SSO Signature Policy tab with SAML assertion signing options and a checkbox to sign SAML assertions.
  9. Select the valid certificate used in your signings:
    Digital Signature Settings tab showing certificate selection dropdown and option to include certificate in SAML signature keyinfo element.

    Click Next and review all the tabs presented. If everything looks good, activate the connection and click Save.
  10. When you've finished setting things up in PingFed, come back to the dashboard and enter your SSO values:
    SAML authentication configuration form with IdP entity URL, metadata URL, login URL, and logout URL fields for PingFederate setup.

    We need your IdP Entity URL. As discussed above, this will be the Virtual Server ID (VSID) that you configured for this connection. We also need the URL to your metadata and the Login URL used for this connection. Once you've entered these values, select the Enabled checkbox and click Save Settings.
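
To confirm the connection emits what the steps above configure, the following added example (not SearchStax or Ping Identity code) lints a decoded SAML response, such as one captured with a browser SAML tracer during a test login. It assumes the attribute Name values are the literal names from step 6, uses mydomain as the placeholder SSO domain, and uses a constructed sample response; the signature check is a presence check only, not cryptographic verification.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REQUIRED_ATTRS = {"email", "surname", "givenName"}  # attribute contract, step 6 (assumed Names)
VSID = "https://sso-t.com/idp/SSO.saml2"            # Virtual Server ID format from step 4
ACS = "https://mydomain.searchstax.com/saml2/acs/"  # placeholder ACS URL (assumption)

# Constructed sample response; "surname" is deliberately missing.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion>
    <saml:Issuer>https://sso-t.com/idp/SSO.saml2</saml:Issuer>
    <ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData
        Recipient="https://mydomain.searchstax.com/saml2/acs/"/></saml:SubjectConfirmation></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>a@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def lint_response(xml_text, vsid, acs_url):
    """Return a list of configuration problems found in a decoded SAML response."""
    problems = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion element found"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != vsid:
        problems.append(f"Issuer {issuer!r} is not the Virtual Server ID")
    # Presence check only; this does not verify the signature cryptographically.
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed (step 8 Signature Policy)")
    recipients = [e.get("Recipient") for e in assertion.iter(f"{{{NS['saml']}}}SubjectConfirmationData")]
    if acs_url not in recipients:
        problems.append(f"Recipient {recipients} does not match the ACS URL")
    sent = {a.get("Name") for a in assertion.iter(f"{{{NS['saml']}}}Attribute")}
    for name in sorted(REQUIRED_ATTRS - sent):
        problems.append(f"missing attribute {name!r}")
    return problems

if __name__ == "__main__":
    for problem in lint_response(SAMPLE, VSID, ACS):
        print("FAIL:", problem)
```

An empty list means the response matches the Virtual Server ID, ACS URL, signing policy and attribute contract set up in steps 4 through 8.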

Login Using SSO

The Site Search sign-in screen provides a button at the bottom for SSO called "Sign-In With your ID Provider." Click this button.

SearchStax Site Search sign-in form with email and password fields, plus option to sign in using an ID provider.

Enter the domain that was set up for the client.

SearchStax Site Search sign-in form with subdomain field highlighted in red and Continue button.

Click Continue. This takes you to the PingFederate Sign-in page. After you authenticate, it brings you back to your Site Search Dashboard.

Alternatively, you can go directly to https://.searchstax.com to log in. Clicking "Sign-In With your ID Provider" takes you directly to PingFederate.

SSO + Two-Factor Authentication

A user can have both SSO and Two-Factor authentication set up. The 2FA settings for a user apply to all accounts that the user has access to.

However, for accounts with SSO set up, SearchStax 2FA settings won't apply. Instead, set up 2FA at the SSO Provider.
