This article will detail how you can use PingOne SAML with your FTP Today account.
You will need two browser windows/tabs for these steps.
Create the Identity Service at FTP Today
Log into your FTP Today Site. Navigate to Settings…Authentication…Identity Service. Click on Add Service.
Enter a name for the New Service and select “Ping Identity SAML” as the provider and Save.
Create the Application at Ping
Locate the Redirect URL and Logo Download.
Log into Ping, select Connections and Add application.
Select Web App and Configure for SAML.
Enter a name and description for the application. Download the logo from your FTP Today Site and upload to Ping. Then select Next.
Copy the ACS URL and Entity ID to Ping. Select Sign Assertion & Response, enter 60 for Assertion Validity Duration and select Save and Continue.
Select Username for the PingOne User Attribute to be provided as the saml_subject, then Save and Close.
Enable the application for user access.
Configure the Identity Service at FTP Today
In the PingOne portal, select Configuration for the App you created. Locate the IdP Metadata URL.
On your FTP Today Site, select “I want to use a Metadata URL to set this configuration.”, copy the IdP Metadata URL from PingOne and Save.
Assign the user to the application at Ping Identity
Add the user at FTP Today
In your FTP Today site, navigate to the Users area and select Add User.
Enter the username as set up in the Ping Identity service and select the identity service you created. Complete the rest of the fields as needed and Save.
Ping Identity supports an advanced security feature that offers further user verification. You may register the user with a unique identifier from Ping Identity. In addition to matching the User Name to identify the user, we will match the Ping Identity User ID for that user. Ping Identity must be configured to provide the User ID Value.
Select Attribute Mappings, then Edit.
Select Add Attribute and PingOne Attribute.
Select User ID as the PingOne User Attribute, enter “userid” as the Application Attribute, check Required and Save.
Navigate to the user at Ping Identity, select API and locate the User ID.
Paste the Ping Identity User ID into the IdP User Unique Identifier and Save.
If the user already exists in your FTP Today site, you may change these settings on the Authentication tab for the user.
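To confirm the settings above took effect (Sign Assertion & Response, the 60-second validity, Username as saml_subject, and the "userid" attribute), an administrator can inspect the base64 SAMLResponse form field the browser posts to the ACS URL during a test login. The following is an added example, not FTP Today or Ping Identity code. The sample response, the user "jdoe", and the ID value are constructed, and the script assumes the validity duration appears as the Conditions NotBefore/NotOnOrAfter window and that Encrypt Assertion is off.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample (not real PingOne output); signature elements are empty placeholders.
SAMPLE_XML = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <ds:Signature/>
 <a:Assertion><ds:Signature/>
  <a:Subject><a:NameID>jdoe</a:NameID></a:Subject>
  <a:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:01:00Z"/>
  <a:AttributeStatement><a:Attribute Name="userid">
   <a:AttributeValue>00000000-0000-0000-0000-000000000001</a:AttributeValue>
  </a:Attribute></a:AttributeStatement>
 </a:Assertion>
</p:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def _ts(value):
    # SAML timestamps are UTC with a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def inspect_response(b64_response):
    """Extract the fields this guide configures. Does NOT verify signatures."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("a:Assertion", NS)
    cond = None if assertion is None else assertion.find("a:Conditions", NS)
    if cond is None:
        raise ValueError("no plaintext Assertion with Conditions (Encrypt Assertion may be on)")
    attrs = {el.get("Name"): (el.findtext("a:AttributeValue", namespaces=NS) or "").strip()
             for el in assertion.iterfind("a:AttributeStatement/a:Attribute", NS)}
    return {
        "subject": (assertion.findtext("a:Subject/a:NameID", namespaces=NS) or "").strip(),
        "userid": attrs.get("userid"),
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
        "window_seconds": (_ts(cond.get("NotOnOrAfter")) - _ts(cond.get("NotBefore"))).total_seconds(),
    }

def config_problems(info, username, idp_user_id, max_window=60):
    """Compare parsed fields with the FTP Today user record; return mismatches."""
    checks = [
        (info["subject"] == username, "saml_subject does not match the username"),
        (info["userid"] == idp_user_id, "userid attribute missing or not the registered User ID"),
        (info["response_signed"] and info["assertion_signed"], "response and assertion are not both signed"),
        (info["window_seconds"] <= max_window, "validity window exceeds the configured duration"),
    ]
    return [message for ok, message in checks if not ok]
```

An empty list from `config_problems` means the response carries what the FTP Today user record expects; the script only checks that signature elements are present, not that they are cryptographically valid.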
User access through FTP Today
Navigate to the site and enter the username and click Next.
There will be a brief “Authenticating” message.
If the user does not have an open session with Okta, they will have to authenticate.
The user will now be logged into your FTP Today Site.
User access at Ping Identity
Ping Identity does not provide this feature.
Ending the session
When done, the user may log out of the FTP Today site or allow the session to expire. This will not log the user out of Ping Identity or any other services authenticated through Ping Identity.
Ping Identity does not support Global Logout for authenticated applications. Logging out of Ping Identity directly will not log the user out of the FTP Today site; the normal session timeout will apply.
The session timeout on the FTP Today Site may log the user out of the site even if they are still logged in at Ping Identity. In that case, after entering their username they will be immediately authenticated to the site.
Encrypting the SAML response
This is an advanced setting required for FIPS compliance. At your FTP Today Site, navigate to the Identity Service, toggle the “Encrypt Assertion” to on and Save.
You will now see an Encryption Certificate link near the page bottom. Download and save the Certificate.
At your Ping Identity site, navigate to the FTP Today application you created. Select Configuration and select Edit.
Expand SAML SETTINGS. Under ENCRYPTION, check Enable Encryption, select AES_256 for ALGORITHM. Download the certificate from your FTP Today site and upload to Ping Identity. Then Save.