How to enroll NetBackup Primary server as a service provider to PingFederate (Release 11.0 and later)
Description
This article describes how to enroll the NetBackup primary server as a service provider (SP) in PingFederate.
Step 1 - Create an SP Connection Profile.
1. Log on to the PingFederate Admin Console, click the SYSTEM link and select the Protocol Metadata menu option.
2. After providing the required information under "Metadata Settings" according to your organization's settings, click the "Metadata Export" link.
- Select the "I AM THE IDENTITY PROVIDER (IDP)" option under Metadata Role. Click Next.
- Select the "SELECT INFORMATION TO INCLUDE IN METADATA MANUALLY" option in the "Metadata Mode" tab. Click Next.
- Under the Protocol tab, select SAML 2.0 from the drop-down list. Click Next. Do not change anything in the "Attribute Contract" tab; click Next.
- Select the configured certificate from the drop-down in the "Signing-Key" tab.
- Select the certificate for signing from the drop-down and choose "RSA SHA256" from the "SIGNING ALGORITHM" drop-down. Click Next.
- Select the certificate in the ENCRYPTION CERTIFICATE drop-down under the "XML Encryption Certificate" tab. Click Next.
- Review the summary and click "Export" to download the IdP metadata.
The exported file is the IdP metadata used in the next step.
3. Use the IdP XML metadata file to add the IdP configuration on the NetBackup primary server.
Refer to the "Configure NetBackup for Single Sign-On" section of the NetBackup Web UI Administrator's Guide for detailed steps to configure the IdP metadata XML on the primary server.
4. After configuring the IdP metadata XML on the primary server, download the NetBackup primary server metadata from https://<primary server>/netbackup/sso/saml2/metadata.
5. Click IdP Configuration > SP Connections > Create New. The SP Connections page opens.
6. Click "DO NOT USE A TEMPLATE FOR THIS CONNECTION" under the Connection Template tab. This option depends on the PingFederate release and might not be available in some releases. Click Next.
7. Select BROWSER SSO PROFILES under Connection Type and SAML 2.0 as the PROTOCOL.
8. In the Connection Type tab, select Browser SSO Profiles.
9. Under the Import Metadata tab, select FILE, upload the NetBackup primary server metadata file (sp-metadata.xml) and click Next.
10. Review the Metadata Summary, including the Entity ID, and click Next. Review the General Information under the General Info tab.
Step 2 - Configure Browser SSO Settings
1. Click Configure Browser SSO.
2. Select SP-INITIATED SSO.
3. Click Next. The Assertion Lifetime tab opens.
4. Click Next. The Assertion Creation page opens.
5. Click Configure Assertion Creation. The Assertion Creation wizard opens.
6. Click Next. The Attribute Contract page opens.
7. Add the SAML attributes to the Attribute Contract. The IdP sends these attributes in the SAML assertion.
8. These contract attributes must match what you provided when configuring the IdP metadata on the primary server. If you did not specify custom attribute names with the -u and -g options of nbidpcmd, provide the userPrincipalName and memberOf attributes as shown in the screenshot above.
9. Click Next. The Authentication Source Mapping tab opens.
10. Click Map New Adapter Instance. The adapter configuration screen opens. If you have already configured an adapter, select it from the drop-down list; otherwise configure a new one.
11. If you opt to configure a new adapter instance, click Create New.
12. In Password Credential Validator Instance, select your configured validator instance. We configured it with the name "LDAPValidator", so that is the one selected in the drop-down.
13. Under Extended Contract, add the fields that were configured in the IdP configuration on the primary server with the -u and -g options. The defaults are userPrincipalName and memberOf.
14. Click "Adapter Contract Mapping" and select the attribute source. I configured Active Directory with the PingFederate instance and selected it from ACTIVE DATA STORE.
Note: In this configuration I used on-premises AD as the data source; the configuration differs for other types of data sources. Configure the data store as appropriate for your environment.
15. Enter your AD search according to your configuration. A sample is shown below for reference.
16. Click on save and complete the following configuration steps:
17. If you have already configured the attribute source and do not want to import from multiple sources, choose the third option, "USE ONLY THE ADAPTER CONTRACT VALUES IN SAML ASSERTION".
18. Fill out the Attribute Contract Fulfillment, and save the configuration.
19. Click Protocol Settings to configure the Browser SSO Protocol Settings, SSO service URLs, and SAML bindings.
20. Click Configure Protocol Settings and complete the following steps:
21. Verify the Assertion Consumer Service URL. The endpoint URLs for the POST bindings are populated automatically from the metadata; if not, enter the URL manually. The URL is the same for both bindings.
22. Click Next. The Encryption Policy Settings tab opens. Also select "ALWAYS SIGN ASSERTION".
23. Click Next. Review the protocol setting.
24. Click Done.
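Steps 8, 21 and 22 above fix three properties of every SAML response PingFederate will POST to the primary server: the Destination must be the Assertion Consumer Service URL, the assertion must be signed, and the attribute contract must carry userPrincipalName and memberOf (the nbidpcmd defaults). The following added example (not part of the article or of NetBackup) checks those three properties structurally on a constructed response; the ACS URL is a placeholder, since the article only gives the /metadata path, and the cryptographic signature check itself is left to the SP.

```python
# Added example (not from the article or Veritas): structural checks on a
# SAML 2.0 Response as PingFederate would POST it to the NetBackup ACS.
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Attribute contract the primary server expects when nbidpcmd was run
# without custom -u / -g options (step 8 above).
REQUIRED_ATTRIBUTES = {"userPrincipalName", "memberOf"}
# Assumed ACS URL: the article only gives the /metadata path, so this is a placeholder.
ACS_URL = "https://primary.example.com/netbackup/sso/saml2/acs"

def check_response(xml_text, expected_acs_url, required=REQUIRED_ATTRIBUTES):
    """Return a list of findings; empty means the response satisfies the
    contract. Signature presence is checked structurally only; the SP does
    the cryptographic verification against the IdP metadata certificate."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("Destination") != expected_acs_url:
        findings.append(f"Destination {root.get('Destination')!r} != ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no plaintext Assertion (missing or encrypted)")
        return findings
    if assertion.find("ds:Signature", NS) is None:
        findings.append("Assertion not signed (ALWAYS SIGN ASSERTION not in effect)")
    present = {a.get("Name") for a in assertion.iterfind(".//saml:Attribute", NS)}
    if required - present:
        findings.append(f"attribute contract missing: {sorted(required - present)}")
    return findings

# Constructed sample response, not captured from a real PingFederate instance.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" Destination="{ACS_URL}">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <ds:Signature><ds:SignatureValue>c2lnbmVk</ds:SignatureValue></ds:Signature>
    <saml:AttributeStatement>
      <saml:Attribute Name="userPrincipalName">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="memberOf">
        <saml:AttributeValue>CN=NBU-Admins,OU=Groups,DC=example,DC=com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

Run `check_response(SAMPLE_RESPONSE, ACS_URL)` against a response captured from the browser (SAML tracer) to confirm the PingFederate configuration matches what the primary server expects before testing a real login.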
Step 3 - Configure Credentials
1. On the SP Connections page in the PingFederate administrative console, click Credentials.
2. Click Configure Credentials.
3. Click Digital Signature Settings.
4. Select the certificate to use for digital signature in SAML messages.
Step 4 - Review Configuration
To review the configuration, click the Activation & Summary tab.