To register StreamSets as
a service provider in PingFederate, use the IdP information that you retrieved from Control Hub to
create an SP connection in PingFederate.
When you create the SP connection, you specify the PingFederate IdP adapter and
credential validator that retrieve and authenticate users against a data store such
as LDAP. Any user added to the IdP adapter data store can log into StreamSets, as long as the user is invited to the Control Hub
organization using the data store email address.
Important: These instructions assume that your PingFederate installation
has an existing IdP adapter, credential validator, and signing certificate to
associate with new SP connections. If needed, create these objects in
PingFederate before creating the SP connection for
StreamSets. For more information, see the
PingFederate documentation.
These steps provide brief instructions to create an SP connection in
PingFederate. For detailed steps, see the PingFederate documentation.
- In the PingFederate administrative console, click .
- Click Create Connection.
- In the Connection Template tab, select Do not use a template for this connection, and then click Next.
- In the Connection Type tab, select Browser SSO Profiles and select SAML 2.0 for the protocol.
- Click Next.
- In the Connection Options tab, select Browser SSO and then click Next.
- In the Import Metadata tab, select File and then choose the metadata XML file that you downloaded from Control Hub.
- Click Next.
- In the Metadata Summary tab, verify that the entity ID matches the StreamSets Entity URI displayed in the IdP SAML Configuration section in your Control Hub organization SAML settings, and then click Next.
- In the General Info tab, enter general information for the SP connection. For example, you might enter StreamSets for the connection name and StreamSets DataOps Platform for the application name.
- Click Next.
- In the Browser SSO tab, click Configure Browser SSO.
- In the SAML Profiles tab in the Browser SSO page, select IdP-initiated SSO and SP-initiated SSO to enable both IdP-initiated and SP-initiated logins. If you plan to disable SP-initiated logins in your Control Hub organization settings, clear SP-initiated SSO. For more information, see IdP and SP-initiated Logins.
- Click Next.
- In the Assertion Lifetime tab, specify the assertion time frame and then click Next.
- In the Assertion Creation tab, click Configure Assertion Creation.
- In the Identity Mapping tab in the Assertion Creation page, select Standard and then click Next.
- In the Attribute Contract tab, select nameid-format:emailAddress for the SAML_SUBJECT attribute. Optionally, extend the attribute contract by adding user name attributes so that PingFederate passes user information to StreamSets. The user name attributes you add depend on how you configured the IdP adapter in PingFederate. For more information, see IdP Attribute Mappings. For example, the following image displays mappings for the required email address and the optional user names:
- Click Next.
- In the Authentication Source Mapping tab, click Map New Adapter Instance.
- Select your existing IdP adapter instance and verify that it includes the optional user name attributes that you configured in the attribute contract for the SP connection. For example, if you configured all of the optional user name attributes as described above, then your selected IdP adapter instance should display the following attributes:
- Click Next.
- In the Mapping Method tab, select Use only the Adapter Contract Values in the SAML Assertion, and then click Next.
- In the Attribute Contract Fulfillment tab, map the attributes configured for the SP connection to the values defined in the selected IdP adapter. The SAML_SUBJECT attribute must map to the IdP adapter attribute that contains the user email address. For example, in the following image, the username IdP attribute contains the email address:
- Click Next.
- In the Issuance Criteria tab, click Next.
- In the Summary tab, verify your configurations and then click Done.
- In the Authentication Source Mapping tab, click Next.
- In the Summary tab, verify your configurations and then click Done.
- In the Assertion Creation tab, click Next.
- In the Protocol Settings tab, click Configure Protocol Settings to configure the SP connection to encrypt the SAML assertion.
- In the Assertion Consumer Service URL tab, verify that the endpoint URL matches the Single Sign On URL displayed in the IdP SAML Configuration section in your Control Hub organization SAML settings, and then click Next.
- In the Allowable SAML Bindings tab, select only POST and REDIRECT.
- Click Next.
- In the Signature Policy tab, select Always Sign Assertion and Sign Response as Required.
- Click Next.
- In the Encryption Policy tab, select The Entire Assertion, and then click Next.
- In the Summary tab, verify your configurations and then click Done.
- In the Protocol Settings tab, click Next.
- In the Browser SSO Summary tab, verify your configurations and then click Done.
- In the Browser SSO tab, click Next.
- In the Credentials tab, verify that the encryption certificate matches the certificate displayed in the List of SAML Certificates section in your Control Hub organization SAML settings.
  Note: The encryption certificate is automatically imported with the StreamSets metadata XML file. However, if you do not enable assertion encryption in the previous steps, PingFederate removes the encryption certificate.
- Click Configure Credentials. Select the signing certificate that you use for PingFederate SP connections, and then click Next and then Done to return to the Credentials tab.
- Click Next.
- In the Activation & Summary tab, verify your configurations and then click Save.
- In the SP Connections page, locate the SP connection that you just created, and then click to download the PingFederate Metadata XML.
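Several steps above amount to comparing values in two metadata files with what Control Hub displays: the entity ID (Metadata Summary tab), the Assertion Consumer Service URL, the emailAddress name ID format, the encryption certificate that PingFederate silently drops when assertion encryption is off, and, in the PingFederate metadata you download at the end, the signing certificate and the POST and REDIRECT bindings. The following script is an added example, not StreamSets or PingFederate code, that performs those comparisons on the XML files so that a misconfiguration is caught before users are invited. The two sample metadata documents, the `example.invalid` URLs and the function names are constructed for this example; the SAML namespace, binding and name-ID-format URIs are the standard ones.

```python
"""Metadata checks for the SP connection described above (added example, not
StreamSets or PingFederate code). The sample documents and URLs are constructed
placeholders. Parse only metadata you downloaded yourself; for XML from an
untrusted source, use a hardened parser such as defusedxml."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed stand-in for the SP metadata XML downloaded from Control Hub.
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sch.example.invalid/saml/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sch.example.invalid/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed stand-in for the PingFederate metadata XML downloaded from the
# SP Connections page at the end of the procedure.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://pingfed.example.invalid/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIID...placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://pingfed.example.invalid/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://pingfed.example.invalid/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _has_cert(descriptor, use):
    """True if the role descriptor carries an X509Certificate for the given use."""
    return any(kd.get("use") == use and kd.find(".//ds:X509Certificate", NS) is not None
               for kd in descriptor.findall("md:KeyDescriptor", NS))


def check_sp_metadata(xml_text, expected_entity_id, expected_acs_url):
    """Compare the Control Hub SP metadata with the values shown in the IdP SAML
    Configuration section. Returns {check name: passed}."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return {"has_sp_descriptor": False}
    acs = sp.findall("md:AssertionConsumerService", NS)
    formats = [n.text.strip() for n in sp.findall("md:NameIDFormat", NS) if n.text]
    return {
        "has_sp_descriptor": True,
        # Metadata Summary step: entity ID must equal the StreamSets Entity URI.
        "entity_id_matches": root.get("entityID") == expected_entity_id,
        # Assertion Consumer Service URL step: must equal the Single Sign On URL.
        "acs_url_matches": any(a.get("Location") == expected_acs_url for a in acs),
        # SAML responses reach the ACS over HTTP-POST; anything else is unexpected.
        "acs_binding_is_post": bool(acs) and all(a.get("Binding") == POST_BINDING for a in acs),
        # Attribute Contract step: SAML_SUBJECT uses nameid-format:emailAddress.
        "nameid_format_is_email": EMAIL_FORMAT in formats,
        # Needed for "The Entire Assertion" encryption; PingFederate drops this
        # certificate when assertion encryption is not enabled.
        "has_encryption_cert": _has_cert(sp, "encryption"),
    }


def check_idp_metadata(xml_text):
    """Inspect the downloaded PingFederate metadata: a signing certificate must be
    present and the SSO bindings must be exactly POST and Redirect."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {"has_idp_descriptor": False}
    bindings = {s.get("Binding") for s in idp.findall("md:SingleSignOnService", NS)}
    return {
        "has_idp_descriptor": True,
        "entity_id": root.get("entityID"),
        "has_signing_cert": _has_cert(idp, "signing"),
        "bindings_are_post_and_redirect": bindings == {POST_BINDING, REDIRECT_BINDING},
    }


def failed_checks(results):
    """Names of the checks that failed (string-valued entries are informational)."""
    return sorted(k for k, v in results.items() if v is False)


if __name__ == "__main__":
    sp = check_sp_metadata(SAMPLE_SP_METADATA, "https://sch.example.invalid/saml/sp",
                           "https://sch.example.invalid/saml/acs")
    print("SP metadata problems:", failed_checks(sp) or "none")
    print("IdP metadata problems:",
          failed_checks(check_idp_metadata(SAMPLE_IDP_METADATA)) or "none")
```

Run it against the real files by replacing the two sample strings with the file contents and the two expected URLs with the StreamSets Entity URI and Single Sign On URL from your organization's SAML settings. An empty `has_encryption_cert` result on a freshly exported PingFederate-side copy of the SP metadata is the symptom of the note above: assertion encryption was not enabled and PingFederate removed the certificate.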