Authenticate to Simplelists using Ping Identity
Introduction
Implementing SAML Authentication for simplelists.com is described below.
Ping Identity Configuration
Log in to your Ping Identity Environment
- Log in to your Ping Identity Console and select your environment
Create SAML2 Application
- Click Connections
- Click Applications
- Click the next to Applications
- Enter an Application Name
- Optionally enter a Description
- Click SAML Application
- Click Configure
SAML Configuration (from Metadata)
- Select Import Metadata
- Click Select a file
- Locate the saml.xml that you downloaded from the Simplelists Authentication Provider above and click to select the file
- After the Metadata has been loaded Click Save
Download Metadata and Signing Certificate
- Click Configuration
- Click Download Metadata (save for upload to Simplelists)
- Click Download Signing Certificate
- Select X509 PEM (.crt) (save for upload to Simplelists)
- Click Save
Attribute Mappings
- Click Attribute Mappings
- Click the blue and white edit icon
Edit Attribute Mappings
- Click Add
- Add the following mappings
Attributes | PingOne Mappings |
saml_subject | Email Address |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | Given Name |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Family Name |
- Click Save
Enable SAML Application
- Toggle the Enable/Disable “toggle”
Testing Login
At this point you should have successfully configured basic SAML2 authentication.
- Open the Simplelists web page (https://www.simplelists.com)
- Click Login
- Enter your email address on the simplelists web page
- Enter your Ping enabled email address and click submit.
If everything is correctly configured you will be presented with the Ping login page.
- Enter the email address that you have enabled for Ping in simplelists
- Enter your password
- Click Sign On
You should be logged into the simplelists web page as your user.
Optional Settings
The following settings provide extra features that are not necessary if you are simply authenticating from the Simplelists web page.
Automatic User Creation
Simplelists supports automatic user creation both via the Simplelists website and via an IdP-initiated login (if configured). For automatic user creation from the Simplelists web page, you need to ensure that your domain name is configured in the Authentication Provider.
For information on Configuring Automatic User Creation in Simplelists see the help page.
Note: Groups must be configured and properly provided by Ping as in Group Support (below) in order for the user to be automatically created.
Group Support
Simplelists can use groups provided by the Ping provider to create users and manage their permissions. The following section assumes that you have existing groups in Ping for use with Simplelists. If not, create groups for the types of permissions that you would like to have. For instance, groups may be:
- SimpleLists-Administrator
- SimpleLists-ListManager
- SimpleLists-Billing Manager
Create Groups in Ping
- Click Identities
- Click Groups
- Click the next to Groups
- Enter the Group Name and click Save
Add users to the group
- Click Users
- Click Add Individually
- Search for a User
- Select the User
- Click Save
Ping Application Group Configuration
Add Group Memberships to the Application
- Access the SAML application you previously configured
- Edit the Attribute Mappings
- Click the edit icon
Edit Attribute Mappings
- Click Add
- Add the following mapping to the existing mappings
Attributes | PingOne Mappings |
http://schemas.microsoft.com/ws/2008/06/identity/claims/groups | Group Names |
IdP Initiated Login
Simplelists supports IdP-initiated login, that is, login that is initiated by selecting the Simplelists application on the user’s Ping Application Portal. Selecting the application on the portal page redirects to the Simplelists web page, where the user is automatically logged into the application.
- Open the Ping SAML application that you created
- Click Connections
- Click Applications
- Click on the Simplelists application
- Edit the Configuration
- Click Configuration
- Click the blue and white edit icon
- Enter the RelayState value from the Simplelists Authentication provider in the Target Application URL field (example: v0aWiPupDsvdBitylxpcGxtfE0FKYc2z)
- Click Save
Require Signed AuthnRequests
Note: Requiring Signed AuthnRequests may break the ability to initiate login to Simplelists from the Ping Application Portal if you have configured that functionality.
- Open the Ping SAML application that you created
- Click Connections
- Click Applications
- Click on the Simplelists application
- Edit the Configuration
- Click Configuration
- Click the blue and white edit icon
- Select Enforce Signed AuthnRequest
- Click Save
Enable Encrypted Assertions
Encrypted assertions are supported by Simplelists and allow you to increase the security of your authentication.
Edit the SAML Application
- Click Configuration
- Click the blue and white edit icon
Set Required Encryption Settings
- Click Sign Assertion & Response
- Click Enable Encryption
- Choose AES_256 from the Algorithm drop down
- Select Import
- Click Choose File
- Select the Simplelists Signing Certificate simplelists.cer that you downloaded above
- Click Save
Test login with encrypted assertions
Simply log in to the Simplelists website and verify that you are able to log in. You can verify that the Assertion is encrypted by viewing it using a SAML Message decoder plugin for your browser; see the Troubleshooting section.
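A scripted version of the check above, as an added example that is not part of the Simplelists or Ping documentation: it takes the base64 SAMLResponse form value posted to Simplelists during login (copied from the browser's network tools) and reports whether the assertion is encrypted, which data encryption algorithm is declared, and which of the attributes mapped in this guide are still readable. The function name and the two sample responses are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
# Attribute names mapped in PingOne earlier in this guide.
MAPPED = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
}

def inspect_saml_response(b64_value):
    """Report what is readable in a base64 SAMLResponse form field.

    Inspection only: it does not validate signatures or decrypt anything.
    """
    xml = base64.b64decode(b64_value)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("refusing to parse DTD/entity declarations")
    root = ET.fromstring(xml)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    plaintext = root.findall("saml:Assertion", NS)
    # Direct child of EncryptedData = the data (not key transport) algorithm.
    algorithms = [m.get("Algorithm") for m in root.iterfind(
        "saml:EncryptedAssertion/xenc:EncryptedData/xenc:EncryptionMethod", NS)]
    readable = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    return {
        "encrypted": bool(encrypted) and not plaintext,
        "algorithms": algorithms,
        "readable_attributes": sorted(readable & MAPPED),
    }

# Constructed sample responses (not captured from PingOne or Simplelists).
HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">')
GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
PLAIN = base64.b64encode((HEAD + '<saml:Assertion><saml:AttributeStatement>'
    f'<saml:Attribute Name="{GROUPS}"/></saml:AttributeStatement>'
    '</saml:Assertion></samlp:Response>').encode())
ENCRYPTED = base64.b64encode((HEAD + '<saml:EncryptedAssertion>'
    '<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">'
    '<xenc:EncryptionMethod '
    'Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>'
    '</xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>').encode())

if __name__ == "__main__":
    print(inspect_saml_response(PLAIN))
    print(inspect_saml_response(ENCRYPTED))
```

With encryption enabled, `encrypted` should be true and `readable_attributes` empty; any mapped attribute still listed means user or group data is visible to whatever handles the browser POST.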