Tags: single-sign-on, okta, pingfederate, hyperion

Using Pingfederate as an SP and Okta as IDP


So I'm tasked with enabling SSO for a client's Oracle Hyperion application. The approach I'm going with is custom header-variable-based SSO.

PingFederate currently exists as the SSO authentication server for many applications, and the plan is to use it to act as an SP for the target application while it (the Pingfed SP) retrieves attributes and authenticates users from the Okta IdP.

I am relatively new to the process, as you might have guessed, and am looking for clarification on how I can configure:

  1. SP-initiated SSO from Pingfed, and retrieve the user attributes from the Okta IdP connection.

  2. How I can map the attributes from the SAML assertion sent from Okta to the Pingfed SP into an OpenToken for my target application.

Thanks in advance


Solution

  • For your first question - how to configure SP-initiated SSO from Pingfed and retrieve the user attributes from the Okta IdP connection. If you are using OpenToken, which is a custom adapter, you can download it from the PingFederate download site, refer here. This custom adapter is the OpenToken Adapter that transfers user attributes between the application and the PingFederate server. On the SP side, the OpenToken Adapter can be used to transfer user-identity information to the target SP application. On the IdP side, the OpenToken Adapter allows the PingFederate server to receive the user's identity from the IdP application.

    Here is a note from PingFederate about the OpenToken Adapter. Note: To integrate applications for use with the OpenToken Adapter, download an integration kit for PingFederate from the Ping Identity Downloads website and follow the instructions for installing and using Agent Toolkits in the accompanying documentation. Follow the configuration instructions in this topic to set up the OpenToken Adapter for use with your applications.

  • For your second question - how to map the attributes from the SAML assertion sent from Okta to the Pingfed SP into an OpenToken for my target application. For SAML connections, the IdP application can provide an authentication context to the service provider (SP) by including the authnContext attribute with the desired value in the secure token. The OpenToken doc will provide you with more info on authnContext.

    Here is a definition of authnContext - authentication context is defined as the information, additional to the authentication assertion itself, that the relying party may require before it makes an entitlements decision with respect to an authentication assertion. Such context may include, but is not limited to, the actual authentication method used. Here is configuring Authn Context in PingFederate.