PingFederate (Ping Identity)

PingFederate is an identity and access management solution that enables secure single sign-on, identity federation, and authentication across multiple applications and platforms, supporting protocols like SAML, OAuth, and OpenID Connect. You can use PingFederate to enable secure single sign-on (SSO) and federated identity management for authentication across Firebolt.

To integrate PingFederate with Firebolt’s platform, you need to configure both an PingFederate application for Firebolt and Firebolt’s SSO for PingFederate. Detailed instructions can be found in the following sections:

Configure PingFederate application

  1. Select Applications in the administration menu. Then on the Applications page, select + to create a new application.
  2. Type in the application name (for instance, Firebolt) and description. Then select SAML Application, and select Configure.
  3. Choose Manually Enter to provide application metadata.
    • Fill the ACS URLs field with a URL in the following format: https://id.app.firebolt.io/login/callback?connection=<organization_name>-<provider>&organization=<organization_identifier> For example: https://id.app.firebolt.io/login/callback?connection=acmeorg-pingfederate&organization=org_82u3nzTNQPA8RyoM

      <org_name> represents the Organizational name used to create your Firebolt Account. The org name is referenced in your vanity URL.
      <provider> represents the provider we’re configuring as our IdP. <organization_identifier> is the unique identifier for your Organization. To retrieve your <organization_identifier>, you can navigate to Configure > SSO in the Firebolt UI, and Click Copy organization SSO identifier.

    • Fill in Entity ID with the value: urn:auth0:app-firebolt-v2:<organization_name>-<provider>, where
    • <organization_name> is the name of the organization in Firebolt, and
    • <provider> is the provider value set in Firebolt configuration step For example: urn:auth0:app-firebolt-v2:acmeorg-pingfederate
  4. Select Save.
  5. From the Configuration tab:
    • Download the signing certificate in X509 PEM format
    • Save the value of Single SignOn Service
  6. Open the Attribute Mappings tab, and edit the saml_subject PingOne Mapping to map to Email Address. Then Save.

Configure Firebolt for PingFederate

Once your Identity Provider(IdP) is configured, you can now configure Firebolt to integrate with your IdP. This can be done either using the Firebolt UI, or using SQL.

UI

  1. To configure the Firebolt SSO integration with PingFederate using the UI, Navigate to Configure > SSO in Firebolt.

  2. Once there, enter your Sign-on URL, Issuer, Provider, Label, Certificate, and field-mappings, where

  • signOnUrl: The sign-on URL, provided by the SAML identity provider, to which Firebolt sends the SAML requests. The URL is IdP-specific and is determined by the identity provider during configuration.
  • signoutUrl(optional): The sign-out URL, provided by the application owner, to be used when the user signs out of the application. In Pingfederate, you can retrieve this value by copying the Single Logout Service URL found in Application > Configuration.```
  • issuer: A unique value generated by the SAML identity provider specifying the issuer value.
  • provider: The provider’s name - for example: PingFederate.
  • label: The label to use for the SSO login button. If not provided, the Provider field value is used.
  • certificate: The certificate to verify the communication between the identity provider and Firebolt. The certificate needs to be in PEM or CER format, and can be uploaded from your computer by choosing Import certificate or entered in the text box.

  • field mapping: Mapping to your identity provider’s first and last name in key-value pairs. If additional fields are required, choose Add another key-value pair. Mapping is required for Firebolt to fill in the login’s given and last names the first time the user logs in using SSO. Here’s an example of how to set up field mapping:

    ```json  
  {
      "given_name": "name",
      "family_name": "surname"
  }
```

where the "given_name" (first name) is mapped to the "name" field from the IDP, and the "family_name" (last name) is mapped from the "surname" field.
  3. Choose **Update changes**
SQL

Values for SQL to create the SSO connection are as follows:

ALTER ORGANIZATION acmeorg SET SSO = '{
  "signOnUrl": "https://auth.pingone.eu/74d536da-4d98-4fdd-83ae-63af461eb826/saml20/idp/sso",
  "issuer": "pingfederate",
  "provider": "pingfederate",
  "label": "PingFederate Company App",
  "certificate": "<certificate>"
}';

where

  • signOnURL is the Single Sign On Service URL obtained during PingFederate configuration,
  • issuer is the name of the issuer, ‘pingfederate’ in this case,
  • provider is the IdP name, ‘pingfederate’ in this case,
  • label is the text that will appear on the Sign in form (this defaults to <organization_name>-<provider if a value is not provided, for instance ‘acme-pingfederate`)
  • certificate is the X.509 certificate in PEM format downloaded in setup.