
PingFederate IdP factor MFA integration

Arculix integrates with PingFederate to enable increased security with Arculix's intelligent Multi-factor Authentication. This integration uses PingFederate's IdP Adapter Plugin feature to enable Arculix intelligent MFA. This allows administrators to configure their PingFederate SSO applications to require Arculix's Smart MFA before authenticating users.

Prerequisites

  • An Arculix account with a configured Identity Provider.

  • A user with administrative privileges for the PingFederate admin panel.

  • A user with administrative privileges for the Arculix services.

  • The Arculix SAML Metadata XML file for your account.

  • The Arculix PingFederate IdP Adapter.

Install the Arculix PingFederate IdP Adapter plugin

  1. Download the Arculix PingFederate IdP Adapter plugin JAR file from the Arculix Download Center.

  2. Install the JAR file in the deploy directory for your PingFederate instance.

  3. Restart the PingFederate server.

Add a new IdP Adapter instance

In the PingFederate admin panel, add a new IdP Adapter instance.

  1. Download the SAML metadata and certificate for your organization from Arculix.

    Metadata download: https://sso.arculix.com/<myorganization>/saml/download/metadata

    View metadata: https://sso.arculix.com/<myorganization>/saml/metadata

    Certificate download: https://sso.arculix.com/<myorganization>/saml/download/cert

  2. Log in to the PingFederate admin panel.

  3. Select Authentication > IdP Adapters > Create New Instance.

  4. In the Type section, set the following:

    Instance Name

    Enter a unique name.

    For example, Arculix.

    Instance Id

    Enter a unique ID.

    For example, arculix.

    Type

    Set to Arculix IdP Adapter.

    Parent Instance

    Set to None.

  5. Click Next.

  6. In the IdP Adapter section, set the following:

    Application Issuer ID

    Enter a unique ID.

    For example, PingFederate Arculix Plugin.

    Application Metadata File

    Upload the Arculix metadata file downloaded in Step 1.

    SP Certificate

    Select an existing certificate or click Manage Signing Certificates to create a new one.

  7. Click Next.

  8. In the Extended Contract section, click Next.

  9. In the Adapter Attributes section, set the following:

    Unique User Key Attribute

    Set to email.

    email

    Select the Pseudonym check box.

  10. Click Next.

  11. Click Configure Adapter Contract and do the following:

    1. In the Attribute sources & User Lookup section, click Next.

    2. In the Adapter Contract Fulfillment section, set the following:

      arculix_result

      Set to Adapter.

      email

      Set to Adapter.

      username

      Set to Adapter.

    3. Click Next.

    4. In the Issuance Criteria section, click Next.

    5. Click Done.

  12. Click Next.

  13. Click Save.
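As an added example (not Arculix's or Ping Identity's code), a Python check to run over the metadata downloaded in step 1 before uploading it in step 6: it extracts the entityID, SSO endpoints and signing-certificate fingerprint that PingFederate will rely on, and refuses metadata that carries no signing key. The sample metadata, its entityID, SSO URL and certificate bytes are constructed placeholders.

```python
"""Pre-upload check for the Arculix SAML IdP metadata that goes into the adapter's
Application Metadata File field: entityID, SSO endpoints and signing-cert fingerprints."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def inspect_idp_metadata(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not IdP metadata")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # No 'use' attribute means signing+encryption; an encryption-only key cannot
        # verify the assertion signatures PingFederate receives from Arculix.
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(c.text.split()))  # drop PEM line wrapping
            fingerprints.append(hashlib.sha256(der).hexdigest())
    if not fingerprints:
        raise ValueError("no signing certificate: assertions could not be verified")
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    if not sso:
        raise ValueError("no SingleSignOnService endpoint")
    return {"entity_id": root.get("entityID"), "sso": sso,
            "signing_cert_sha256": fingerprints}

def is_rejected(xml_text: str) -> bool:
    try:
        inspect_idp_metadata(xml_text)
    except ValueError:
        return True
    return False

FAKE_CERT_DER = b"constructed placeholder bytes, not a real X.509 certificate"  # constructed
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sso.arculix.com/myorganization/saml/metadata">
  <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://sso.arculix.com/myorganization/saml/sso"/></md:IDPSSODescriptor>
</md:EntityDescriptor>"""
# Same constructed document with an encryption-only key, which the check must reject.
ENCRYPTION_ONLY_METADATA = SAMPLE_METADATA.replace('use="signing"', 'use="encryption"')
```

Compare the printed fingerprint with the certificate downloaded separately from the certificate URL in step 1 before trusting the upload.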

Add chained adapter

To run Arculix MFA after the primary authentication, chain the primary adapter and the Arculix adapter in a Composite Adapter.

  1. Select Authentication > IdP Adapters > Create New Instance.

  2. In the Type section, set the following:

    Instance Name

    Enter a unique name.

    For example, Chained Arculix.

    Instance Id

    Enter a unique ID.

    For example, chained.

    Type

    Set to Composite Adapter.

    Parent Instance

    Set to None.

  3. Click Next.

  4. In the IdP Adapter > Adapters section, do the following:

    1. Click the Add a new row to 'Adapters' link.

    2. Set Adapter Instance to HTMLFormPD (or your primary authentication adapter).

    3. Click Update.

    4. Click the Add a new row to 'Adapters' link.

    5. Set Adapter Instance to your adapter instance. For example, Arculix.

    6. Click Update.

  5. In the IdP Adapter > Input User ID Mapping section, do the following:

    1. Click the Add a new row to 'Input User ID Mapping' link and set the following:

      Target Adapter

      Set to HTMLFormPD (or your primary authentication adapter).

      User ID Selection

      Set to username.

    2. Click Update.

    3. Click the Add a new row to 'Input User ID Mapping' link and set the following:

      Target Adapter

      Set to your adapter instance.

      For example, Arculix.

      User ID Selection

      Set to email.

    4. Click Update.

  6. Click Next.

  7. In the Extended Contract section, do the following:

    1. Under Extend the Contract, enter username.

    2. Click Add.

    3. Under Extend the Contract, enter email.

    4. Click Add.

  8. Click Next.

  9. In the Adapter Attributes section, set the following:

    Unique User Key Attribute

    Set to email.

    email

    Select the Pseudonym check box.

  10. Click Next.

  11. Click Configure Adapter Contract and do the following:

    1. In the Attribute sources & User Lookup section, click Next.

    2. In the Adapter Contract Fulfillment section, set the following:

      arculix_result

      Set to Adapter.

      email

      Set to Adapter.

      username

      Set to Adapter.

    3. Click Next.

    4. In the Issuance Criteria section, click Next.

    5. Click Done.

  12. Click Next.

  13. Click Save.

Add application to Arculix

Add PingFederate IdP Factor as a service provider in the Arculix admin panel. Some of the required values (the Application Issuer ID, login URL, and certificate) come from PingFederate.

  1. Log in to Arculix with an administrative account and go to Applications.

  2. Click Create New Application.

  3. In the New Application form, on the General tab, set the following configurations:

    Name

    Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.

    For example, PingFederate.

    Type

    Set to SAML Service Provider.

    Out of Band Methods

    Select the allowed methods end users can choose to approve MFA requests.

    For example, Arculix Mobile app (push notifications), SMS, or Security Key.

    Message for MFA Requests

    (Optional) Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.

  4. Select the SAML Service Provider Configuration tab, and set the following configurations:

    Upstream IdP

    Select the check box.

    Issuer or Entity ID

    Enter the Application Issuer ID provided by PingFederate.

    Log in URL

    Enter the URL provided by PingFederate.

    Metadata URL

    Leave blank.

    Username Field for Upstream IdP

    Set to mail.

    ACS URL

    Leave blank.

    Certificate

    Enter the X.509 public certificate provided by PingFederate.

  5. Save your changes.

User Experience

  1. After the admin has enabled IdP factor MFA, the user will be prompted to add this custom factor on their next login via PingFederate.

  2. The user then selects the IdP Factor option and is taken to a QR pairing screen.

  3. They can then download the Arculix Mobile application from Google Play Store or Apple App Store.

  4. The user opens the mobile application and is prompted to scan the displayed QR code.

  5. After scanning the QR code, the user's device is paired.

  6. On subsequent authentication attempts, PingFederate asks the user to confirm the IdP factor MFA and takes them to the MFA method selection.

  7. Upon approval of MFA, the user will be authenticated to their application.