We are trying to integrate SSO sign-in with the customer's IdP and are facing some issues.
The customer is using PingFederate, which is the on-premise version of Ping Identity.
We know this is an unsupported platform, but since the customer can change the configuration on the IdP side, they would like to try the integration.
We have configured our org to connect to the customer's IdP using Ping SSO.
We also configured the customer's IdP as per the documentation for Ping SSO.
When performing authentication using Ping Identity on the login page, after entering the credentials on the customer's IdP page, the redirection to PureCloud fails to complete and we get the error page asking us to contact the administrator.
Looking at the SAML exchange, we cannot understand why this is failing on the PureCloud side. There may be some missing fields.
I have logged a ticket to request logs from the PureCloud application to understand the reason for the failure, but the support team indicated they cannot assist with collecting the logs or giving us the reason for the failure, and suggested we reach out to the developer forum.
Would it be possible to provide us with additional logs or the reason for the failure?
The case number is 0002295494; it contains the SAML exchange, including the time of the test.
I see, thanks for the information. I have been told the opposite...
I noticed that in the request, PureCloud sets the NameID policy to transient:
<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
The IdP returns an "encrypted" NameID, so I am wondering how PureCloud can link the request back to the user.
Can you help us confirm which field in the SAML response is used to identify the user once authenticated when using Ping Identity as SSO?
Alternatively, do you have an example of a SAML response we can use as a reference?
I've asked the auth team to take a look. They have asked for the correlation id from the redirect issued by Ping to PureCloud. Can you provide that please?
Did you manage to get more information with the information I provided?
Following further investigation, the customer set up a PingOne test account and managed to complete the integration, and we noticed that in the NameID, PingOne puts the email in clear, whereas the field is set to urn:oasis:names:tc:SAML:2.0:nameid-format:transient.
It looks like this confuses PingFederate, which seems to put a random value.
The customer would like to know the reason for requesting a transient value for the NameID and if there is a way to request an email instead.
Some IdPs always set the subject to their user ID; the way to get around that is to add the user's email address as the SAML parameter "email", the same way as they do with "OrganizationName".
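To make the point above concrete, here is an added example (not PureCloud's or the thread's code) that inspects a SAML Response, reads the NameID format and the assertion attributes, and keys the user on the "email" attribute whenever the NameID is transient. The embedded response, its issuer, IDs and values are constructed for illustration.

```python
# Added example (not PureCloud's or the thread's code). Inspects a SAML Response
# to see which value identifies the user. The response below is constructed.
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:Issuer>https://idp.example.invalid</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_opaque-9f2c</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="email">
        <saml2:AttributeValue>alice@example.invalid</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="OrganizationName">
        <saml2:AttributeValue>example-org</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def parse_subject(response_xml: str) -> dict:
    """Return NameID format/value plus a {name: [values]} attribute map.
    For real IdP responses parse with defusedxml to block entity expansion."""
    root = ET.fromstring(response_xml)
    name_id = root.find(".//saml2:Subject/saml2:NameID", NS)
    attrs = {}
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
    return {
        "nameid_format": name_id.get("Format") if name_id is not None else None,
        "nameid_value": (name_id.text or "").strip() if name_id is not None else None,
        "attributes": attrs,
    }


def user_identifier(response_xml: str) -> str:
    """Value the SP should key the user on: a transient NameID is an opaque
    per-session handle, so fall back to the "email" attribute as the thread advises."""
    info = parse_subject(response_xml)
    if info["nameid_format"] != TRANSIENT and info["nameid_value"]:
        return info["nameid_value"]
    emails = info["attributes"].get("email", [])
    if not emails or not emails[0]:
        raise ValueError("transient NameID and no 'email' attribute in assertion")
    return emails[0]
```

Running `parse_subject` on a captured response from PingFederate shows at a glance whether the assertion carries an "email" attribute at all, which is the first thing to check when the NameID comes back as a random value.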