PingFederate

Download the SSO settings for your iManage environment

Before you begin, download the settings in XML format for your iManage environment. These settings are used to configure PingFederate for your iManage environment.

In iManage Control Center, navigate to Network & Security > Authentication & SSO, then select Download XML.

Figure: Download XML option in iManage Control Center

Configure SSO in PingFederate

Complete the following steps in PingFederate to configure single sign-on for iManage users:

  1. Sign in to the PingFederate administrator console.

  2. Navigate to SP Configuration.

  3. To create a new SP Connection, select Create Connection.

    NOTE:

    When migrating from the Identity Provider (Legacy) SAML SSO to the Service Provider (Recommended) SAML SSO configuration in iManage Control Center, we recommend that you do not modify an existing connection in PingFederate. Creating a new SP connection in PingFederate enables you to preserve your existing SSO application and roll back to it if the need arises.

  4. On the Connection Template tab, select Do not use a template for this connection, and then select Next.

  5. On the Connection Type tab, select Browser SSO Profiles, specify SAML 2.0, and then select Next.

  6. On the Connection Options tab, select Next.

  7. On the Import Metadata tab, select File.

    1. Select Choose File.

    2. Select the XML file you downloaded from iManage Control Center.

    3. Select Open, and then select Next.

  8. On the Metadata Summary tab, the information from the XML file is displayed. Confirm the information, and then select Next.

  9. On the General Info tab, confirm the information displayed, and then select Next.

  10. On the Browser SSO tab, select Configure Browser SSO.

    1. For both Single Sign-on Profiles and Single Logout Profiles, select SP-initiated SSO, and then select Next.

    2. On the Assertion Lifetime tab, select Next.

    3. On the Assertion Creation tab, select Configure Assertion Creation.

      1. On the Identity Mapping tab, select Standard, and then select Next.

      2. On the Attribute Contract tab, under Extend the Contract, select or enter the following:
        Attribute Contract: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Attribute Name Format: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
        Figure: SP Connections | SP Connection | Browser SSO | Assertion Creation

      3. Select Add.

      4. Select Next.

      5. On the Authentication Source Mapping tab, select Map New Adapter Instance.

        1. On the Adapter Instance tab, select the adapter that you have previously configured in PingFederate. To create a new adapter, select Manage Adapter Instances. For instructions about configuring an adapter, see the PingFederate documentation.

        2. Select Next.

        3. On the Mapping Method tab, select Use only the adapter contract values in the SAML assertion, and then select Next.

        4. On the Attribute Contract Fulfillment tab, set the following values:
          Source: Adapter
          Value: username
          Figure: SP Connection | SP Connection | Browser SSO | Assertion Creation | IdP Adapter Mapping

        5. Select Next.

        6. On the Issuance Criteria tab, select Next.

        7. Select Done to return to the Assertion Creation section.

      6. Select Next to view the Assertion Creation Summary tab.

      7. Select Done to return to the Browser SSO section.

    4. Select Next to view the Browser SSO > Protocol Settings tab.

    5. Select Configure Protocol Settings.

      1. On the Assertion Consumer Service URL tab, select Next.

      2. On the SLO Service URLs tab, select Next.

      3. On the Allowable SAML Bindings tab, deselect ARTIFACT and SOAP so that only POST and REDIRECT remain selected.

      4. Select Next.

      5. On the Signature Policy tab, select Sign response as required. All three options on this page should be selected.

      6. Select Next.

      7. On the Encryption Policy tab, select Next.

      8. On the Summary tab, select Done.

    6. On the Browser SSO > Summary tab, select Done.

  11. Select Next.

  12. On the Credentials tab, select Configure Credentials.

    1. On the Digital Signature Settings tab, set Signing Certificate to the certificate available.

    2. Select Include the certificate in the signature <KeyInfo> element.

    3. Select Include the raw key in the signature <KeyInfo> element.

    4. Set Signing algorithm to RSA SHA256 (or whatever algorithm your certificate uses).

    5. If necessary, select Manage Certificates to add or manage your certificates.

    6. Select Done.

  13. On the Credentials tab, select Configure Credentials.

    1. On the Digital Signature Settings tab, select Next.

    2. On the Signature Verification Settings tab, select Manage Signature Verification Settings.

      1. On the Trust Model tab, select Next.

      2. On the Signature Verification Certificate tab, confirm that the certificate is added. This certificate is used to verify the signatures on messages from iManage.

      3. Select Done.

    3. On the Credentials > Summary tab, select Next.

  14. On the Activation & Summary tab, select Save.

  15. To export the federated metadata XML file for the SP Connection, select Export Metadata, as shown:
    Figure: Select Action > Export metadata

  16. Select Next. You do not need to sign the metadata file.

  17. On the Export & Summary tab, select Export. The metadata file is downloaded to your browser.

  18. Select Done.

  19. Import the Federated Metadata XML file into iManage Control Center by returning to iManage Control Center and completing the steps in Authentication & SSO.
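
A pre-import check for the metadata file exported in step 17, added here as an example (not iManage or PingFederate code): it confirms that the file advertises only the POST and Redirect bindings chosen on the Allowable SAML Bindings tab and that it carries a signing certificate. The sample XML and the idp.example.test names are constructed, and it is an assumption that the export lists one endpoint per binding enabled for the connection.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:"
ALLOWED = {BINDINGS + "HTTP-POST", BINDINGS + "HTTP-Redirect"}

# Constructed sample of an exported IdP metadata file (not real output).
SAMPLE = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_bytes):
    """Return a list of findings; an empty list means every check passed."""
    if b"<!DOCTYPE" in xml_bytes:  # metadata never needs a DTD; avoid entity expansion
        return ["DOCTYPE present: refusing to parse"]
    idp = ET.fromstring(xml_bytes).find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor: not IdP metadata"]
    findings = []
    for tag in ("SingleSignOnService", "SingleLogoutService"):
        for endpoint in idp.findall("md:" + tag, NS):
            binding = endpoint.get("Binding", "")
            if binding not in ALLOWED:
                findings.append(f"{tag} advertises {binding.rsplit(':', 1)[-1]}")
    # A KeyDescriptor without a use attribute serves both signing and encryption.
    has_signing_cert = any(
        kd.get("use", "signing") == "signing"
        and kd.findtext(".//ds:X509Certificate", default="", namespaces=NS).strip()
        for kd in idp.findall("md:KeyDescriptor", NS))
    if not has_signing_cert:
        findings.append("no signing certificate in KeyDescriptor")
    return findings


if __name__ == "__main__":
    for finding in check_idp_metadata(SAMPLE) or ["ok"]:
        print(finding)
```

The constructed sample deliberately keeps an Artifact endpoint, so the check reports it; a file exported after completing the Allowable SAML Bindings step as described should return no findings.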