How to proper setup samly for PingFederate SP connection

Hello,

I’m quite new to SAML and Samly, so do not hesitate if I do not provide enough information.

I’m trying to setup properly my Samly (static config) to worked with a local self hosted PingFederate instance.
For now I can reach PingFederate form but after submit SAML Challenge come to my Elixir app, SAMLY throws an error:

access_denied {{:badmatch, []}, [{:xmerl_dsig, :verify, 2, [file: '/Users/xxxx/.../app-umbrella/deps/esaml/src/xmerl_dsig.erl', line: 197]},
{:esaml_sp, :"-validate_assertion/3-fun-2-", 2...

I understand that assertions validation failed and assume that is related to either config in PingFederate side or SAMLY’s.

Here is my local SAMLY static config for my IDP

%{
      id: local_idp_id,
      sp_id: local_sp_id,
      base_url: "#{base_url}/#{local_idp_id}/sso",
      metadata_file: "metadata-pingfederate-local.xml",
      pre_session_create_pipeline: AppWeb.PingoneSamlPipeline,
      allow_idp_initiated_flow: true,
      use_redirect_for_req: false,
      sign_requests: true,
      sign_metadata: true,
      signed_assertion_in_resp: true,
      signed_envelopes_in_resp: false,
      nameid_format: :transient
    }

the related SP is configured and already used by other IDPs.

My frictions points are on some settings set up on PingFederate admin tool.
Here are some one of them:

  1. What value for nameid_format? The assertion creation allows 3 choices: Standard, Pseudonym and Transient. I’m only aware of persistent and transient for SAMLY config so I chose transient
  • STANDARD: Send the SP a known attribute value as the name identifier. The SP will often use account mapping to identify the user locally.
  • TRANSIENT: Send the SP an opaque, temporary value as the name identifier.
  1. What boolean values for sign_requests and signed_assertion_in_resp, in fact in PingFederate we can choose following properties for Signature Policy: Require digitally signed AuthN requests , Always Sign Assertion. and Sign Response As Required , I’ve only checked Always Sign Assertion to match sign_requests and signed_assertion_in_resp .
  2. I’ve checked SP-Initiated SSO to match allow_idp_initiated_flow.

I’ve read :badmatch error upon verifying response from ADFS · Issue #42 · handnot2/samly · GitHub and Why I am getting this badmatch error when trying to connect to websocket but without matching the current problem.

I’m a bit lost to find the right way to fix my configuration, so I’m looking for cross config matching.

Thanks by advance.

That has been quite challenging to make it work…

Mainly I have been using default config from samly doc, but the thing really important is to set the right entity_id in the service_providers section.

I am using transient for nameid_format.

Once done, I started to receive valid challenge.

It took also some time to configure https. I made some fake certifs, but it worked much better with the real one.

BTW I don’t know about PingFederate SP, but I made it work with Azure Federation Services.

Hello back @kokolegorille ,
Sorry for the delay !
Thanks for the answer . I had already an https configuration so that was not a problem but it’s a good idea to point this !
I succeeded by setting up the right entity_id in pingfederate and in my app.
I was already using transient as nameid_format and indeed it’s the right one accordingly to my pingfederate setup.

I don’t know really what was the fix but I think it’s a global thing between entity_id and boolean values such as signed_assertion_in_resp . In fact it’s related to my custom pingfederate config so there is no absolute config for a pingfederate config in SAMLY, always related to the config.

Thanks for your answer and your time again @kokolegorille .