From c3d5986557103055a7e3c2b1a9758bcc4b274fa8 Mon Sep 17 00:00:00 2001 From: kennyj42 <73258453+kennyj42@users.noreply.github.com> Date: Thu, 15 May 2025 14:53:42 -0500 Subject: [PATCH 1/3] Update pingfederate-saml.mdx Our account team found this issue in a customer POC. You need to ensure you're also sending a certificate as part of the SAML response --- .../idp-integration/pingfederate-saml.mdx | 22 +++++++++++-------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/pingfederate-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/pingfederate-saml.mdx index 805ea6cba88023..db06033ac58074 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/pingfederate-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/pingfederate-saml.mdx 
@@ -19,29 +19,33 @@ These can be any value. A prompt displays to select a signing certificate to use 5. In the **SAML attribute configuration** dialog select **Email attribute** > **urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress**. +6. Go to SP Connections > SP Connection > Credentials + +Add the matching certificate that you upload into the Cloudflare SAML configuration for Ping. Select "include the certificate in the signature element". + :::note There is an additional setting for PingFederate prior to 9.0. ::: -6. In the **Signature Policy** tab, disable the option to **Always Sign Assertion**. +8. In the **Signature Policy** tab, disable the option to **Always Sign Assertion**. -7. Leave the option enabled for **Sign Response As Required**. +9. Leave the option enabled for **Sign Response As Required**. This ensures that SAML destination headers are sent during the integration. In versions 9.0 above, you can leave both of these options enabled. -8. A prompt displays to download the SAML metadata from Ping. +10. A prompt displays to download the SAML metadata from Ping. This file shares several fields with Cloudflare Access so you do not have to input this data. -9. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**. +11. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**. -10. Under **Login methods**, select **Add new**. +12. Under **Login methods**, select **Add new**. -11. Select SAML. +13. Select SAML. -12. In the **IdP Entity ID** field, enter the following URL: +14. In the **IdP Entity ID** field, enter the following URL: ```txt https://.cloudflareaccess.com/cdn-cgi/access/callback 
@@ -49,9 +53,9 @@ https://.cloudflareaccess.com/cdn-cgi/access/callback You can find your team name in Zero Trust under **Settings** > **Custom Pages**. -13. Fill the other fields with values from your Ping dashboard. +15. Fill the other fields with values from your Ping dashboard. -14. Select **Save**. +16. Select **Save**. To test that your connection is working, go to **Authentication** > **Login methods** and select **Test** next to the login method you want to test. From e8a66b98f4eef4542ea32b9ce153cbe82a279186 Mon Sep 17 00:00:00 2001 From: ranbel <101146722+ranbel@users.noreply.github.com> Date: Thu, 15 May 2025 16:11:31 -0400 Subject: [PATCH 2/3] Apply suggestions from code review --- .../identity/idp-integration/pingfederate-saml.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/pingfederate-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/pingfederate-saml.mdx index db06033ac58074..f3a409b3cfbd6d 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/pingfederate-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/pingfederate-saml.mdx @@ -19,9 +19,9 @@ These can be any value. A prompt displays to select a signing certificate to use 5. In the **SAML attribute configuration** dialog select **Email attribute** > **urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress**. -6. Go to SP Connections > SP Connection > Credentials +6. Go to **SP Connections** > **SP Connection** > **Credentials**. -Add the matching certificate that you upload into the Cloudflare SAML configuration for Ping. Select "include the certificate in the signature element". +7. Add the matching certificate that you upload into the Cloudflare SAML configuration for Ping. Select **Include the certificate in the signature element**. :::note There is an additional setting for PingFederate prior to 9.0. 
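Review bot: In the first hunk of PATCH 1/3 (`@@ -19,29 +19,33 @@`) the list numbering skips 7: the new step 6 is followed by an unnumbered paragraph ("Add the matching certificate that you upload ...") and the next numbered item is 8. Make that paragraph step 7 so the procedure stays contiguous and the certificate instruction cannot be read as a side remark. The UI labels in both added lines (SP Connections, SP Connection, Credentials, and the quoted option name) should be bold like **Signature Policy** and **Always Sign Assertion** in the neighbouring steps, and step 6 needs a closing period. PATCH 2/3 makes these fixes, so consider squashing it into this commit.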
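Review bot: Step 7 as reworded in PATCH 2/3 is still ambiguous about which certificate is meant: "Add the matching certificate that you upload into the Cloudflare SAML configuration for Ping" does not say what it must match, and the upload it refers to only happens later in the procedure (step 15, "Fill the other fields with values from your Ping dashboard"). State explicitly whether this is the signing certificate selected in the earlier prompt ("A prompt displays to select a signing certificate to use"), and that the same certificate is the one entered in the Cloudflare login method. The commit message for PATCH 1/3 gives the reason for the step (a certificate must also be sent as part of the SAML response), but the doc text does not; one sentence of rationale after the option name would keep readers from skipping the checkbox.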
From b89d8c005288c280ba8653d4c70dfb243b80036c Mon Sep 17 00:00:00 2001 From: ranbel <101146722+ranbel@users.noreply.github.com> Date: Thu, 15 May 2025 16:22:54 -0400 Subject: [PATCH 3/3] Update src/content/docs/cloudflare-one/identity/idp-integration/pingfederate-saml.mdx --- .../identity/idp-integration/pingfederate-saml.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/pingfederate-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/pingfederate-saml.mdx index f3a409b3cfbd6d..8d5d2358a4b00c 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/pingfederate-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/pingfederate-saml.mdx @@ -21,7 +21,7 @@ These can be any value. A prompt displays to select a signing certificate to use 6. Go to **SP Connections** > **SP Connection** > **Credentials**. -7. Add the matching certificate that you upload into the Cloudflare SAML configuration for Ping. Select **Include the certificate in the signature element**. +7. Add the matching certificate that you upload into the Cloudflare SAML configuration for Ping. Select **Include the certificate in the signature `` element**. :::note There is an additional setting for PingFederate prior to 9.0.
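Review bot: The added line in PATCH 3/3 ends with "signature `` element", so the inline code span is empty and the element name the commit meant to insert is missing from the rendered step. Put the element name inside the backticks, and if it is written with angle brackets, confirm in the MDX preview that it renders literally and is not parsed as a JSX tag. As it stands the option label reads worse than the PATCH 2/3 wording it replaces, and a reader cannot match it against the checkbox text in the PingFederate Credentials screen.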