This tutorial demonstrates how to integrate Criipto Verify with PingFederate. The following steps are required to complete your first login:
- Prepare an application in Criipto Verify that represents your PingFederate tenant
- Create an authentication source in your PingFederate tenant which connects to the Criipto Verify application
- Complete the application configuration in Criipto Verify
- Integrate your own application with PingFederate
In the following you will be configuring first Criipto Verify, then PingFederate, and then back to finalizing the configuration in Criipto Verify.
The final step in this excercise is needed because of a catch-22 between the requirements of the configuration steps on the two platforms, respectively:
- Creating an application in Criipto Verify requires you to specify a callback URL to PingFederate before you can save the application configuration and get your hands on the generated client secret.
- Getting the callback URL to PingFederate requires that you create an authentication source, which in turn requires the client secret from Criipto Verify, but you don’t have the secret yet because you need the callback URL
which is a bit of a chicken-and-egg-problem, unfortunately. We suggest that you break the deadlock by configuring a temporary (bogus) callback URL in the first step in Criipto Verify, and then replace it with the actual value available after the authentication source is created.
As the setup requires some switching back-and-forth between Criipto and PingFederate’s respective management dashboards, we recommend that you have them open simultaneously to make the process fairly smooth.
Once configured you may test that everything works from PingFederate’s
Prepare Criipto Verify application
First, you must register your PingFederate tenant as an application in Criipto Verify.
Once you register your PingFederate tenant, you will also need some of the information for configuring PingFederate to communicate with Criipto Verify. You get these details from the settings of the application in the dashboard.
Specifically you need the following information to integrate with PingFederate:
- Client ID to identify your PingFederate tenant to Criipto Verify. In the case below we chose
- Domain on which you will be communicating with Criipto Verify. Could be for example
- Client secret which PingFederate needs to fetch actual user information from Criipto Verify during login. The secret is generated when you save the new application.
Click the Save button - and a popup will appear after a little while with your client secret. Make a copy of it (preferably by pasting it directly into your PingFederate authentication source configuration).
The application details pane will be hidden automatically - you can expand it again by clicking anywhere on the line item with the name of your new application (in this article, that would be
Create PingFederate authentication source
On the dashboard of your PingFederate tenant, go to the
Authentication tab and click on the
IdP Connections tile
Click the Create Connection button and choose
BROWSER SSO PROFILES in
Connection Type and then
OpenID Connect in the
Click the Next button, choose
BROWSER SSO in
Click the Next button, enter your specific Domain authority in the
ISSUER field and click the Load Metadata button
Give the connection a recognizable name, copy-paste the Client ID and Client secret values from your Criipto Verify application
Click the Next button and then click the Configure Browser SSO button
NO MAPPING for the
Click the Next button and add the claim types that you want to consume in the
You can find the available claim types here.
Click the Save button and the callback URL you need to finalize the Criipto Verify application configuration is displayed - in PingFederate terms, though, the callback URL is called a
Complete the application configuration in Criipto Verify
Expand the details of the application configuration if you haven’t already done so in the first step.
Replace the temporary callback URL (from step 1,
https://example.com in this article) in your Criipto Verify application with the actual value now available from your PingFederate authentication source configuration (the value of the
Redirect URI above)
and click the Save button.
Integrate your own application with PingFederate
How to integrate your application with PingFederate depends on the technology you are working with. Refer to the PingFederate developer documentation for more details.
If you want to use pass-through of
login_hint values sent from your own application to Criipto Verify via PingFederate, you must enable it via a
Policy in your
IDP AUTHENTICATION POLICIES.
If you haven’t already done so, create a
Policy Contract with the attributes you wish to consume
- available claim types can be found here
Then create a
Policy for your
IdP Connection to Criipto Verify and set the
Incoming User ID to be sourced from
Context and use the
Requested User value.