Introduction
The SP Sample Application is used to demonstrate and test the features of PingFederate. It allows a user to initiate single sign-on (SSO)
to any of the configured IdP connections and also to perform single logout (SLO).
Configuring SpSample
The SP Sample App config files are located in the folder SpSample/config and are listed below:
pfagent-sp.properties
This file contains the agent properties which are generated from the Standard Adapter in PingFederate. Please refer to the PingFederate Manual for more information.
pingfederate-sp-config.props
This file contains properties to configure the sample app. You can set the base URL for PingFederate and the sample app as well as define additional attributes.
- hostPF
Specify the base URL for PingFederate. (We recommend using SSL for
a production environment.)
- hostAppSp
Specify the URL for the sample SP application.
- attributeNamesList
To specify additional attributes, add the attribute names to this
property. For example, to specify two additional attributes -- attribute1 and
attribute2 -- the line would be modified to
attributeNamesList=password,attribute1,attribute2. The values of these
attributes are specified in the property file "pingfederate-sp-demo-users.props".
- transferMethod
PFTOKEN can be sent as a cookie or cookie parameter. The "transferMethod"
can be set to either "cookie" or "cookie".
- accountLinking
PingFederate supplies two modes for identity mapping of disparate user accounts
between different domains: Account Linking and Account Mapping. Set this parameter
to "true" if you are using Account Linking mode.
pingfederate-sp-demo-users.props
This file contains a list of users with their attributes. You can modify the existing values as well as add/delete users.
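A pre-deployment check for pingfederate-sp-config.props, covering the properties described above, including the SSL recommendation for hostPF. This is an added example, not part of the sample app: the host names are constructed placeholders, the parser handles only simple key=value lines, and "false" as the off value of accountLinking is an assumption.

```python
from urllib.parse import urlsplit

# Constructed sample of pingfederate-sp-config.props; all values are placeholders.
SAMPLE_PROPS = """\
# base URLs
hostPF=http://pf.example.com
hostAppSp=https://sp.example.com
attributeNamesList=password,attribute1,,attribute1
transferMethod=cookie
accountLinking=yes
"""
REQUIRED = ("hostPF", "hostAppSp", "attributeNamesList", "transferMethod", "accountLinking")


def parse_props(text):
    """Parse key=value lines, skipping blanks and #/! comments (no continuations or escapes)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def audit(props):
    """Return a list of findings for the properties this page documents."""
    findings = [f"missing property: {k}" for k in REQUIRED if k not in props]
    for key in ("hostPF", "hostAppSp"):
        url = urlsplit(props.get(key, ""))
        if key in props and (url.scheme not in ("http", "https") or not url.netloc):
            findings.append(f"{key}: not an absolute http(s) URL")
        elif key == "hostPF" and url.scheme == "http":
            findings.append("hostPF: plain HTTP; use SSL (https) in production")
    if "attributeNamesList" in props:
        names = [n.strip() for n in props["attributeNamesList"].split(",")]
        if "" in names:
            findings.append("attributeNamesList: empty attribute name")
        dupes = sorted({n for n in names if n and names.count(n) > 1})
        if dupes:
            findings.append(f"attributeNamesList: duplicate names {dupes}")
    # "false" as the off value is an assumption; the page only names "true".
    if "accountLinking" in props and props["accountLinking"] not in ("true", "false"):
        findings.append('accountLinking: expected "true" or "false"')
    return findings


if __name__ == "__main__":
    print("\n".join(audit(parse_props(SAMPLE_PROPS))))
```

The transferMethod value is only checked for presence, since the check validates nothing beyond what the property descriptions above state.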
Using SpSample
The SP Sample App can be used to demonstrate the following scenarios:
- Local Login
Follow these steps to log in:
- Start the SP Sample App by entering the following URL in your browser:
hostAppSp/SpSample
- Log in to the app by selecting a user and entering the password. (The default password is "test").
- Login through IdP
Follow these steps to log in through an IdP:
- Start the SP Sample App by entering the following URL in your browser:
hostAppSp/SpSample
- Select the required IdP from the dropdown and click login.
- Local Logout
Follow these steps to log out:
- Access the main page of the SP Sample App by entering the following URL in your browser:
hostAppSp/SpSample
- Click Local Logout.
- SP-initiated SSO (IdP Connection)
Follow these steps to perform SP-initiated SSO:
- Perform Local Login as specified above.
- Click on the Sign on image within the IdP Connection.
- SP-initiated SLO (Single Logout)
Follow these steps to perform SP-initiated SLO:
- Perform SP-initiated SSO as specified above.
- Access the SP Sample App by entering the following URL in your browser:
hostAppSp/SpSample
- From the main page, click "Single Logout".
- User Attributes
By default the SP Sample App is configured to use userId. You can add additional attributes to this list as follows:
- Open pingfederate-sp-config.props in a text editor.
- Edit attributeNamesList to add names of additional attributes.
- Perform Local Login as specified above.
- You should now see the additional attributes in the User Attributes table.
- De-federate
Click De-federate to disassociate the account link with the IdP. This is only applicable for account linking. Follow these steps to de-federate:
- Set up PingFederate to use Account Linking. For more information, please refer to the PingFederate Manual.
- Make sure accountLinking is set to true in the config file pingfederate-sp-config.props.
- Perform Login through IdP as specified above.
- Once Account Linking is established, click De-federate from the SP App main page. This will sever the account link in PingFederate.
- Re-authenticate (ForceAuthn)
Controls whether the identity provider authenticates the Principal regardless of whether the Principal is
already authenticated. This element is specified only when IsPassive is unchecked. If ForceAuthn
is checked, the identity provider MUST always authenticate the Principal, regardless of whether
the Principal is presently authenticated; otherwise, the identity provider MUST re-authenticate
the user only if the Principal is not presently authenticated.
- Allow User Interaction (isPassive)
If checked, specifies that the identity provider MUST NOT interact with the Principal and MUST NOT take
control of the user interface from the service provider; otherwise, the identity provider MAY interact with
the user and MAY temporarily take control of the user interface for that purpose.
- Multiple IdP Connections
The SP Sample App can be modified to read IdP connections from a properties file, as follows:
- Copy SpSample/template/pingfederate-sp-connections.props
to the SpSample/config/ folder.
- Edit the file pingfederate-sp-connections.props to create one or more IdP connections.
- Access the SP Sample App by entering the following URL in your browser:
hostAppSp/SpSample
- After login, you should see a list of IdP connections as configured in the properties file.