In this new post we will show you a “step by step” on how to set up SAML on Ping Identity’s portal and how to set this up in Thinfinity Remote Desktop.
First of all, open the Thinfinity Remote Desktop manager and go to the ‘Authentication’ tab. Once there, click ‘Add’ and select ‘SAML’:
Add a “Name” and “Virtual Path”. For testing purposes use ‘SAMLACS’ as Virtual Path (we will use this information later on):
Now, log into your Ping Identity admin portal and create a new “Web App”.
Select the SAML option:
Fill out “Name”, “Description” and click next:
In the next step we have to configure the Assertion Consumer Service URL, you must enter your public URL for your Thinfinity Remote Desktop server followed by the Virtual Path of the authentication method you configured in the Thinfinity Remote Desktopmanager:
So this should look something like this: http(s)://Server_DNS:port/SAMLACS
Below the ACS URL you will be able to download the signin certificate. Download this and store it somewhere in your Thinfinity Remote Desktop server:
Enter the “Entity ID” URL, this is the public URL for your Thinfinity Remote Desktopserver (e.g. http(s)://Server_DNS:port):
Set the assertion validity duration, the minimum value is 60 seconds:
In the SAML Attributes, choose ‘Email Address’ and click ‘Save and Continue’.:
Now that we have SAML configured in Ping Identity, we have to set up Thinfinity Remote Desktop. Before we go to the Thinfinity Remote Desktop manager, select the ‘Configuration’ tab of your SAML application and copy the ‘Issuer ID’ and ‘Single Sign On Service’:
Back in the VirtualUI manager, we need to fill the following information:
- Service Identifier = Identity Provider “Entity ID”
- Service Certificate File = Your certificate file
- Service Certificate Password = Your certificate’s password
- Identificacion Entity ID = Issuer ID
- Single Sign-On Service URL = Identity Provider “Single SignOn Service URL”
- Sign-Out URL = This value is optional
- Partner Certificate File = X.509 Certificate provided by Ping Identity
Back in the ‘Authentication’ tab, switch to the ‘Mappings’ tab and map your email address to the local AD user or group:
Above, I mapped an email address to an AD user, but you can also use a wild-card. For instance, you can add “*@cybelesoft.com” as “Authentication ID mask” and map this back to the ‘Cybelesoft\Domain Users’ group in your AD.
Finally we have to enable user access to SAML on Ping Identity, you will find a little switch to do so in its settings:
It should look like this:
Now after applying the changes to the Thinfinity Remote Desktop manager,go to the Thinfinity Remote Desktop site and you should be able to see the ‘Ping Identity SAML’ authentication method listed:
If you have any questions regarding the SAML configuration, you can leave a comment below or send us an email at [email protected]. Cheers!