SearchStax Site Search Single Sign-On (SSO) Setup for PingFederate

---

The SearchStax Site Search solution now offers the ability for customers to set up PingFederate Single Sign-On (SSO) to let their users log in with a single ID and password that works across multiple software systems.

We use the open standard Security Assertion Markup Language (SAML) to allow identity providers (IdP) to pass authorization credentials to service providers (SP). This page provides instruction to use PingFederate to implement SSO for SearchStax.

SSO is an add-on Site Search feature that is available with the Advanced and Premium plans.

Instructions

Once SSO is enabled by SearchStax for your account, and a domain is set up, the options to set up SSO appear in the My Profile screen of the My Account menu:

The Set Up Single Sign-On button leads to a screen of configuration URLs and feature options. You will need to refer to this screen while setting up the SSO profile with the Identity Provider.

This screen contains the following fields and options:

• Assertion Consumer Service (ACS) URL: Note that the URL includes your SSO domain (called mydomain in the following discussion).
• Metadata URL: SearchStax metadata endpoint.
• Enable Checkbox: If checked, SSO is enabled for this account.
• Assertion Responses Signed: Use the droplist to indicate whether assertions and/or responses should be signed.
• Allow Email Password Login Checkbox: If check, permits login by email/password in addition to SSO.
• Auto Create Users Checkbox: Should a new user account be created the first time a user logs in?
• IDP Entry URL: Identity provider URL.
• Metadata URL: The SAML 2 Metadata URL.
• Sign-In URL: The URL used for signing into the SAMP Identity Provider.
• Sign-Out URL (Optional): The URL shown after a successful sign-out.

PingFederate Setup

Note: Make sure you have an Adapter already set up inside PingFederate!

1. Go to PingFederate IdP administration console and select the Create New button underneath the SP Connections section:
   
2. In the Connection Type tab select the Browser SSO Profiles/SAML 2.0 Template then click Next. In the Connection Options continue with Browser SSO and hit Next again:
   
3. The next tab is the Import Metadata tab. You can choose to extract our metadata from the URL (shown in a screenshot above the instructions) in our dashboard and import it here, this will prefill some future sections for you:
   
4. In the General Info tab you will need to ensure that the following boxes have the correct information in them whether you imported our metadata or not.
   
   The Entity ID box should contain our EntityID which is also our metadata URL.
   
   Connection Name is whatever you want to use to identify this connection in your PingFed dashboard.
   
   Virtual Server IDS is important because it will overwrite your “master” EntityID and display a value in your metadata that we require to connect properly. This will also need to be in a URL format so something like https://sso-t.com/idp/SSO.saml2 is recommended.
   
   After this scroll to the bottom and click next
   
   
5. The next tab is where you will configure the Browser SSO settings. After clicking configure Browser SSO select SP-Initiated SSO and hit Next.
   
   We left the Assertion Lifetime settings as default and then hit next again.
   
   
6. Next we need to configure the Assertion Creation by clicking the Configure Assertion Creation button. Keep standard identity mapping and hit Next. In the Attribute Contract tab you will need to pass surname, email, and givenName in the assertion via the Extend the Contract sections and then hit Next.
   
   
7. Now that the attributes are created they need to be mapped. This is done with the Map New Adapter Instance button on the Authentication Source Mapping tab.
   
   Here you will select the Adapter you have configured for this connection and then hit Next until you come to the Attribute Contract Fulfillment tab.
   
   Here you will map your values to the email, surname, and givenName attributes being passed from your end, when finished hit Next and then the Done button until you see the Configure Protocol Settings button.
   
   
   
8. When configuring the protocol you will want to send your POST requests to the ACS URL provided in our SearchStax dashboard.
   
   It will look something like this *.searchstax.com/saml2/acs/ then hit Next until you arrive at the Signature Policy Tab.
   
   Here you will select the Always Sign the SAML Assertion box. Now hit Next again until you get to the Configure Credentials button.
   
   
   
9. Here you are selecting the valid certificate used in your signings:
   
   
   Now hit Next and review all the tabs that are presented. If everything looks good you can activate the connection and then hit Save.
   
   
10. When you are finished settings things up in PingFed you will need to come back to our dashboard and input the values of your SSO:
    
    
    We need your IdP Entity URL, as discussed above this will be your VSID that you configured specifically for this connection.
    The URL to your metadata.
    Then finally the Login URL used for this connection.
    Once the above is added you can select the Enabled box and hit Save Settings.
    
    

Login Using SSO

The Site Search sign-in screen provides a button at the bottom for SSO – “Sign-In With your ID Provider.” Click this button.

Enter the domain that was set up for the client.

Click Continue. This takes you to the PingFederate Sign-in page. After you authenticate, it brings you back to your Site Search Dashboard.

Alternately, you can directly go to https://<Subdomain>.searchstax.com to login, and clicking on the “Sign-In With your ID Provider” will take you directly to PingFederate.

SSO + Two-factor Authentication

A User can have SSO and Two-Factor authentication both set up. The 2FA settings for a user will apply to all accounts that the user has access to.

However, for the account that has SSO Setup, SearchStax 2FA settings will not apply. In that case, 2FA should be set up at the SSO Provider.