Skip to main content

SSO integration with PingFederate using SAML

Connect docs via MCP
Looking for PingFederate OAuth instead?

This guide covers PingFederate as a SAML identity provider for logging into Atlan. For PingFederate as an OAuth identity provider for querying Snowflake from Atlan Data Exploration, see SSO integration with PingFederate using OAuth.

Configure SAML 2.0 single sign-on so your users sign in to Atlan with their PingFederate credentials. Setup moves metadata in both directions: you copy Atlan's service provider details into a new SP Connection in PingFederate, then import PingFederate's identity provider metadata back into Atlan.

PingFederate is an on-premises enterprise IdP with no app gallery. Configuration is done in the PingFederate Admin Console and requires a PingFederate administrator. Start in Atlan, complete the SP Connection in PingFederate, then return to Atlan to finish.

Prerequisites

Before you begin, make sure you have:

  • Admin access in Atlan. Only admins can configure SSO.
  • Administrator access in PingFederate so you can create an SP Connection and export IdP metadata.
  • A decision on the default role new users receive on first sign-in (Admin, Member, or Guest). Set it in Set default role for SSO users. Most workspaces use Member.

Copy Atlan's service provider metadata

  1. In your Atlan workspace, click Settings from the left menu.

    If you are using the Old UI (Classic), from the left menu, click Admin.

  2. Click SSO.

  3. Click New, then select SAML 2.0 as the provider.

  4. For Alias, enter a short identifier for this connection (for example, pingfederate), then click Next.

  5. Under Service provider metadata, copy both values. You will paste them into PingFederate in the next step:

    • Atlan SAML Assertion URL
    • Atlan Audience URI (SP Entity ID)
    PingFederate requires two ACS URLs

    PingFederate must handle both IdP-initiated and SP-initiated SSO flows. The two assertion URLs for your connection are:

    • SP-initiated SSO: https://{{instance}}/auth/realms/default/broker/{{alias}}/endpoint
    • IdP-initiated SSO: https://{{instance}}/auth/realms/default/broker/{{alias}}/endpoint/clients/atlan-saml

    where {{instance}} is your Atlan workspace URL and {{alias}} is the alias you entered above. Add both as ACS endpoints in PingFederate to support both login flows.

Keep this tab open. You will return here to finish setup.

Configure PingFederate as SAML IdP

The following steps are performed in the PingFederate Admin Console by a PingFederate administrator.

  1. Log into the PingFederate Admin Console.

  2. In the left menu, go to Applications and click SP Connections.

  3. Click Create Connection.

  4. Under Connection Type, select Browser SSO Profiles and set the protocol to SAML 2.0, then click Next.

  5. Under SP Entity ID, enter the Atlan Audience URI (SP Entity ID) you copied from Atlan.

  6. Under Connection Name, enter a recognizable name for this connection (for example, Atlan), then proceed to the Browser SSO configuration.

  7. Under Assertion Consumer Service (ACS) URLs, add both assertion URLs:

    • Add the SP-initiated URL (/endpoint) and set it as the default binding.
    • Add the IdP-initiated URL (/endpoint/clients/atlan-saml) as a secondary binding.

    Both must be present to support users signing in from the Atlan login page (SP-initiated) and from a PingFederate application portal (IdP-initiated).

  8. Under Attribute Contract, configure PingFederate to send the following attributes in the SAML assertion:

    • firstName
    • lastName
    • email
    • memberOf (required for group mapping in Atlan)

    Map each attribute to the corresponding value from your user store in the Authentication Source configuration.

  9. Under Signature Policy, check Always sign assertion. Set the signing algorithm to RSA-SHA256.

  10. Complete the remaining connection steps in PingFederate (credentials, activation), then save the SP Connection.

  11. Export the IdP metadata XML from PingFederate. You can find it under the SP Connection's summary page or via PingFederate's federation metadata endpoint. Save the file as .xml.

    info

    The SSO URL in PingFederate's metadata must be reachable from Atlan over an internet connection.

Import PingFederate's metadata into Atlan

With the SP Connection configured in PingFederate, go back to Atlan to finish. Open your Atlan SSO settings (the SAML 2.0 provider you started in the first step) and:

  1. Under Identity provider metadata, provide the metadata from PingFederate one of two ways:

    • Import from XML (recommended): click Import from XML and select the metadata XML file you exported from PingFederate.
    • Enter manually: paste the SAML SSO URL and the x.509 certificate from PingFederate into their respective fields.
  2. Click Save.

Your users can now sign in to Atlan with PingFederate. By default, they can still sign in with a local Atlan account too. To require PingFederate, enable Enforce SSO (see below).

Enforce SSO (optional)

Once PingFederate SSO works, you can disable local email-and-password sign-in so everyone authenticates through PingFederate:

  1. In Atlan, go to Settings → SSO and open your PingFederate provider.

  2. Enable Enforce SSO.

After enforcing SSO, have your PingFederate administrator manage access from PingFederate rather than inviting users directly in Atlan. Assigned users are provisioned automatically on their first sign-in.

Troubleshooting

Invalid signature error

If you encounter an Invalid signature error after setup, verify that the certificate in the PingFederate metadata XML is of the SHA-256 or SHA-512 type. MD5 and SHA-1 certificates are not accepted. Re-export the metadata from PingFederate after updating the certificate algorithm if needed.

SP-initiated login fails but IdP-initiated works (or vice versa)

Each login flow uses a different ACS URL. If one flow fails, confirm that both URLs are registered as ACS endpoints in the PingFederate SP Connection:

  • SP-initiated: https://{{instance}}/auth/realms/default/broker/{{alias}}/endpoint
  • IdP-initiated: https://{{instance}}/auth/realms/default/broker/{{alias}}/endpoint/clients/atlan-saml

Check that the SP-initiated URL is set as the default binding in PingFederate.

404 error when logging in

A 404 error on the PingFederate side can indicate that the SP Connection requires a signed authentication request. Navigate to the Signature Policy tab in your PingFederate SP Connection and uncheck Always Sign Assertion. For details, see PingFederate SSO 404 error.

General SSO sign-in issues

For attribute mapping errors, group sync issues, or user provisioning failures, see Troubleshooting SSO. Contact Atlan Support if the issue persists.

See also