Importing InCommon metadata into PingFederate

Every now and then the question pops up: “how can I import InCommon metadata into PingFederate”?

InCommon distributes the SAML 2.0 metadata of all participants in the InCommon federation as one flat file. The individual EntityDescriptor elements of the participants are wrapped in an outer XML element named EntitiesDescriptor, and the XML signature InCommon puts on the aggregate covers that outer element, so it should be verified on the file as a whole before the file is taken apart. Out-of-the-box PingFederate cannot consume an EntitiesDescriptor because it only knows how to deal with a (single) EntityDescriptor at a time.

The good news is that PingFederate has a number of APIs that can be leveraged to get around this limitation. It is not difficult to build a script that parses the individual EntityDescriptors out of the outer EntitiesDescriptor and pushes them one by one over the API as single entities (i.e. IDPs or SPs). A sample script that I wrote using the SOAP-based Connection Management API can be found here:

https://github.com/zandbelt/php-pingfed-metadata/blob/master/provision.php

Here’s a screenshot of how the Admin GUI screen looks after the import of 1653 SPs and 349 IDPs from InCommon:

[Screenshot of the PingFederate Admin GUI after the import, taken 2014-04-14]

And yes, this script works against arbitrary EntitiesDescriptors, e.g. the ones from the UK Access Federation or the Dutch SURFconext.

But there's more: PingFederate has recently been extended with an Admin REST API, which is even simpler to deal with than the SOAP API. As of today it only handles IDP connections, but that functionality can already be used by an SP to process the InCommon metadata and e.g. update all of the certificates that have been replaced or renewed. In this way no manual update of key material is needed when IDPs roll over, add or remove signing certificates. The script can be found here:

https://github.com/zandbelt/php-pingfed-metadata/blob/master/update-verification-certs.php

So after importing or manually configuring a bunch of InCommon IDPs in PingFederate, the SP administrator can run this script as a cron job to automatically pick up the changes that the configured IDPs make to their signing keys.
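To make the two steps above concrete (splitting the aggregate into single entities for the provisioning script, and pulling the current signing certificates out of each IDP for the certificate-refresh job), here is an added Python example. It is not the blog post's PHP code and does not talk to PingFederate: `push_to_pingfederate()` is a hypothetical hook standing in for the SOAP or REST call, the aggregate is constructed for the example, and the certificate bodies are placeholder strings rather than real base64 DER.

```python
"""Added example (not the blog post's PHP scripts): split an InCommon-style
EntitiesDescriptor into single EntityDescriptors, tell IDPs from SPs, and
collect the signing certificates an SP must hold as verification certs.
The aggregate below is constructed; certificate bodies are placeholders."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
ED_TAG = "{%s}EntityDescriptor" % MD
EDS_TAG = "{%s}EntitiesDescriptor" % MD
# Keep the md:/ds: prefixes when serialising a single entity back out.
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed sample aggregate. A real InCommon file holds thousands of
# entities and carries an XML signature on the outer EntitiesDescriptor.
SAMPLE_AGGREGATE = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:example:federation">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC-IDP-SIGNING-NEW</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC-IDP-BOTH</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC-IDP-ENC-ONLY</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def split_aggregate(xml_text):
    """Return the EntityDescriptor elements in document order, descending into
    nested EntitiesDescriptor groups (the schema allows nesting). The aggregate
    signature sits on the outer element and cannot be checked on the pieces,
    so verify it on the whole file before calling this."""
    root = ET.fromstring(xml_text)
    if root.tag != EDS_TAG:
        raise ValueError("expected an md:EntitiesDescriptor root, got %s" % root.tag)
    return list(_walk(root))


def _walk(node):
    for child in node:
        if child.tag == ED_TAG:
            yield child
        elif child.tag == EDS_TAG:
            yield from _walk(child)


def roles(entity):
    """Set of roles the entity plays: 'IDP', 'SP', or both."""
    found = set()
    if entity.find("md:IDPSSODescriptor", NS) is not None:
        found.add("IDP")
    if entity.find("md:SPSSODescriptor", NS) is not None:
        found.add("SP")
    return found


def idp_signing_certs(entity):
    """Certificates an SP may use to verify this IDP's signatures. A
    KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption; use="encryption" keys are deliberately skipped."""
    certs = []
    for kd in entity.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") == "encryption":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))  # drop PEM line breaks
    return certs


def plan_connections(xml_text):
    """entityID -> roles, verification certs and a standalone single-entity
    document (the shape a one-connection-at-a-time import expects)."""
    plan = {}
    for ent in split_aggregate(xml_text):
        plan[ent.get("entityID")] = {
            "roles": roles(ent),
            "signing_certs": idp_signing_certs(ent),
            "xml": ET.tostring(ent, encoding="unicode"),
        }
    return plan


def cert_changes(configured, current):
    """(to_add, to_remove) for one IDP connection: what a scheduled run of the
    cert-refresh job would apply after the IDP rolls over its signing key."""
    return (sorted(set(current) - set(configured)),
            sorted(set(configured) - set(current)))


def push_to_pingfederate(entity_id, info):
    """Hypothetical hook; the real scripts call the SOAP Connection Management
    API (provisioning) or the Admin REST API (cert refresh) at this point."""
    print("would create %s connection(s) for %s with %d signing cert(s)"
          % ("/".join(sorted(info["roles"])), entity_id, len(info["signing_certs"])))


if __name__ == "__main__":
    plan = plan_connections(SAMPLE_AGGREGATE)
    for entity_id, info in plan.items():
        push_to_pingfederate(entity_id, info)
    # Simulate a refresh run: PingFederate still holds an old cert for the IDP.
    add, remove = cert_changes(["MIIC-IDP-OLD", "MIIC-IDP-BOTH"],
                               plan["https://idp.example.edu/idp/shibboleth"]["signing_certs"])
    print("add:", add, "remove:", remove)
```

Two details matter for the refresh job: a KeyDescriptor with no `use` attribute is a signing key as well as an encryption key and must be kept, while a `use="encryption"` key must never be installed as a verification certificate. Removing a certificate that has disappeared from the metadata is as important as adding the new one, otherwise a retired key keeps being trusted.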

In summary, these APIs and scripts allow federation to scale up to large numbers of partners by automating maintenance tasks, and, last but not least, they will make federation administrators sleep a lot better…


4 Responses to Importing InCommon metadata into PingFederate

  1. Hans,
    Great post and script. Ran it today and now have close to 2300 new IdP/SP connections. An issue that I have though is that when I click on “Manage All SP Connections” it takes a long time to render the page and there are a ton of log entries. It seems like Ping is doing some kind of check on every connection. Any thoughts on how we can improve on that?

    Thanks,
    James

  2. Hi James,

    As mentioned in the comments at the top of the script (the last comment):
    “Be sure to switch off auto-connection-validation in the System Options of the Server Settings of the PingFederate management console to avoid an unusably slow console when dealing with a large number of connections.” That should help.

    Hans.

  3. Hi Hans,

    Does PingFederate 6.4 have similar capabilities as the ones described by your article?

    Thanks,
    Lucas

    • PingFederate 6.4 has the SOAP Connection Management API so the provision.php script would work. The update-verification-certs.php script uses the REST APIs that are only present since PingFederate 7.x. You may have to restore a slightly older version of provision.php from Github as some things have changed wrt. certain adapter configurations. You can contact me if you need help.
