
PingIdentity® SAML

The PingOne® and PingFederate® offerings from PingIdentity require the SAML integrator for integration with Cloudflare Access. The PingFederate and PingOne documentation explains how to configure applications. These steps focus on the requirements specific to Cloudflare Access.

Set up PingIdentity as your IdP

To set up PingIdentity as your IdP:

  1. Log in to your Ping dashboard and navigate to Applications.

  2. Click Add Application.

  3. Select New SAML Application.

  4. Complete the fields for name, description, and category.

    These can be any value. A prompt displays to select a signing certificate to use.

  5. In the SAML attribute configuration dialog, select Email attribute > urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

  6. In the Signature Policy tab, disable the option to Always Sign Assertion.

  7. Leave the option enabled for Sign Response As Required.

    This ensures that SAML destination headers are sent during the integration.

    In versions 9.0 and above, you can leave both of these options enabled.

  8. A prompt displays to download the SAML metadata from Ping.

    This file shares several fields with Cloudflare Access so you don’t have to input this data.

  9. Navigate to Cloudflare Access, scroll to Login Methods, click Add and select the SAML icon.

  10. Upload the metadata file under Add a SAML identity provider.

  11. Enter the following URL in the IdP Entity ID field.

    Replace “your-domain” with the authentication domain listed in Cloudflare Access, and include the callback in the path:

    https://your-domain.cloudflareaccess.com/cdn-cgi/access/callback

  12. Confirm that the fields set by the metadata file are accurate.

  13. Click Save and then Test.

    On successful connection to your PingIdentity deployment, a confirmation displays.

Download SP metadata (optional)

Some IdPs allow administrators to upload metadata files from their SP (service provider).

To get your Cloudflare metadata file:

  1. Download your unique SAML metadata file at the following URL:

    https://auth-domain.cloudflareaccess.com/cdn-cgi/access/saml-metadata

  2. Replace “auth-domain” in the URL with your account’s Login Page Domain, found in the Access tab in Cloudflare Access.

    The link returns a web page with your SAML SP data in XML format.

  3. Save the file as an XML document.

  4. Upload the XML document to your PingIdentity account.

Example API Configuration

{
    "config": {
        "issuer_url": "https://example.cloudflareaccess.com/cdn-cgi/access/callback",
        "sso_target_url": "https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=aebe6668-32fe-4a87-8c2b-avcd3599a123",
        "attributes": ["PingOne.AuthenticatingAuthority", "PingOne.idpid"],
        "email_attribute_name": "",
        "sign_request": false,
        "idp_public_cert": "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o"
    },
    "type": "saml",
    "name": "ping saml example"
}
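
Step 12 asks you to confirm the fields set by the metadata file. The Python below is an added example, not Cloudflare or PingIdentity code: it compares a configuration of the shape shown in Example API Configuration against the IdP metadata it was built from. The sample metadata, host names, idpid and certificate text are constructed placeholders, and the code assumes the metadata marks its key with use="signing".

```python
import json, re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata: host, idpid and certificate are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>TUlJQ1BMQUNF
SE9MREVS</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.test/sso/idp/SSO.saml2?idpid=PLACEHOLDER"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def strip_ws(value):
    """Drop line breaks and spaces so wrapped certificates compare equal."""
    return re.sub(r"\s+", "", value or "")

def extract_idp_fields(metadata_xml):
    """Return the SSO endpoint and signing certificate from IdP metadata."""
    if "<!DOCTYPE" in metadata_xml:  # metadata needs no DTD; refuse entity expansion
        raise ValueError("DOCTYPE not allowed in SAML metadata")
    idp = ET.fromstring(metadata_xml).find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = idp.find("md:SingleSignOnService", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    if sso is None or cert is None:
        raise ValueError("metadata lacks an SSO endpoint or signing certificate")
    return {"sso_target_url": sso.get("Location"),
            "idp_public_cert": strip_ws(cert.text)}

def check_access_config(config_json, metadata_xml):
    """List mismatches between an Access SAML config and the IdP metadata."""
    body = json.loads(config_json)
    cfg, idp, problems = body.get("config", {}), extract_idp_fields(metadata_xml), []
    issuer = urlparse(cfg.get("issuer_url", ""))
    if body.get("type") != "saml":
        problems.append("type is not saml")
    if (issuer.scheme != "https" or issuer.path != "/cdn-cgi/access/callback"
            or not (issuer.hostname or "").endswith(".cloudflareaccess.com")):
        problems.append("issuer_url is not the Access callback URL")
    if cfg.get("sso_target_url") != idp["sso_target_url"]:
        problems.append("sso_target_url differs from metadata")
    if strip_ws(cfg.get("idp_public_cert")) != idp["idp_public_cert"]:
        problems.append("idp_public_cert differs from metadata")
    return problems
```

An empty list from check_access_config means the configuration agrees with the metadata; a certificate mismatch is the one to treat as a stop, since that field decides whose signatures Access will trust.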