
How to Enroll Devices To SureMDM Using PingFederate?

KB ID: 42G2208186
Updated: September 2022

SureMDM can now authenticate device enrollment through PingFederate.

PingFederate is an enterprise federation server that enables user authentication and single sign-on. It serves as a global authentication authority that allows employees, customers, and partners to securely access all the applications they need from any device.

To enable PingFederate-based enrollment in SureMDM, follow the steps below.

PingFederate User Configuration

Create a new SP adapter instance by logging in to the PingFederate administrative console.

  1. For PingFederate 10.1 or later: Go to Applications → Integration → SP Adapters. Click Create New Instance.
  2. For PingFederate 10.0 or earlier: Go to Service Provider → Adapters. Click Create New Instance.
Note: Most of the adapter settings can be left at their default values; only the settings called out below need to be set explicitly.
TYPE Configuration
Set the TYPE to OpenToken SP Adapter, as shown in the image below.

INSTANCE Configuration
On the Instance Configuration tab, set the following options as shown in the image below.

Transport Mode: Form POST
Cipher Suite: AES-128/CBC

The cipher suite chosen here must match the cipher-suite value in the agent configuration file that is later pasted into SureMDM. In the OpenToken numbering, AES-128/CBC is cipher-suite=2, which is the value used in the sample agent configuration further down this page.


Extended Contract
This adapter supports extended adapter contracts such as Email Address, Name, and User ID.

Set the Core Contract to "Subject" and, under the Extended Contract, add Email Address, Name, and UserID, as shown in the image below.

Create an IdP Connection that uses the SP Adapter created above. The link is made in the IdP Connection's Target Session Mapping → Adapter Instance Name entry.
The Sign-On Service URL configured in SureMDM will use this IdP Connection.

SureMDM console configuration

  1. Log in to the SureMDM Console.
  2. Navigate to Settings → Account Settings.
  3. Select Device Enrollment Rules.
  4. Select OpenToken authentication as the Device Authentication Type.
  5. For Sign-On Service URL, provide the URL in the below format
    https://pingfs.demo.42gears.com:9031/sp/startSSO.ping?PartnerIdpId=https://fs.demo.42gears.com/adfs/services/trust

    Replace pingfs.demo.42gears.com:9031 with the host (and port) of your PingFederate server.

    Replace https://fs.demo.42gears.com/adfs/services/trust with the entity ID of the IdP Connection to which PingFederate delegates authentication.

    Note: SureMDM automatically appends the endpoint to which the SAML assertion should be posted, using the "TargetResource" parameter. Do not add TargetResource to the URL yourself.

  6. The Logout Service URL is not currently used, but the field is mandatory, so enter any placeholder value (for example, XYZ).
  7. For Agent Configuration, paste the contents of the SP Adapter's agent configuration file exported from the PingFederate server. Treat this text as a credential: the password entry is the adapter's shared secret, stored obfuscated rather than encrypted, and anyone holding it can produce tokens the adapter will accept.
    For example:

    use-verbose-error-messages=false
    http-only=true
    cookie-path=/
    token-renewuntil=43200
    token-notbefore-tolerance=0
    password=T5pgQt39sSp5g3yclV1eIw==
    token-name=opentoken
    use-cookie=false
    cipher-suite=2
    use-sunjce=false
    token-lifetime=300
    obfuscate-password=true
    track-authntime=true
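The following script is an added example and is not 42Gears or Ping Identity code. It parses the agent configuration text from step 7, checks it against the adapter settings chosen in the PingFederate console (Transport Mode: Form POST, Cipher Suite: AES-128/CBC), and builds and validates the Sign-On Service URL from step 5, including what the URL looks like once SureMDM has appended TargetResource. The cipher-suite number-to-name mapping is taken from the OpenToken specification and is an assumption to verify against your adapter instance; the sample configuration is the one shown on this page, embedded here as constructed input.

```python
"""Sanity checks for the SureMDM <-> PingFederate OpenToken settings.

Added example, not vendor code. Checks the pasted agent configuration for
consistency with the adapter settings described in the article and builds
the Sign-On Service URL in the article's format.
"""
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Cipher-suite numbering from the OpenToken specification (assumption:
# confirm against the adapter instance in the PingFederate admin console).
OPENTOKEN_CIPHER_SUITES = {
    0: "Null",
    1: "AES-256/CBC",
    2: "AES-128/CBC",
    3: "3DES-168/CBC",
}

# Constructed sample: the agent configuration shown in the article, one
# key=value per line. The "password" value is the adapter's shared secret,
# so a real file must be handled as a credential.
SAMPLE_AGENT_CONFIG = """\
use-verbose-error-messages=false
http-only=true
cookie-path=/
token-renewuntil=43200
token-notbefore-tolerance=0
password=T5pgQt39sSp5g3yclV1eIw==
token-name=opentoken
use-cookie=false
cipher-suite=2
use-sunjce=false
token-lifetime=300
obfuscate-password=true
track-authntime=true
"""


def parse_agent_config(text: str) -> Dict[str, str]:
    """Parse key=value entries; accepts one-per-line or space-separated form."""
    config: Dict[str, str] = {}
    for entry in text.split():
        if "=" not in entry:
            raise ValueError(f"malformed agent-config entry: {entry!r}")
        key, _, value = entry.partition("=")  # split on the first '=' only
        config[key.strip()] = value.strip()
    return config


def check_agent_config(config: Dict[str, str], expected_suite: str = "AES-128/CBC") -> List[str]:
    """Return findings; an empty list means the config matches the article's settings."""
    findings: List[str] = []
    suite = OPENTOKEN_CIPHER_SUITES.get(int(config.get("cipher-suite", "-1")), "unknown")
    if suite != expected_suite:
        findings.append(f"cipher-suite={config.get('cipher-suite')} is {suite}, expected {expected_suite}")
    if suite == "Null":
        findings.append("Null cipher suite: token payload is not encrypted")
    if not config.get("password"):
        findings.append("password (shared secret) missing: tokens cannot be validated")
    if config.get("obfuscate-password", "false").lower() != "true":
        findings.append("obfuscate-password=false: shared secret stored in clear text")
    # The article's Form POST export has use-cookie=false; a cookie transport
    # would not match the Transport Mode chosen in the console.
    if config.get("use-cookie", "false").lower() != "false":
        findings.append("use-cookie=true does not match Transport Mode: Form POST")
    if int(config.get("token-lifetime", "0")) <= 0:
        findings.append("token-lifetime must be a positive number of seconds")
    return findings


def build_sign_on_url(pingfed_host: str, partner_idp_id: str,
                      target_resource: Optional[str] = None) -> str:
    """Assemble the Sign-On Service URL in the article's format.

    SureMDM appends TargetResource itself; passing it here only shows the
    final shape of the URL the device is redirected to. Parameters are
    percent-encoded, which PingFederate decodes to the same values as the
    unencoded form shown in the article.
    """
    params = {"PartnerIdpId": partner_idp_id}
    if target_resource is not None:
        params["TargetResource"] = target_resource
    return f"https://{pingfed_host}/sp/startSSO.ping?{urlencode(params)}"


def validate_sign_on_url(url: str) -> List[str]:
    """Check a Sign-On Service URL as it should be entered in SureMDM."""
    findings: List[str] = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("Sign-On Service URL must use https")
    if parts.path != "/sp/startSSO.ping":
        findings.append("path should be /sp/startSSO.ping")
    query = parse_qs(parts.query)
    if "PartnerIdpId" not in query:
        findings.append("PartnerIdpId missing")
    if "TargetResource" in query:
        findings.append("TargetResource present: SureMDM appends it automatically, leave it out")
    return findings


if __name__ == "__main__":
    cfg = parse_agent_config(SAMPLE_AGENT_CONFIG)
    print("agent config findings:", check_agent_config(cfg) or "none")
    url = build_sign_on_url("pingfs.demo.42gears.com:9031",
                            "https://fs.demo.42gears.com/adfs/services/trust")
    print("sign-on URL:", url, "findings:", validate_sign_on_url(url) or "none")
```

Run it against the real exported file and the URL you intend to enter; a non-empty findings list points at the setting that disagrees with the console configuration described above.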
