Forcing Ping Identity to Adopt WIF metadata from IDPs

It's been a pain making our otherwise excellent Ping Federate servers (a version from a few years ago) talk to modern ws-fedp IDPs built using Microsoft's developer-focussed WIF toolkits. There was always “SOMETHING” that didn’t work.

Well, now that we understand how to make a passive STS from WIF (i) emit a Feb 2005-serialized response, (ii) include an authentication statement, and (iii) be signed with RSA/SHA1, we know from last week's report that a WIF IDP built in 10m with Visual Studio can now talk to Ping Federate's ws-fedp SP.

But Ping Federate is a pain to set up, as it does not support importing the metadata emitted by such IDPs!

So we decided to play the game back. Our IDP now dynamically emits its true role descriptor and also a second role descriptor intended for consumption by Ping Federate (pretending to consume a SAML2 IDP in its excellent metadata-driven console).

Remember, we are just issuing something that Ping Federate can import (so there are no typing errors). So we take our ws-fedp descriptor and re-export it as a SAML2 IDP descriptor:
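
The re-export step, sketched as an added example in Python (not the author's IDP code, which the post does not show): it copies the entity ID, signing key and passive endpoint of a ws-fedp `SecurityTokenServiceType` role descriptor into a SAML2 `IDPSSODescriptor`. The function name, the sample metadata, the https check and the placeholder binding are assumptions.

```python
import copy
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
FED = "http://docs.oasis-open.org/wsfed/federation/200706"
WSA = "http://www.w3.org/2005/08/addressing"
DS = "http://www.w3.org/2000/09/xmldsig#"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
# Assumption: placeholder binding; the post overwrites protocol and binding by hand later.
PLACEHOLDER_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed sample of ws-fedp metadata (entity ID, endpoint and certificate are made up).
SAMPLE_WSFED = f"""<EntityDescriptor xmlns="{MD}" xmlns:fed="{FED}" xmlns:xsi="{XSI}"
    entityID="https://idp.example.test/">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="{FED}">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data>
      <X509Certificate>MIIB-CONSTRUCTED-PLACEHOLDER</X509Certificate>
    </X509Data></KeyInfo></KeyDescriptor>
    <fed:PassiveRequestorEndpoint><EndpointReference xmlns="{WSA}">
      <Address>https://idp.example.test/sts/passive</Address>
    </EndpointReference></fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""

def wsfed_to_saml2_idp(wsfed_xml: str) -> str:
    """Re-express a ws-fedp STS role descriptor as a SAML2 IDPSSODescriptor."""
    src = ET.fromstring(wsfed_xml)
    # xsi:type is a QName; compare the local name so the prefix choice does not matter.
    sts = [r for r in src.findall(f"{{{MD}}}RoleDescriptor")
           if r.get(f"{{{XSI}}}type", "").split(":")[-1] == "SecurityTokenServiceType"]
    if len(sts) != 1:
        raise ValueError("expected exactly one SecurityTokenServiceType role descriptor")
    address = (sts[0].findtext(
        f"{{{FED}}}PassiveRequestorEndpoint/{{{WSA}}}EndpointReference/{{{WSA}}}Address") or "").strip()
    keys = [k for k in sts[0].findall(f"{{{MD}}}KeyDescriptor") if k.get("use", "signing") == "signing"]
    # Added check: refuse to export without a signing key or with a non-TLS endpoint.
    if not keys or not address.lower().startswith("https://"):
        raise ValueError("need a signing key and an https passive endpoint")
    out = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": src.get("entityID", "")})
    idp = ET.SubElement(out, f"{{{MD}}}IDPSSODescriptor",
                        {"protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol"})
    idp.extend([copy.deepcopy(k) for k in keys])  # same signing certificate, unchanged
    ET.SubElement(idp, f"{{{MD}}}SingleSignOnService",
                  {"Binding": PLACEHOLDER_BINDING, "Location": address})
    return ET.tostring(out, encoding="unicode")

if __name__ == "__main__":
    print(wsfed_to_saml2_idp(SAMPLE_WSFED))
```

Because the signing certificate is copied unchanged, the connection Ping Federate imports trusts the same key the ws-fedp IDP signs with.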


Then we use Ping Federate to import a SAML2 IDP, as normal. Then, once it is saved and ready, we change it to be a ws-fedp connection simply by editing (while the server is offline) the sourceid.saml2-metadata file. We give it the desired protocol and binding values:


So we get around a vendor’s biases (implicit or intended) against WIF IDPs – with only minimal fuss.


About home_pw

Computer Programmer who often does network administration with focus on security servers. Sometimes plays at slot machine programming.