SSO Setup: PingOne
Overview
This article describes how to configure PingOne as your workplace's single sign-on identity provider (IdP). This process involves making modifications to your PingOne environment and your digital workplace. Once complete, users of your digital workplace will be able to sign in to it using their PingOne credentials.
To follow this process, you must be able to add applications to your PingOne environment and be a workplace administrator in your digital workplace.
Go to one of the following sections in this article:
- Configuring PingOne single sign-on
- Configuring your digital workplace's single sign-on
- Verifying that single sign-on is set up correctly
- Troubleshooting issues
- Additional resources
Configuring PingOne single sign-on
Follow these steps to configure a SAML app in your PingOne environment. This application will pass the attributes: Email Address, Given Name, and Family Name.
- Go to your PingIdentity portal and select the environment where you want the SAML app to be.
- On the main navigation, select Connections followed by Applications.
- Select Add new application.
- Configure the application as follows:
- Application Name: Enter a unique name for this application.
- Description: Enter a description of what this app is being used for.
- Icon: Upload an icon to associate with this application.
- Choose Application Type: Select SAML Application.
- Select Configure.
- When prompted to Provide Application Metadata, select Manually Enter.
- For the ACS URL and Entity ID, enter your digital workplace URL with /saml.digest appended to it (e.g., https://customercare.igloosoftware.com/saml.digest).
- Select Save.
- In the application, select Attribute Mappings.
- Select Edit and create the following mappings:
- A mapping for the NameID:
- Application Attribute: saml_subject
- PingOne: Email Address
- A mapping for First Name:
- Application Attribute: FName
- PingOne: Given Name
- A mapping for Last Name:
- Application Attribute: LName
- PingOne: Family Name
- Select Save.
- In the application, select Access.
- Select Edit followed by the Groups that you want to be able to use this application.
- Select Save.
- In the application, select Configuration.
- Select Download Signing Certificate followed by X509 PEM (.crt). A similar download option can be found by selecting the application's Overview followed by Protocol. You will need this when configuring single sign-on in your digital workplace.
- Copy the Single Signon Service URL to a safe location; you will need it when configuring single sign-on in your digital workplace.
- At the top of the application, select the toggle to enable access to the application.
Configuring your digital workplace's single sign-on
- Go to your digital workplace and sign in.
- Select Control Panel.
- Under Membership, select Sign In Settings.
- Select Configure SAML Authentication.
- Configure these General Configuration options as follows:
- Connection Name: Enter a name for this connection.
- IdP Login URL: Copy and paste the Single Signon Service URL from the PingOne set-up instructions into this field.
- IdP Logout URL: Leave this field blank; single logout (SLO) with PingOne is not supported.
- Logout Response and Request HTTP Type: Ignore this option; single logout (SLO) with PingOne is not supported.
- (Optional) Logout Final Redirect URL: Enter the URL of the location you want to send users to when they log out. If left blank, users will be redirected to your digital workplace's homepage.
- Binding Type: Select POST.
- Public Certificate: Copy and paste the X509 PEM (.crt) from the PingOne set-up instructions into this field. You will need to open the certificate file using a text editor.
- Configure these Response and Authentication Configuration options as follows:
- Identity Provider: Select Other.
- Identifier Type: Select Email.
- Identifier Path: Enter /samlp:Response/saml:Assertion/saml:Subject/saml:NameID.
- Session Index Path: Enter /samlp:Response/saml:Assertion/saml:AuthnStatement.
- Email Attribute: Enter Email.
- First Name Attribute: Enter FName.
- Last Name Attribute: Enter LName.
- Drift Time: Enter 5.
- For User creation on Sign in, select how your digital workplace handles users who attempt to sign in when they have valid PingOne credentials but are not members of the workplace. If your digital workplace uses the ILST to manage members, select Do not create new users when they sign in to avoid the creation of duplicate user accounts.
- For Sign in Settings, select how users sign in to your workplace using PingOne single sign-on. For setting up and testing the connection, it can be convenient to temporarily select Use SAML button on "Sign in" screen and then only switch to Redirect all users to IdP once you have confirmed that single sign-on is working correctly.
- Select Save.
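To show what the paths and attribute names configured above actually select in a PingOne response, here is an added example (not code from Igloo or PingOne) that resolves the Identifier Path, Session Index Path, and the Email/FName/LName attributes against a constructed, unsigned sample response and applies the Drift Time to the assertion's validity window. It assumes the drift time is expressed in minutes, and it does not verify the XML signature, which a real service provider must do before trusting any of these values.

```python
# Added example: resolve the configured SAML paths/attributes and apply the drift time.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values exactly as entered on the digital workplace's SAML Configuration page.
IDENTIFIER_PATH = "/samlp:Response/saml:Assertion/saml:Subject/saml:NameID"
SESSION_INDEX_PATH = "/samlp:Response/saml:Assertion/saml:AuthnStatement"
DRIFT_MINUTES = 5  # assumption: Drift Time is in minutes

# Constructed sample response (no Signature element; trimmed to what the config refers to).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
    <saml:AuthnStatement AuthnInstant="2024-05-01T12:00:00Z" SessionIndex="_s1"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="FName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def _utc(iso):
    # ElementTree gives raw strings; PingOne timestamps end in "Z" (UTC).
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def _find(root, configured_path):
    # The configured paths are absolute; ElementTree searches relative to the root,
    # so check the root is samlp:Response and strip that leading segment.
    prefix = "/samlp:Response/"
    if root.tag != "{%s}Response" % NS["samlp"] or not configured_path.startswith(prefix):
        raise ValueError("path must start at samlp:Response")
    return root.find(configured_path[len(prefix):], NS)

def parse_response(xml_text, now_iso):
    """Return the values the workplace would read, plus whether 'now' is inside the drift window."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    attrs = {a.get("Name"): a.find("saml:AttributeValue", NS).text
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    cond = assertion.find("saml:Conditions", NS)
    drift = timedelta(minutes=DRIFT_MINUTES)
    now = _utc(now_iso)
    time_ok = (_utc(cond.get("NotBefore")) - drift) <= now < (_utc(cond.get("NotOnOrAfter")) + drift)
    return {"identifier": _find(root, IDENTIFIER_PATH).text,
            "session_index": _find(root, SESSION_INDEX_PATH).get("SessionIndex"),
            "email": attrs.get("Email"), "first_name": attrs.get("FName"),
            "last_name": attrs.get("LName"), "time_ok": time_ok}
```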
Verifying that single sign-on is set up correctly
Before testing, ensure the following:
- Your SAML application is enabled
- The user attempting to sign in has access to the application.
- The user attempting to sign in is a member of the digital workplace.
If all of the above are true:
- Open a private browser window and go to your digital workplace.
- Depending on how you have configured SAML, you will either be redirected to PingOne or arrive at the Igloo Authentication page. In the latter case, in the upper right corner of the Sign-in box, select Use: {your connection's name} to go to PingOne.
- While on your PingOne sign-in page, enter the credentials of your test user.
If everything is configured correctly, you will be redirected back to your digital workplace and be signed in.
Troubleshooting issues
Incorrect IdP Login URL
If you see an error message after being redirected to PingOne, you may have entered an incorrect IdP Login URL on your digital workplace's SAML Configuration page. Confirm that the value you entered in this field matches the Single Signon Service URL on the application's Configuration page in your PingOne environment.
Public certificate issues
The following are issues that can occur with the public certificate:
- Invalid format: On your digital workplace's SAML Configuration page, if you click Save and the page refreshes without your changes being saved, the Public Certificate may have an invalid format.
- Expired or Mismatched: If, after signing in, you are brought back to your digital workplace's sign-in page with the message "An error has occurred. Please try again and, if that fails, contact support," the public certificate in Igloo does not match what PingOne is expecting.
To resolve these issues, confirm that the value you entered in this field matches the X509 PEM (.crt) that you downloaded from the application in your PingOne environment.
Workplace membership
Not being a member of a digital workplace can result in the following:
- If you successfully sign in to PingOne but get redirected to a page in your digital workplace that says "You do not have sufficient access to this area" and you don't have any navigation options, it's possible that the account you signed in with is not a member of the digital workplace but has been before.
- If you successfully sign in to PingOne but get redirected to a page in your digital workplace that says "The user account was not found. Please contact an administrator", it's possible that you signed in with an account that is not, and has never been, a member of the digital workplace.
In both cases, verify that the email associated with the account you are trying to sign in with is associated with an account in the workplace's member directory.
Not assigned to the application
If, after entering your PingOne credentials, you are redirected to an Igloo page with the error "An error has occurred. Please try again and, if that fails, contact support.", the account may not have access to the application in your PingOne environment. Check which groups have access to the application and whether the user is a member of one of these groups.