Basic SSO (password vaulting)

Basic SSO (password vaulting) uses the PingOne for Enterprise browser extension to relay credentials to the target cloud application. User credentials are encrypted (128 bit AES) with a user-specified privacy key and are stored in PingOne for Enterprise. The privacy key is stored in the local file system and is never sent to PingOne for Enterprise. PingOne for Enterprise uses stored encrypted credentials for single sign-on (SSO) to your cloud applications. The browser extension can access the encrypted credentials only after a user is authenticated to the identity repository.

To use Basic SSO, you must first enable it on the Setup → Dock → Configurations page. For more information, see Configuring the dock when using an identity bridge or Configure the dock when using PingOne for Enterprise Directory.

If you’re using Basic SSO applications, there might be circumstances where you want to remove a prior version of the browser extension. You can remove the browser extension using the browser’s standard extension or add-on removal process.

How Basic SSO works

What we log for every Basic SSO transaction

Whenever a Basic SSO user signs on with SSO to PingOne for Enterprise, we log the information in the following table. You can see the logging details displayed on your Reports page.

Parameter Description

Parameter	Description
`(date)`	The date and time of the SSO transaction.
`CDP SUBJECT`	The user ID we send to the service provider (SP).
`SUBJECT_FROM_IDP`	The user ID returned by the identity bridge.
`IP`	The user’s IP address for this SSO transaction.
`CONNECTION_ID`	A unique ID for the connection we establish between the identity bridge and the application.
`SAAS_ID`	The ID assigned to the user application.
`SP_ACCOUNT_ID`	The PingOne for Enterprise account ID for the SP.
`SP_ACCOUNT_NAME`	The name assigned to the SP account in PingOne for Enterprise.
`TARGET_RESOURCE`	The URL used for the SSO transaction.
`AGENT`	Information about the client or agent used for SSO.
`APP_NAME`	The name of the application used for SSO.
`IDP_ID`	The identity bridge ID used by the SP to identify the identity bridge.
`IDP_ACCOUNT_ID`	The unique account ID for the identity bridge in PingOne for Enterprise.
`IDP_ACCOUNT_NAME`	The name of the identity bridge in PingOne for Enterprise.
`FIRST_NAME_FROM_IDP`	The user’s first name as assigned by the identity provider (IdP).
`LAST_NAME_FROM_IDP`	The user’s last name as assigned by the IdP.
`EMAIL_FROM_IDP`	The user’s email address as assigned by the IdP.
`STATUS`	The status of the SSO transaction.
`ERROR_CODE`	Contains the error information if an error occurs.

(date)

The date and time of the SSO transaction.

CDP SUBJECT

The user ID we send to the service provider (SP).

SUBJECT_FROM_IDP

The user ID returned by the identity bridge.

IP

The user’s IP address for this SSO transaction.

CONNECTION_ID

A unique ID for the connection we establish between the identity bridge and the application.

SAAS_ID

The ID assigned to the user application.

SP_ACCOUNT_ID

The PingOne for Enterprise account ID for the SP.

SP_ACCOUNT_NAME

The name assigned to the SP account in PingOne for Enterprise.

TARGET_RESOURCE

The URL used for the SSO transaction.

AGENT

Information about the client or agent used for SSO.

APP_NAME

The name of the application used for SSO.

IDP_ID

The identity bridge ID used by the SP to identify the identity bridge.

IDP_ACCOUNT_ID

The unique account ID for the identity bridge in PingOne for Enterprise.

IDP_ACCOUNT_NAME

The name of the identity bridge in PingOne for Enterprise.

FIRST_NAME_FROM_IDP

The user’s first name as assigned by the identity provider (IdP).

LAST_NAME_FROM_IDP

The user’s last name as assigned by the IdP.

EMAIL_FROM_IDP

The user’s email address as assigned by the IdP.

STATUS

The status of the SSO transaction.

ERROR_CODE

Contains the error information if an error occurs.