Configuration Guides

Configuring SAML SSO with Asana and PingOne

Learn how to enable Asana sign-on from the PingOne console (IdP-initiated sign-on) and direct Asana sign-on using PingOne (SP-initiated sign-on).

Before you begin

  • Link PingOne to an identity repository containing the users requiring application access.

  • Populate Asana with at least one user to test access.

  • You must have administrative access to PingOne and a Super Admin account for an Enterprise Organization on Asana.

Steps

  1. Add the Asana application to PingOne:

    1. Sign on to PingOne and go to Connections → Applications.

    2. To add a new application, click the + icon next to the Applications heading.

      Screen capture of PingOne Applications section.
    3. When prompted to select an application type, select WEB APP, then click Configure next to SAML for the chosen connection type.

    4. Enter Asana as the application name.

    5. Enter a suitable description.

    6. Upload an icon if desired.

    7. Click Next.

    8. For Provide App Metadata, select Manually Enter.

    9. In the ACS URLS field, enter https://app/asana.com/-/saml/consume.

    10. Select the Signing Key to use and then click Download Signing Certificate to download the certificate as X509 PEM (.crt).

    11. In the Entity ID field, enter https://app.asana.com.

    12. Leave SLO Endpoint and SLO Response Endpoint blank. Asana does not support single logout (SLO).

    13. Enter a suitable value for Assertion Validity Duration (in seconds). A value of 300 seconds is typical.

    14. Click Save and Continue.

    15. Because Asana expects an email address to identify a user in the SSO security assertion:

      Choose from:

      • If you use email address to sign on through PingOne, click Save and Close.

      • If you sign on with a username, select Email Address in the PingOne User Attribute list to map that to the SAML_SUBJECT, then click Save and Close.

    16. Enable user access to this new application by moving the toggle to the right.

    17. On the Configuration tab of the newly-created Asana application, copy and save the Issuer ID and Initiate Single Sign-On URL.

      You will need these when configuring SAML on Asana.

      Screen capture of PingOne SAML Connection Details section with Issuer ID and Initiate SSO URL highlighted in yellow.
  2. Add PingOne as an identity provider (IdP) to Asana:

    1. Sign on to Asana with a Super Admin account for your Enterprise Organization.

    2. Click your profile photo and select Admin Console in the menu.

    3. Go to the Security tab.

    4. Go to the SAML authentication tab.

    5. In SAML options, click Optional.

      This is the recommended value when testing. You can change it later to Required for all members, except guest accounts.

    6. Paste the Initiate Single Sign-On URL value that you saved earlier into the Sign-in page URL field.

    7. Open the .crt file that you downloaded in a text editor and copy and paste the entire contents into the X.509 certificate field.

    8. Click Save configuration.

  3. Test the PingOne IdP integration:

    1. Go to your PingOne Application Portal and sign on with a user account.

      You can find the PingOne Application Portal URL in the admin console at Dashboard → Environment Properties.

    2. Click the Asana icon.

      Result:

      You’re redirected to the Asana website and signed on with SSO.

  4. Test the PingOne service provider (SP) integration:

    1. Go to https://app.asana.com/, choose the option to sign on with SSO, and enter your email address only.

      Result:

      You’re redirected and presented with a PingOne sign on prompt.

    2. Enter your PingOne username and password.

      Screen capture of PingOne sign on page.

      Result:

      After successful authentication, you’re redirected back to Asana and signed on.