Adding an identity provider - SAML
You can use the generic SAML configuration to add an external identity provider (IdP) that follows the SAML standard.
Steps
-
Go to Integrations → External IdPs.
-
Click Add Provider.
-
Click SAML.
-
On the Create Profile page, enter the following:
-
Name: A unique identifier for the identity provider.
-
Description: (Optional). A brief characterization of the identity provider.
-
Icon: (Optional). An image to represent the identity provider. Use a file up to 1MB in JPG, JPEG, GIF, or PNG format.
-
Login button: (Optional). An image to be used for the login button that the end user will see. Use a 300 X 42 pixel image.
-
-
Click Continue.
-
On the Configure PingOne Connection page, enter the following:
-
PingOne (SP) entity ID: The entity ID for the Service Provider, which is used as the
Issuer
when PingOne sends a request to the external identity provider. The identity provider can also use this value to ensure that requests from the service provider (SP) are valid. By default, this ID is based on the value you entered for Name. -
Signing certificate: The certificate that confirms that requests, responses, and assertions actually came from the service provider. Select the appropriate certificate from the list of available RSA or EC certificates. To add a certificate, see Adding a certificate and key pair.
-
Signing algorithm: Select the algorithm to be used for signing metadata. If you selected an RSA signing certificate, the options are RSA_SHA256, RSA_SHA384, and RSA_SHA512. If you selected an EC signing certificate, the options are SHA256_ECDSA, SHA384_ECDSA, or SHA512_ECDSA.
-
Sign AuthN request: Specifies whether the SAML authentication request will be signed when sending it to the identity provider. If the external identity provider is included in an authentication policy that will be used by applications that are accessed by a combination of default URLs and custom domains URLs, you should select this option.
-
-
Click Continue.
-
On the Configure IDP Connection page, specify the details of the connection between the identity provider and PingOne.
You can enter the values manually or import them from a file.
Choose from:
-
Import metadata from an XML metadata file: Click Choose and then select an XML metadata file on your file system. Click Open.
If the metadata file does not specify all the configuration values, you must enter the missing values manually.
-
Import metadata from an IdP metadata URL: Enter the URL and then click Import.
The URL must be a valid absolute URL.
-
Manually enter the following metadata information:
-
ACS endpoint: Shows the Assertion Consumer Service URL. The ACS endpoint is where the single sign-on (SSO) tokens are sent. Copy this value and enter it into the identify provider configuration.
-
SSO endpoint: Specifies the SSO endpoint for the authentication request. Only authentication requests can be sent to the SSO endpoint.
-
IDP entity ID: Specifies the identity provider’s entity ID.
-
SSO binding: Specifies the binding to use for the authentication request. Select HTTP Post or HTTP Redirect.
-
SLO endpoint: The URL of the single logout service. PingOne redirects the browser to this location when it needs to send an SLO message to the service provider. For more information, see SAML 2.0 single logout.
-
SLO response endpoint: The URL of the single logout response service. You can use this option if you have a separate service for single logout responses. If this value is blank, PingOne sends responses to the SLO endpoint.
-
SLO binding: The SAML binding used by the application. The default is
HTTP POST
. SelectHTTP Redirect
as needed. -
SLO window (in hours): Specify how long PingOne can exchange logout messages with the identity provider, specifically a
LogoutRequest
from the identity provider, since the initial request. PingOne can also send aLogoutRequest
to the identity provider when a single logout is initiated by the user from other session participants, such as an application or another identity provider. This setting is per identity provider. The SLO logout is separate from the user session logout that revokes all tokens. The minimum value is 1 hour, and the maximum is 24 hours. We recommend starting with a value of two hours and then fine-tuning as needed.
-
-
Click Save and Continue.
-
On the Map Attributes page, define how the PingOne user attributes are mapped to identity provider attributes. For more information, see Mapping attributes.
-
Enter the PingOne user profile attribute and the external IdP attribute. For more information about attribute syntax, see Identity provider attributes.
-
To add an attribute, click Add attribute.
-
To use the expression builder, click Build and test or Advanced Expression. See Using the expression builder.
-
Select the update condition, which determines how PingOne updates its user directory with the values from the identity provider. The options are:
-
Empty only: Update the PingOne attribute only if the existing attribute is empty.
-
Always: Always update the PingOne directory attribute.
-
-
-
Click Save and Finish.
Next steps
-
Enable the external identity provider. See Enabling or disabling an identity provider.
-
Add the identity provider to your authentication policy. See Editing an authentication policy.