PingOne

Adding an identity provider - SAML

You can use the generic SAML configuration to add an external identity provider (IdP) that follows the SAML standard.

Steps

  1. In the PingOne admin console, go to Integrations > External IdPs and click the + icon.

  2. Click SAML.

  3. Click Next.

  4. On the Create Profile page, enter the following information:

    • Name: A unique identifier for the IdP.

    • Description (optional): A brief description of the IdP.

    • Population: A population that overrides the authentication policy’s registration population and enables just-in-time registration from the IdP.

    • Sign-on Button (optional): An image used for the sign-on button that the end user sees. Use a 300 x 42 pixel image.

    • Icon (optional): An image that represents the IdP. Use a file up to 1 MB in JPG, JPEG, GIF, or PNG format.

  5. Click Next.

  6. On the Configure PingOne Connection page, enter the following:

    • PingOne (SP) Entity ID: The entity ID for the service provider (SP), which is used as the Issuer when PingOne sends a request to the external IdP. The IdP can also use this value to ensure that requests from the SP are valid. By default, this ID is based on the value you entered for Name.

    • ACS Endpoint: Shows the Assertion Consumer Service (ACS) URL. The ACS endpoint is where the single sign-on (SSO) tokens are sent. Copy this value and enter it into the IdP configuration.

    • Signing Certificate: The certificate confirming that SAML authentication requests and single logout (SLO) messages came from PingOne as the SP. Select the appropriate certificate in the list of available RSA or EC certificates. Learn more about adding a certificate in Adding a certificate and key pair.

    • Signing Algorithm: Select the algorithm to use for signing metadata.

      If you selected an RSA signing certificate, the options are:

      • RSA_SHA256

      • RSA_SHA384

      • RSA_SHA512

      If you selected an EC signing certificate, the options are:

      • SHA256_ECDSA

      • SHA384_ECDSA

      • SHA512_ECDSA

    • Enable Signed Authentication Request: Specifies whether the SAML authentication request is signed when PingOne sends it to the IdP. A signed request lets the IdP verify that the request came from PingOne, rather than relying only on the Issuer value; the IdP must have the PingOne signing certificate (for example, from the PingOne SP metadata) to verify it. Select this option if the external IdP is included in an authentication policy used by applications that are accessed by a combination of default URLs and custom domain URLs.

  7. Click Next.

  8. On the Configure IDP Connection page, specify the details of the connection between the IdP and PingOne.

    You can enter values manually or import them from a file.

    Choose from:

    • Import Metadata: Click Select a file and then select an XML metadata file on your file system. Click Open.

      If the metadata file doesn’t specify all of the configuration values, you must enter the missing values manually.

    • Import from URL: Enter the IdP Metadata URL and then click Import. Use an HTTPS URL, because the metadata supplies the endpoints and the verification certificate that PingOne will trust.

      The URL must be a valid absolute URL.

    • Manually Enter:

      • SSO Endpoint: The SSO endpoint for the authentication request. Only authentication requests can be sent to the SSO endpoint.

      • IDP Entity ID: The IdP’s entity ID.

      • SSO Binding: The binding to use for the authentication request. Select HTTP POST or HTTP Redirect.

      • SLO Endpoint: The URL of the IdP's SLO service. PingOne redirects the browser to this location when it needs to send an SLO message to the IdP. Learn more in SAML 2.0 single logout.

      • SLO Response Endpoint: The URL of the IdP's SLO response service. Use this option if the IdP has a separate endpoint for SLO responses. If this value is blank, PingOne sends responses to the SLO endpoint.

      • SLO Binding: The SAML binding the IdP uses for SLO messages. The default is HTTP POST. Select HTTP Redirect as needed.

      • SLO Window (in hours): Specify how long PingOne can exchange logout messages with the IdP, specifically a LogoutRequest from the IdP, after the initial request. PingOne can also send a LogoutRequest to the IdP when SLO is initiated by the user from other session participants, such as an application or another IdP. This setting is per IdP. The SLO logout is separate from the user session logout that revokes all tokens. The minimum value is 1 hour, and the maximum is 24 hours. You should start with a value of 2 hours and then fine-tune as needed.

      • Verification Certificate: The IdP's signing certificate, which PingOne uses to confirm that SAML assertions came from the external IdP. Assertions signed with any other key are rejected, so when the IdP rotates its signing key, update this certificate before the old one stops being used. Select one of the following:

        • Import: Upload the appropriate certificate from your local files.

        • Add: Select a certificate in the list of available certificates. You can view certificates in Settings > Certificates and Key Pairs. Learn more in Adding a certificate and key pair.

  9. Click Next.

  10. Define how PingOne user attributes are mapped to IdP attributes. Learn more in Mapping attributes.

    • Enter the PingOne user profile attribute and the external IdP attribute. Learn more about attribute syntax in Identity provider attributes.

    • To add an attribute, click Add.

    • To use the advanced expression builder, click the Gear icon. Learn more in Using the expression builder.

    • Select the update condition, which determines how PingOne updates its user directory with values from the IdP. The options are:

      • Empty only: Update the PingOne attribute only if the existing attribute is empty.

      • Always: Always update the PingOne directory attribute.

  11. Click Save.

  12. To enable the IdP, click the toggle at the top of the details panel to the right (blue).

    You can disable the IdP by clicking the toggle to the left (gray).

Next steps