PingOne

External IdPs

With PingOne, you can use the PingOne user directory or an external identity provider (IdP).

Using an external IdP allows linked users to authenticate with the credentials provided by the external IdP. Configuring an external IdP includes mapping PingOne user attributes to attributes from the IdP.

You can also use an external IdP to secure the PingOne admin console. Learn more in Administrator security.

Approaches for external IdPs

External IdPs can be used in PingOne authentication policies in several different ways:

Login

Add an external IdP as part of a login step. At the sign-on prompt, the end user can enter a username and password or choose an external IdP to authenticate with, such as Google or Facebook. Learn more in Adding a login authentication step.

Identifier First

Add an identifier-first step to an authentication policy. The end user is prompted for an identifier, such as a username. The policy can then send the end user to a particular IdP based on rules evaluation of the identifier. Learn more in Identifier first authentication.

External Identity Provider

Add an external IdP step to an authentication policy. The end user is forwarded to an external IdP based on policy and without any interaction from the user. Learn more in Adding an external identity provider sign-on step.

Encryption

A SAML IdP can use one of your PingOne encryption certificates to encrypt SAML assertions for you.

If you want the IdP to use a specific encryption certificate, you can download it in the X509 PEM (.crt) format and send it to the IdP. Learn more in Downloading a certificate.

If you want the IdP to use the default encryption certificate, your metadata already contains it. Learn more in Downloading metadata for SAML IdPs.

When PingOne receives an encrypted assertion (a SAML response with an EncryptedAssertion element), it attempts to decrypt it with each encryption certificate in your environment, starting with the default and then trying the rest of the encryption certificates in turn.

When your encryption certificate nears expiration, you can add a new one and allow both the old and new certificate to be used. This allows all your IdPs to change to the new certificate at any time without downtime. When your default encryption certificate expires, you must change the default encryption certificate for your environment. Otherwise, the SAML metadata you provide to your IdPs contains the expired certificate and is not valid for most IdPs. You can change the default encryption certificate in the PingOne admin console. Learn more in Designating default keys.

PingOne supports the following standards:

  • Encrypted assertion

  • Multiple block encryption algorithms:

    • AES-128-CBC

    • AES-256-CBC

    • AES-128-GCM

    • AES-192-GCM

    • AES-256-GCM

    • Triple DES

  • RSA-OAEP key transport algorithm
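The decryption order described above (default certificate first, then every other encryption certificate) is what makes a zero-downtime certificate rollover possible. The following Go program is an added example, not PingOne's code; it models the two halves of a SAML EncryptedAssertion (an RSA-OAEP wrapped AES-256 data key and an AES-GCM encrypted body) as a plain struct rather than XML, uses SHA-256 for OAEP, and uses hypothetical certificate labels such as "default-2023". It goes slightly beyond the text by also showing the failure case where the IdP used a certificate that is not in the environment at all.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedAssertion models a parsed SAML EncryptedAssertion: the AES data key
// wrapped with RSA-OAEP (xenc:EncryptedKey) and the assertion body encrypted with
// AES-256-GCM (xenc:CipherData). This struct is an assumption for the example;
// the real element is XML and carries algorithm identifiers and the IV itself.
type EncryptedAssertion struct {
	WrappedKey []byte // RSA-OAEP(SHA-256) encryption of the 32-byte AES key
	Nonce      []byte // 12-byte GCM IV
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
}

// EncryptionKey is one encryption certificate in the environment, reduced to its
// private key and a hypothetical label.
type EncryptionKey struct {
	Name string
	Key  *rsa.PrivateKey
}

// newKey generates a 2048-bit RSA key standing in for a PingOne certificate.
func newKey(name string) EncryptionKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return EncryptionKey{Name: name, Key: k}
}

// encryptAssertion is the IdP side: fresh AES-256 data key, AES-GCM over the
// assertion, data key wrapped with RSA-OAEP for the SP's public key (the .crt).
func encryptAssertion(pub *rsa.PublicKey, assertion []byte) (*EncryptedAssertion, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedAssertion{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, assertion, nil)}, nil
}

// decryptWithKey tries a single private key. A key that does not match the one
// the IdP used fails at the OAEP unwrap, before any AES work is done.
func decryptWithKey(priv *rsa.PrivateKey, ea *EncryptedAssertion) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ea.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ea.Nonce, ea.Ciphertext, nil)
}

// decryptAssertion is the SP side: the default certificate first, then every
// other encryption certificate in the environment. Returning the label of the
// key that worked is useful for rollover monitoring (which IdPs still use the old one).
func decryptAssertion(def EncryptionKey, others []EncryptionKey, ea *EncryptedAssertion) ([]byte, string, error) {
	for _, k := range append([]EncryptionKey{def}, others...) {
		if pt, err := decryptWithKey(k.Key, ea); err == nil {
			return pt, k.Name, nil
		}
	}
	return nil, "", errors.New("no encryption certificate in the environment could decrypt the assertion")
}

func main() {
	def := newKey("default-2023")   // current default certificate
	next := newKey("rollover-2024") // newly added, not yet the default
	assertion := []byte(`<saml:Assertion ID="_example">...</saml:Assertion>`) // constructed sample
	ea, err := encryptAssertion(&next.Key.PublicKey, assertion) // IdP already moved to the new cert
	if err != nil {
		panic(err)
	}
	pt, used, err := decryptAssertion(def, []EncryptionKey{next}, ea)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted with %q: %s\n", used, pt)
}
```

The label returned by decryptAssertion is the practical payoff: once no assertion decrypts with the old certificate for a while, it is safe to make the new one the default and retire the old one before it expires and ends up in your published metadata.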