PingOne for Enterprise

Configuring the dock when using an identity bridge

For most identity repositories, you can configure the following dock options.

About this task

  • Configure the format of the URL used to access the dock.

  • Give your users the option to add personal apps to the dock.

If you’re using PingOne for Enterprise Directory, the configuration options differ slightly. See Configure the dock when using PingOne for Enterprise Directory.

If you’re currently using the legacy PingOne for Enterprise dock, you can configure and customize the new dock and then preview your changes using the displayed Upgraded Ping Dock URL before upgrading to the new dock. Your users can continue to work in the legacy dock until you upgrade.

Steps

  1. Go to Setup → Dock → Configuration.

  2. Edit one or more of the following settings.

    Option Description

    Company ID

    The unique identifier for your company.

    This string becomes part of your dock URL.

    Identity Bridge Logout URL

    The location to which you will send users when they sign out of PingOne for Enterprise.

    Specify this URL if you don’t want to use the default SAML single logout (SLO) protocol.

    Maximum Session Lifetime

    In the Maximum Session Lifetime list, select the maximum duration of a user session before the user is automatically signed out.

    The minimum duration is 15 minutes. The default is 2 hours. The maximum is 12 hours.

    SLO Flow

    If you click Redirect, PingOne for Enterprise responds to SLO requests by visiting each application’s SLO endpoint and then returning to the sign-on page.

    If you click Single page, PingOne for Enterprise responds to SLO requests by sending requests from its own page using an iframe.

    Single page SLO flow requires third-party cookies to be enabled in the user’s browser, and session cookies in Chrome must use SameSite=None. Redirect flow works regardless of cookie settings.

    Redirect flow halts if an application fails to return control to PingOne for Enterprise. Single page flow continues even if errors occur at the application.

    OpenID Connect (OIDC) applications always follow single page flow even if Redirect is enabled. To support SLO for OIDC applications, user browsers must allow third-party cookies, and Chrome cookies must use SameSite=None.

    Session Idle Timeout

    In the Session Idle Timeout list, select the maximum duration of a user’s idle time before the user is automatically signed out.

    The maximum duration is 12 hours. The idle timeout duration cannot exceed the maximum session lifetime.

    Enable Basic SSO

    Enable this option if you want to use basic single sign-on (SSO), a password vaulting capability for PingOne for Enterprise.

    See Basic SSO (password vaulting) for more information.

    Add Basic SSO Applications

    Select this to enable users to add basic SSO applications to their dock.

    Applications that users install appear on the dock in the personal category.

    User Support Message

    Enter text that shows when a user clicks the Need Help? link in the PingOne for Enterprise dock.

    Upgrade Dock

    If you are currently using the legacy dock, you can preview your changes in the dock preview until you upgrade.

    To upgrade to the new dock, click Upgrade Dock. When upgraded, this option and the dock preview are no longer available.

  3. In the Attribute Mapping section, map the identity bridge attributes to the supported dock attributes.

    Generally, the default attribute mapping is sufficient. However, you can change the mapping as needed for the following attributes.

    Option Description

    SAML_Subject

    Maps to the attribute representing the unique identifier, username, or user subject in the identity repository.

    memberOf

    Maps to the attribute that represents the group membership information for users in the identity repository.

    This is a special attribute representing the group membership information for users using SSO through the PingOne for Enterprise dock. Group membership information is applied on the User Groups page to authorize user access to software as a service (SaaS) applications.

    fname

    Maps to the attribute representing the first name of users in the identity repository.

    lname

    Maps to the attribute representing the last name of the users in the identity repository.

    email

    Maps to the attribute representing the email address for users in the identity repository.

    phoneNumber

    Maps to the attribute representing the phone number for users in the identity repository.

    secondaryEmail

    Maps to the attribute representing the user’s secondary email in the identity repository.

    voiceNumber

    Optional attribute allowing you to specify a second number specifically for PingID voice one-time passcodes (OTPs).

    For more information, see SMS and voice authorization.

    1. Optional: For each attribute, click Advanced to customize the selected attribute.

      Customizing is useful if the attribute used by your identity bridge doesn’t match the corresponding attribute used by an application. Advanced attribute mapping lets you:

      • Apply a transformation function to alter the identity bridge attribute to match the application attribute.

      • Assign multiple identity bridge attributes to a single application attribute.

    See Creating advanced attribute mappings for more information.

  4. Click Save.

Next steps

To view the changes, refresh the dock page.
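
The cookie requirement for single page SLO described under SLO Flow, as an added example that is not part of the PingOne for Enterprise documentation: the script checks an application's `Set-Cookie` headers against Chrome's rules and reports the cookies that would not be sent when the SLO request comes from an iframe. The function names and the sample header values are constructed for illustration.

```javascript
// Added example: audits Set-Cookie headers for single page (iframe) SLO.
// Assumed Chrome behaviour: no SameSite attribute (or an unknown value) is
// treated as Lax, and SameSite=None is rejected unless Secure is also set.
// It cannot check whether the user's browser allows third-party cookies.

function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((p) => p.trim());
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: eq === -1 ? nameValue : nameValue.slice(0, eq),
    sameSite: null, // null means "not set", which Chrome enforces as Lax
    secure: false,
  };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim().toLowerCase());
    if (key === "secure") cookie.secure = true;
    if (key === "samesite" && ["strict", "lax", "none"].includes(value)) {
      cookie.sameSite = value;
    }
  }
  return cookie;
}

function sloIframeVerdict(header) {
  const c = parseSetCookie(header);
  let reason = null;
  if (c.sameSite === null) reason = "no valid SameSite attribute, treated as Lax";
  else if (c.sameSite !== "none") reason = `SameSite=${c.sameSite} is withheld in a cross-site iframe`;
  else if (!c.secure) reason = "SameSite=None without Secure is rejected";
  return { name: c.name, sentInIframe: reason === null, reason };
}

// Returns only the cookies that would break single page SLO.
function auditForSinglePageSlo(headers) {
  return headers.map(sloIframeVerdict).filter((v) => !v.sentInIframe);
}

// Constructed sample headers, not taken from any real application.
const sampleHeaders = [
  "APPSESSION=abc123; Path=/; HttpOnly; Secure; SameSite=None",
  "LEGACYSESSION=def456; Path=/; HttpOnly",
  "PORTALSESSION=ghi789; Path=/; Secure; SameSite=Lax",
  "OLDAPP=jkl012; Path=/; SameSite=None",
];

for (const v of auditForSinglePageSlo(sampleHeaders)) {
  console.log(`${v.name}: ${v.reason}`);
}
```

An application whose session cookie appears in the output needs the Redirect flow, or a cookie change to `SameSite=None; Secure`, for its session to be ended during SLO.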