Configuring the dock when using an identity bridge
For most identity repositories, you can configure the following dock options.
About this task
- Configure the format of the URL used to access the dock.
- Give your users the option to add personal apps to the dock.

If you’re using PingOne for Enterprise Directory, the configuration options differ slightly. See Configure the dock when using PingOne for Enterprise Directory.
If you’re currently using the legacy PingOne for Enterprise dock, you can configure and customize the new dock and then preview your changes using the displayed Upgraded Ping Dock URL before upgrading to the new dock. Your users can continue to work in the legacy dock until you upgrade.
Steps
- Go to Setup → Dock → Configuration.
- Edit one or more of the following settings.

| Option | Description |
| --- | --- |
| Company ID | The unique identifier for your company. This string becomes part of your dock URL. |
| Identity Bridge Logout URL | The location to which you will send users when they sign out of PingOne for Enterprise. Specify this URL if you don’t want to use the default SAML single logout (SLO) protocol. |
| Maximum Session Lifetime | In the Maximum Session Lifetime list, select the maximum duration of a user session before the user is automatically signed out. The minimum duration is 15 minutes. The default is 2 hours. The maximum is 12 hours. |
| SLO Flow | If you click Redirect, PingOne for Enterprise responds to SLO requests by visiting each application’s SLO endpoint and then returning to the sign-on page. If you click Single page, PingOne for Enterprise responds to SLO requests by sending requests from its own page using an iframe. Single page SLO flow requires third-party cookies to be enabled in the user’s browser, and session cookies in Chrome must use `SameSite=None`. Redirect flow works regardless of cookie settings. Redirect flow halts if an application fails to return control to PingOne for Enterprise. Single page flow continues even if errors occur at the application. OpenID Connect (OIDC) applications always follow single page flow even if Redirect is enabled. To support SLO for OIDC applications, user browsers must allow third-party cookies, and Chrome cookies must use `SameSite=None`. |
| Session Idle Timeout | In the Session Idle Timeout list, select the maximum duration of a user’s idle time before the user is automatically signed out. The maximum duration is 12 hours. The idle timeout duration cannot exceed the maximum session lifetime. |
| Enable Basic SSO | Enable this option if you want to use basic single sign-on (SSO), a password vaulting capability for PingOne for Enterprise. See Basic SSO (password vaulting) for more information. |
| Add Basic SSO Applications | Select this to enable users to add basic SSO applications to their dock. Applications that users install appear on the dock in the personal category. |
| User Support Message | Enter text that shows when a user clicks the Need Help? link in the PingOne for Enterprise dock. |
| Upgrade Dock | If you are currently using the legacy dock, you can preview your changes in the dock preview until you upgrade. To upgrade to the new dock, click Upgrade Dock. When upgraded, this option and the dock preview are no longer available. |

- In the Attribute Mapping section, map the identity bridge attributes to the supported dock attributes.
Generally, the default attribute mapping is sufficient. However, you can change the mapping as needed for the following attributes.

| Option | Description |
| --- | --- |
| SAML_Subject | Maps to the attribute representing the unique identifier, username, or user subject in the identity repository. |
| memberOf | Maps to the attribute that represents the group membership information for users in the identity repository. This is a special attribute representing the group membership information for users using SSO through the PingOne for Enterprise dock. Group membership information is applied on the User Groups page to authorize user access to software as a service (SaaS) applications. |
| fname | Maps to the attribute representing the first name of users in the identity repository. |
| lname | Maps to the attribute representing the last name of the users in the identity repository. |
| email | Maps to the attribute representing the email address for users in the identity repository. |
| phoneNumber | Maps to the attribute representing the phone number for users in the identity repository. |
| secondaryEmail | Maps to the attribute representing the user’s secondary email in the identity repository. |
| voiceNumber | Optional attribute allowing you to specify a second number specifically for PingID voice one-time passcodes (OTPs). For more information, see SMS and voice authorization. |

- Optional: For each attribute, click Advanced to customize the selected attribute.
  Customizing is useful if the attribute used by your identity bridge doesn’t match the corresponding attribute used by an application. Advanced attribute mapping lets you:
  - Apply a transformation function to alter the identity bridge attribute to match the application attribute.
  - Assign multiple identity bridge attributes to a single application attribute.

  See Creating advanced attribute mappings for more information.
- Click Save.
Next steps
To view the changes, refresh the dock page.
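
The Single page SLO flow described above depends on application session cookies being usable from an iframe, which you can check from an application's `Set-Cookie` headers before selecting that flow. The following is an added example, not part of the Ping Identity documentation: the cookie names and header values are constructed, and the rules that Chrome treats a missing `SameSite` as `Lax` and rejects `SameSite=None` without `Secure` come from Chrome's cookie handling, not from this page.

```javascript
// Added example: check whether an application's cookies can be used by the
// Single page SLO flow, which sends requests from an iframe (cross-site context).
// All cookie names and header values are constructed samples.

// Parse one Set-Cookie header value into the fields this check needs.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), sameSite: null, secure: false };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const value = i < 0 ? '' : attr.slice(i + 1).trim().toLowerCase();
    if (key === 'samesite') cookie.sameSite = value;
    if (key === 'secure') cookie.secure = true;
  }
  return cookie;
}

// Decide whether Chrome would attach the cookie to a request made from a
// third-party iframe. Assumes third-party cookies are enabled in the browser.
function auditForIframeSlo(header) {
  const c = parseSetCookie(header);
  let problem = null;
  if (c.sameSite === null) {
    problem = 'no SameSite attribute, Chrome defaults to Lax';
  } else if (c.sameSite !== 'none') {
    problem = `SameSite=${c.sameSite} is not None`;
  } else if (!c.secure) {
    problem = 'SameSite=None without Secure is rejected by Chrome';
  }
  return { name: c.name, ok: problem === null, problem };
}

function auditResponse(setCookieHeaders) {
  return setCookieHeaders.map(auditForIframeSlo);
}

const SAMPLE_HEADERS = [
  'APPSESSION=abc123; Path=/; Secure; HttpOnly; SameSite=None',
  'LEGACYSESSION=def456; Path=/; HttpOnly',
  'PORTALSESSION=ghi789; Path=/; Secure; SameSite=Strict',
  'SSOSESSION=jkl012; Path=/; SameSite=None',
];

for (const finding of auditResponse(SAMPLE_HEADERS)) {
  console.log(finding.ok ? 'OK  ' : 'FAIL', finding.name, finding.problem ?? '');
}
```

Applications whose cookies fail this check are still signed out by the Redirect flow, which works regardless of cookie settings.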