Configure SSO to the admin portal
Grant administrative users single sign-on (SSO) access to the PingOne SSO for SaaS Apps admin portal.
About this task
To permit service-provider (SP)-initiated SSO to the admin portal, you must configure the connection between the portal and your identity provider (IdP).
Steps
-
In the admin portal, go to Setup → Admin Portal SSO → IdP Configuration.
-
Optional: Import the IdP metadata.
Choose from:
-
To upload the metadata file, click Select File.
-
To enter the metadata URL, click Or use URL.
-
-
In the Entity ID field, enter the entity ID provided by the IdP.
-
In the SSO Endpoint field, enter the endpoint at the IdP to which PingOne sends AuthnRequests.
-
On the Verification Certificate line, click Select File to browse and upload the IdP’s public signing certificate that PingOne will use to sign SAML assertions.
-
In the Single Logout Endpoint field, enter the IdP endpoint to which PingOne will send single logout (SLO) requests.
-
In the Single Logout Response Endpoint field, enter the IdP endpoint to which PingOne will send SLO responses.
-
On the Single Logout Binding Type line, click either the Redirect or Post button to determine which binding type PingOne will use to send SLO requests.
-
Select the Sign the AuthnRequest box to make PingOne sign AuthnRequests to the IdP.
-
To download the PingOne signing certificate for upload to your IdP, click Download.
-
From the Signing Algorithm list, select the algorithm PingOne will use to sign AuthnRequests to the IdP.
-
To download the PingOne metadata for upload to your IdP, click Download PingOne Metadata.
-
Click Save Settings.
-
Go to Setup → Admin Portal SSO → Group Permissions.
-
For each admin group you want to authorize to SSO, click Add Group.
If you’re using LDAP groups, this needs to be the full distinguished name (FDN) for the administrator group (
CN=admins,OU=example,…
).You can assign groups to a read-only administrative role, which grants the administrator access to the areas of the admin portal normally allowed by that role, but not the ability to change settings. -
Click Save.
Result
Your administrative users can sign on from the Initiate Single Sign-On (SSO) URL displayed at Setup → Admin Portal SSO → IdP Configuration after you complete the form.
Next steps
If you also intend to initiate SSO from your IdP, you must configure your IdP to append one of the following parameters to PingOne’s ACS URL:
-
RelayState=https://pingone.com/1.0/8bfe0aeb-79ca-4fd4-a116-c3f7c7dbe6ca
-
saasid=8bfe0aeb-79ca-4fd4-a116-c3f7c7dbe6ca