Incoming SAML 2.0 Single Sign-On With Ping Identity

Introduction

The main purpose of establishing a Single Sign-On (SSO) process with Absorb is to allow your users a single point of entry into your system while providing them access to multiple other independent systems. With this process a user logs in with a single ID to gain access to a multitude of other systems without being prompted for different usernames and passwords.

This article discusses configuration of SSO using Ping Identity. For the purposes of this article, the Absorb system will act as the Service Provider (SP) and your Ping Identity account will act as the Identity Provider (IdP).

Please note that SSO is an additional feature that usually involves an additional fee and technical resources on the client side to develop and/or configure the solution.

Disclaimer: Absorb LMS supports Incoming SAML 2.0 Single Sign-On as a feature, however we do not officially support any specific client-side (IdP) solution. Although Ping Identity is known to generally work with our implementation of SAML SSO, it is the client's responsibility to configure/develop and maintain their side of the integration. This will require a client resource who is knowledgeable and familiar with your Ping Identity instance. This guide is provided to our clients as a convenience only, based on our experience working with clients who employ Ping Identity. 

 


Instructions: Ping Identity Setup 

Note that these instructions cover PingOne, Ping Identity's cloud identity-as-a-service (IDaaS) solution.

Note: To enlarge thumbnail images, right-click on picture and select "Open image in new tab".

Step Action Image 
1. Select the Applications tab. PING_SSO_01.png
2.  Select Add Application > New SAML Application.  PING_SSO_02.png
3.  Fill in the application name, description, category, and optionally, add an icon, then click Continue to Next Step.  PING_SSO_03.png
4. Download the SAML metadata from Ping One using the Download link provided. Save it for use in a later step.  PING_SSO_04.png
5. Fill in the Assertion Consumer Service (ACS) URL with your Absorb ACS URL (generally speaking, this URL follows the format of https://company.myabsorb.com/api/rest/v2/authentication/saml).  PING_SSO_05.png
6.  Fill in the Entity ID with the Absorb URL you wish to use for SSO (e.g. https://company.myabsorb.com or your custom domain name)  PING_SSO_06.png
7.  Click Continue to Next Step.  
8.  Click Add new Attribute
  • Application Attribute: subject
  • Identity Bridge Attribute or Literal Value: The user profile field that Absorb should match (e.g. Email). This is what Absorb will check to determine if a user exists in the LMS.
  • As Literal: Unchecked
  • Required: Checked
 PING_SSO_07-1.png
9.  You can map other attributes for account provisioning (also known as just-in-time provisioning), however this is outside the scope of this guide. Click Continue to Next Step.
 
An example provisioning setup is shown here, however for full details, see our SSO Account Provisioning article at https://support.absorblms.com/hc/en-us/articles/360014083294-Incoming-SAML-2-0-SSO-Account-Provisioning
 PING_SSO_07-2.png
  (If applicable) Click Add for the user groups in your Ping One directory who should have access to Absorb via SSO, then click Continue to Next Step.  PING_SSO_08.png
10. Make note of the Initiate Single Sign-On (SSO) URL. You will need this in a later step. PING_SSO_09.png
11. Download the Signing Certificate. You will need this in a later step. PING_SSO_10.png
12. Click Finish.  

 

Instructions: Absorb LMS Setup 

Note: To enlarge thumbnail images, right-click on picture and select "Open image in new tab".

Step Action Image 
1. Log in to the Absorb admin portal as a System Admin and navigate to Portal Settings. From Portal Settings, there is a button in the right-side menu labelled Manage SSO Settings. If you can't see this button, please contact your Absorb Client Success Manager to discuss enabling the feature. PING_SSO_ABSORB_01.png
2. Click Add at the bottom of the page.  
3. Name the connection something descriptive. This name is only visible to admins.  
4. Leave the Method as SAML  
5. The Key field should contain the contents of the Signing Certificate you downloaded above with the following modifications:
  • Open the file in a text editor (e.g. Notepad)
  • Remove the "---BEGIN CERTIFICATE---" line
  • Remove the "---END CERTIFICATE---" line
  • Remove all line breaks (you should be left with a single line of encoded text).
  • Copy this information into the Key field in Absorb.
 
6. Set the Id Property to the user profile field in Absorb that your Ping One subject should match (e.g. if you used "Email" in Ping One, you should set this to "Email Address").  
7. The Signature Type will be Sha1  
8. Set the Login URL to the Initiate Single Sign-On (SSO) URL you saved above.  
9. Set Automatically Redirect as desired.
  • If enabled, unauthenticated users will be redirected to the Ping One login screen as soon as they land on your Absorb URL.
  • If disabled, unauthenticated users will see your public dashboard.
 
10. Assign which routes in your portal you would like to associate with this SSO configuration.  
11. Save your configuration. PING_SSO_ABSORB_02.png
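
Added example (not Absorb's or Ping Identity's own code): a Python version of the Key field preparation in step 5 above. It strips the BEGIN/END CERTIFICATE lines and every line break, then confirms the result still decodes to exactly one complete certificate, so a truncated or doubled paste is caught before it is saved. The function name pem_to_key_field and the sample input are constructed for illustration; the sample is filler bytes under a DER header, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed stand-in for the downloaded signing certificate: a DER SEQUENCE
# header (0x30 0x82 + 2-byte length) over filler bytes. Not a real certificate.
SAMPLE_BODY = bytes(range(256)) + bytes(10)
SAMPLE_DER = b"\x30\x82" + len(SAMPLE_BODY).to_bytes(2, "big") + SAMPLE_BODY
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
# PEM text as a Windows editor would save it: 64-character lines, CRLF endings.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\r\n"
              + "\r\n".join(SAMPLE_B64[i:i + 64]
                            for i in range(0, len(SAMPLE_B64), 64))
              + "\r\n-----END CERTIFICATE-----\r\n")

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_key_field(pem_text):
    """Return (single_line_base64, sha256_fingerprint) for one PEM certificate."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    # Drop every line break, space and tab left over from the file.
    one_line = "".join(blocks[0].split())
    try:
        der = base64.b64decode(one_line, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("certificate body is not valid base64") from exc
    # Assumption: the certificate is 256..65535 bytes, so its outer DER
    # SEQUENCE uses a 2-byte length. A mismatch means the text was truncated.
    if der[:2] != b"\x30\x82" or int.from_bytes(der[2:4], "big") != len(der) - 4:
        raise ValueError("decoded data is not a complete DER certificate")
    digest = hashlib.sha256(der).hexdigest().upper()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return one_line, fingerprint


if __name__ == "__main__":
    key, fp = pem_to_key_field(SAMPLE_PEM)
    print(key)                         # value to paste into the Key field
    print("SHA-256 fingerprint:", fp)  # compare with a certificate viewer
```

The fingerprint is computed over the decoded certificate bytes, so it can be compared with the fingerprint a certificate viewer reports for the downloaded file to confirm that the pasted value is the same certificate.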

 
