Incoming SAML 2.0 Single Sign-On With Ping Identity

Follow

Applies to: Pro, Plus, & Enterprise Plans

Introduction

The main purpose of establishing a Single Sign On (SSO) process with Absorb is to allow your users a single point of entry into your system while providing them access to multiple other independent systems. With this process a user logs in with a single ID to gain access to a multitude of other systems without being prompted for different usernames and passwords.

This article discusses Incoming SAML 2.0 SSO for clients using Ping Identity and presents a somewhat abridged and focused version of our full Incoming SAML 2.0 Single Sign-On article. For the purposes of this article the Absorb system will act as the Service provider (SP). Your Ping Identity instance will act as the Identity Provider (IdP). 

Please note that SSO is an additional feature that usually involves an additional fee and technical resources on the client side to develop and/or configure the solution.

Disclaimer: Absorb LMS supports Incoming SAML 2.0 Single Sign-On as a feature, however we do not officially support any specific client-side (IdP) solution. Although Ping Identity is known to generally work with our implementation of SAML SSO, it is the client's responsibility to configure/develop and maintain their side of the integration. This will require a client resource who is knowledgeable and familiar with your particular Ping Identity instance. This guide is provided to our clients as a convenience only, based on our past experience working with clients who employ Ping Identity. 

Contents:

Ping Identity Setup

Note that these instructions cover PingOne, Ping Identity's cloud identity-as-a-service (IDaaS) solution. This can also be used as a rough guide for setting up Ping Identity's installed solutions - click here for more related documentation on that.

  1. Select the 'Applications' tab.
    ApplicationsTab.PNG
  2. Select 'Add Application' -> 'New SAML Application'.
    AddSAMLApplicationDropdown.PNG
  3. Fill in the application name, description, and category.
    NameDescCategory.PNG
  4. Click 'Continue to Next Step'.
    ContinueToNextStep.PNG
  5. Download the SAML metadata using the link provided. Open the downloaded xml file with your text editor of choice. You will need to find and save the 'entityID' and save the value between the quotes. e.g. entityID="https://pingone.com/idp/company".
    You will also need to find the X509 Certificate value and save it for setup in Absorb. This can be found under the <md:KeyDescriptor use="signing"> tag.
    SamlMetadataDownload.PNG
  6. In the "Assertion Consumer Service (ACS)" field, enter the ACS url from Absorb’s metadata. e.g. https://company.myabsorb.com/account/saml replacing with company.myabsorb.com with your Portal URL.
    AssertionConsumerServiceURL.PNG
  7. In the 'Entity ID' field, fill in the route that the SSO is configured to in Absorb. This is the Issuer in the SAML request sent by Absorb and is needed when using Service Provider Initiated mode. 
    EntityID.PNG
  8. Click 'Continue to Next Step'.
    ContinueToNextStep.PNG
  9. Click 'Add new attribute' and fill in the 'Application Attribute' (see here for more attributes that can be used) and the matching 'Identity Bridge Attribute or Literal Value'.
    AddAttribute.PNG
  10. Click 'Save & Exit' or 'Save & Publish'.
    CancelBackSave.PNG
  11. You will be taken to the 'My Applications' screen automatically. Select your new application by clicking on it.
    SelectApplication.PNG
  12. Find and save the 'Initiate Single Sign-On (SSO) URL' value. You will need this for setup in Absorb.

Absorb Setup

Login to the Absorb admin portal as a System Admin and navigate to Portal Settings. From Portal Settings, there is a button in the right-side context menu labelled Manage SSO Settings. If you can't see this button, please contact your Absorb Client Success Manager to discuss enabling the feature.

Capture2.PNG

Once you have clicked the button, you will be brought to the Manage Single Sign-On Settings page. Any existing configurations will appear here, as well as the option to Add a new one. 

Click Add and fill in the fields as shown below.

  • The 'Name' representing the SSO Integration.
  • The 'Mode' can be Identity Provider Initiated or Service Provider initiated. SP initiated is sometimes preferred since deep links are a little easier to formulate.
  • The ‘Key’ field should contain the full x509 certificate (in text format).
  • The ‘Id Property‘ should match whatever value was chosen in Ping Identity - usually this is Email or Username.
  • The ‘Login URL’ should be the Login URL you copied in step 12 when using Identity Provider Initiated mode. If using Service Provider Initiated mode the link will be: https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=<idpid>
    Note: The value of <idpid> can be found in your PingOne application "Review Setup" page.
    IdpId.PNG
  • The 'Logout URL' can be whatever you like – this is the URL users will be directed to after logged out of Absorb. If you wish, you can use the following URL in the format: https://sso.connect.pingidentity.com/sso/initslo/?page=https://company.myabsorb.com
    See here for related PingIdentity documentation.
  • Set Automatically Redirect as desired.
  • The 'Assigned Routes' that this SSO Integration pertains to.

AbsorbSetup.PNG

 

References
https://ping.force.com/Support/VideoId/4892615270001

https://docs.pingidentity.com/bundle/p1_slo_cas/page/p1_p1AndSlo.html

 

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.