PingOne

Adding an identity provider - SAML

You can use the generic SAML configuration to add an external identity provider (IdP) that follows the SAML standard.

Steps

  1. In the PingOne admin console, go to Integrations > External IdPs and click the + icon.

  2. Click SAML.

  3. Click Next.

  4. On the Add External Identity Provider page, enter the following information:

    • Name: A unique identifier for the IdP.

    • Description (optional): A brief description of the IdP.

    • Population: A population that overrides the authentication policy's registration population and enables just-in-time registration, so users who sign on through this IdP are created in that population automatically.

    • Icon (optional): An image to represent the IdP. Use a file up to 1MB in JPG, JPEG, GIF, or PNG format.

    • Sign-on button (optional): An image to be used for the login button that the end user will see. Use a 300 x 42 pixel image.

  5. Click Next.

  6. On the Configure PingOne Connection page, enter the following:

    • PingOne (SP) entity ID: The entity ID for the service provider (SP). PingOne sends it as the Issuer in every request to the external IdP, and the IdP uses it to recognize requests from PingOne and as the audience of the assertions it issues. By default, this ID is based on the value you entered for Name.

    • Signing certificate: The certificate and key pair that PingOne uses to sign the messages it sends to the IdP (authentication requests and single logout requests and responses). The IdP must hold the public certificate to verify those signatures. Select the appropriate certificate from the list of available RSA or EC certificates. Learn more about adding a certificate in Adding a certificate and key pair.

    • Signing algorithm: Select the algorithm to be used for signing metadata. If you selected an RSA signing certificate, the options are RSA_SHA256, RSA_SHA384, and RSA_SHA512. If you selected an EC signing certificate, the options are SHA256_ECDSA, SHA384_ECDSA, or SHA512_ECDSA.

    • Sign AuthN request: Specifies whether the SAML authentication request will be signed when sending it to the IdP. Signing lets the IdP verify that the request came from PingOne and that its contents, such as the ACS URL, were not altered in transit. If the external IdP is included in an authentication policy that will be used by applications that are accessed by a combination of default URLs and custom domain URLs, select this option.

  7. Click Next.

  8. On the Configure IDP Connection page, specify the details of the connection between the IdP and PingOne.

    You can enter the values manually or import them from a file.

    Choose from:

    • Import metadata from an XML metadata file: Click Choose and then select an XML metadata file on your file system. Click Open.

      If the metadata file does not specify all the configuration values, you must enter the missing values manually.

    • Import metadata from an IdP metadata URL: Enter the URL and then click Import.

      The URL must be a valid absolute URL. Use an HTTPS URL so that the metadata, which includes the verification certificate, cannot be replaced in transit.

    • Manually enter the following metadata information:

    • ACS endpoint: Shows the PingOne Assertion Consumer Service (ACS) URL. After authenticating the user, the IdP sends the SAML response containing the single sign-on (SSO) assertion to this endpoint. Copy this value and enter it into the IdP configuration.

    • SSO endpoint: The IdP's single sign-on service URL, to which PingOne sends the SAML authentication request. Only authentication requests are sent to the SSO endpoint; logout messages go to the SLO endpoint.

    • IDP entity ID: Specifies the IdP’s entity ID.

    • SSO binding: Specifies the binding to use for the authentication request. Select HTTP Post or HTTP Redirect, matching a binding that the IdP's SSO endpoint supports.

    • SLO endpoint: The URL of the IdP's single logout (SLO) service. PingOne redirects the browser to this location when it needs to send an SLO message to the IdP. Learn more in SAML 2.0 single logout.

    • Verification certificate: The IdP's signing certificate, which PingOne uses to verify the signatures on the SAML responses and assertions the IdP sends. Click Import or select the appropriate certificate. The list shows the available certificates. Click Add to add more certificates, for example to accept both the current and the next certificate during an IdP key rotation. Learn more in Adding a certificate and key pair.

    • SLO response endpoint: The URL to which PingOne sends SLO responses. Use this option if the IdP has a separate endpoint for logout responses. If this value is blank, PingOne sends responses to the SLO endpoint.

    • SLO window (in hours): Specifies how long, measured from the initial request, PingOne can exchange logout messages with the IdP, in particular how long it accepts a LogoutRequest from the IdP. PingOne can also send a LogoutRequest to the IdP when SLO is initiated by the user from another session participant, such as an application or another IdP. This setting is per IdP. SLO is separate from the user session logout that revokes all tokens. The minimum value is 1 hour, and the maximum is 24 hours. Start with a value of 2 hours and then fine-tune as needed.

    • SLO binding: The SAML binding PingOne uses for logout messages to the IdP. The default is HTTP POST. Select HTTP Redirect if the IdP's SLO endpoint requires it.

  9. Click Next.

  10. Define how the PingOne user attributes are mapped to IdP attributes. Learn more in Mapping attributes.

    • Enter the PingOne user profile attribute and the external IdP attribute. Learn more about attribute syntax in Identity provider attributes.

    • To add an attribute, click Add.

    • To use the advanced expression builder, click the Gear icon. Learn more in Using the expression builder.

    • Select the update condition, which determines how PingOne updates its user directory with the values from the IdP. The options are:

      • Empty only: Update the PingOne attribute only if the existing attribute is empty.

      • Always: Always update the PingOne directory attribute.

  11. Click Save.
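To make the step 6 and step 8 settings concrete, the following is an added example in Python, not PingOne code or part of the original page. It builds the kind of unsigned AuthnRequest an SP such as PingOne sends to the IdP's SSO endpoint (Issuer set to the SP entity ID, AssertionConsumerServiceURL set to the ACS endpoint), encodes it for the HTTP Redirect and HTTP Post bindings, and shows the checks an IdP should apply to an incoming request. The entity IDs and URLs are assumptions. Signing the request (the Sign AuthN request option) is not shown: for HTTP-POST it requires an XML Signature library, and for HTTP-Redirect a signature over the query string carried in SigAlg and Signature parameters.

```python
"""Build the SAML AuthnRequest an SP sends to an IdP and show what the IdP
checks against the registered SP entity ID and ACS URL.

Added example (not PingOne code). Entity IDs and URLs are assumptions."""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Assumed values, standing in for what the Configure PingOne Connection
# and Configure IDP Connection pages show.
SP_ENTITY_ID = "https://auth.pingone.example/saml20/acme-idp"
ACS_URL = "https://auth.pingone.example/saml20/sp/acs"
IDP_SSO_URL = "https://idp.example.org/saml/sso"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id=None):
    """Return (request_id, xml_bytes) for an unsigned AuthnRequest.
    Issuer carries the SP entity ID; AssertionConsumerServiceURL tells the
    IdP where to post the response."""
    ET.register_namespace("samlp", NS_SAMLP)
    ET.register_namespace("saml", NS_SAML)
    request_id = request_id or "_" + uuid.uuid4().hex
    root = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "ProtocolBinding": BINDING_POST,
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(root, f"{{{NS_SAML}}}Issuer").text = sp_entity_id
    return request_id, ET.tostring(root, encoding="utf-8")


def encode_redirect(xml_bytes, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL query parameters.
    An unsigned redirect request carries nothing the IdP can use to detect
    tampering; signing adds SigAlg and Signature parameters over this string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw deflate, no zlib header
    deflated = comp.compress(xml_bytes) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return urlencode(params)


def decode_redirect(query_string):
    """Inverse of encode_redirect, as the IdP performs it."""
    qs = parse_qs(query_string)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15)


def encode_post(xml_bytes):
    """HTTP-POST binding: base64 of the XML in a SAMLRequest form field."""
    return base64.b64encode(xml_bytes).decode("ascii")


def decode_post(form_value):
    return base64.b64decode(form_value)


def idp_check_request(xml_bytes, registered_sp_entity_id, registered_acs_urls):
    """IdP-side checks: Issuer must be the registered SP entity ID, and any
    ACS URL named in the request must already be registered for that SP.
    Without these, a forged or altered request could steer the assertion
    to an attacker-controlled ACS."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS_SAMLP}}}AuthnRequest":
        return False, "not an AuthnRequest"
    issuer = root.findtext(f"{{{NS_SAML}}}Issuer")
    if issuer != registered_sp_entity_id:
        return False, f"unknown issuer {issuer!r}"
    acs = root.get("AssertionConsumerServiceURL")
    if acs is not None and acs not in registered_acs_urls:
        return False, f"ACS URL {acs!r} not registered for this SP"
    return True, "ok"


if __name__ == "__main__":
    rid, req = build_authn_request(SP_ENTITY_ID, ACS_URL, IDP_SSO_URL)
    print(f"{IDP_SSO_URL}?{encode_redirect(req, relay_state='/app')}")
    print(idp_check_request(decode_redirect(encode_redirect(req)), SP_ENTITY_ID, {ACS_URL}))
```

The ACS check in `idp_check_request` is why the ACS endpoint from step 8 must be copied into the IdP configuration exactly: an IdP that only honors registered ACS URLs will refuse a request (or a tampered one) that names any other destination.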
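The metadata import in step 8 reads the same values off an IdP's SAML metadata document that you would otherwise type in by hand. As an added example, not PingOne code or part of the original page, the following Python maps an md:EntityDescriptor onto the Configure IDP Connection fields (IDP entity ID, SSO endpoint and binding, SLO endpoint, binding and response endpoint, verification certificate) and reports which required fields the metadata did not supply. The metadata document is constructed for the example: the entity ID and URLs are placeholders and the certificate bytes are not a real X.509 certificate.

```python
"""Extract the Configure IDP Connection values from an IdP's SAML metadata
and report which ones the metadata did not supply.

Added example (not PingOne code). The metadata document is constructed:
the entity ID and URLs are placeholders and the certificate bytes are not
a real X.509 certificate."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
BINDINGS = {   # SAML binding URI -> label used on the PingOne form
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP Post",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP Redirect",
}
REQUIRED = ["IDP entity ID", "SSO endpoint", "SSO binding",
            "Verification certificate SHA-256"]

# Constructed sample data (placeholder certificate bytes, not a real cert).
KEY_DESCRIPTOR = """<md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBszCCAVmgAwIBAgIUc29tZXBsYWNlaG9sZGVyYnl0ZXM=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>"""

METADATA_TEMPLATE = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    {KEY_DESCRIPTOR}
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def sample_metadata(include_cert=True):
    """Constructed IdP metadata, with or without a signing KeyDescriptor."""
    kd = KEY_DESCRIPTOR if include_cert else ""
    return METADATA_TEMPLATE.replace("{KEY_DESCRIPTOR}", kd).encode()


def parse_idp_metadata(xml_bytes, prefer_binding="HTTP Redirect"):
    """Map an md:EntityDescriptor onto the Configure IDP Connection fields."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS_MD}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find(f"{{{NS_MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: SP metadata or not SAML metadata")

    def pick(tag):
        # Prefer the binding you intend to select on the form; otherwise
        # take the first binding the form supports.
        services = idp.findall(f"{{{NS_MD}}}{tag}")
        for svc in services:
            if BINDINGS.get(svc.get("Binding")) == prefer_binding:
                return svc
        for svc in services:
            if svc.get("Binding") in BINDINGS:
                return svc
        return None

    sso = pick("SingleSignOnService")
    slo = pick("SingleLogoutService")

    fingerprints = []
    for kd in idp.findall(f"{{{NS_MD}}}KeyDescriptor"):
        # A KeyDescriptor with no "use" attribute is valid for signing too.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{NS_DS}}}X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())

    return {
        "IDP entity ID": root.get("entityID"),
        "SSO endpoint": sso.get("Location") if sso is not None else None,
        "SSO binding": BINDINGS[sso.get("Binding")] if sso is not None else None,
        "SLO endpoint": slo.get("Location") if slo is not None else None,
        "SLO binding": BINDINGS[slo.get("Binding")] if slo is not None else None,
        "SLO response endpoint": slo.get("ResponseLocation") if slo is not None else None,
        "Verification certificate SHA-256": fingerprints,
    }


def missing_fields(config):
    """Fields you will have to enter by hand after an import."""
    return [name for name in REQUIRED if not config.get(name)]


if __name__ == "__main__":
    for name, value in parse_idp_metadata(sample_metadata()).items():
        print(f"{name}: {value}")
    print("missing:", missing_fields(parse_idp_metadata(sample_metadata(False))))
```

The SHA-256 fingerprint of each signing certificate is worth comparing against what the IdP administrator gives you out of band, especially when the metadata was fetched from a URL: the verification certificate is the only thing that stops a forged assertion from being accepted at the ACS endpoint, so it should not be trusted solely because it arrived inside a metadata file.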

Next steps