Use Cases

Federating PingOne and Salesforce

This configuration allows you to sign on to PingOne with a Salesforce account.

Before you begin

  • Configure a domain in Salesforce. When the domain is registered, Salesforce sends you an email.

  • Create at least one user in Salesforce.

Enabling the Salesforce identity provider

Steps

  1. Sign on to the Salesforce developer console.

  2. Go to Identity → Identity Provider and click Enable Identity Provider.

  3. Click Download Certificate.

  4. Click Download Metadata.

Creating an identity provider in PingOne

Steps

  1. Sign on to the PingOne admin console.

  2. Go to Connections → External IDPs and click Add Provider.

  3. Click SAML.

  4. On the Create IDP Profile tab, in the Name field, enter a name. Click Continue.

  5. On the Configure PingOne Connection tab, record the entity ID value from the PingOne (SP) Entity ID field, and then click Continue.

  6. On the Configure IDP Connection tab, select the Import Metadata button, and then click Choose.

  7. Select the metadata file.

  8. In the SSO Binding section, select the HTTP POST button.

  9. In the Verification Certificate section, click Choose and import the verification certificate.

  10. Click Save and Continue.

  11. On the Map Attributes tab, map any additional attributes of your choice. Click Save & Finish.

    Consider adding an email address mapping.

  12. Return to the Identity Providers list, and click the toggle to enable your IdP.

  13. Click the Pencil icon on your IdP, and then go to the IDP Configuration tab.

  14. Record the value of the ACS Endpoint field.
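Steps 6 through 9 take their values (IdP entity ID, HTTP POST SSO endpoint, verification certificate) from the metadata file downloaded from Salesforce. The following script is an added example, not part of the PingOne or Salesforce documentation, that inspects such a file before you import it and reports the values PingOne will pick up. It assumes standard SAML 2.0 metadata element names; the sample metadata, its entity ID, URLs and certificate bytes are constructed placeholders.

```python
"""Check a SAML IdP metadata file before importing it into an SP (added example).

Verifies that the file really is IdP metadata, carries an entityID, offers a
signing certificate that is well-formed base64, and exposes an HTTP-POST
SingleSignOnService over https, which is the binding selected in step 8.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of an IdP metadata download. The entity ID,
# endpoint URLs and certificate content are placeholders, not real values.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example-dev-ed.my.salesforce.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBplaceholderCERTIFICATEbytesAAAA=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-dev-ed.my.salesforce.com/idp/endpoint/HttpRedirect"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-dev-ed.my.salesforce.com/idp/endpoint/HttpPost"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_idp_metadata(xml_text):
    """Return the values the SP needs from IdP metadata, or raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute missing")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    # A KeyDescriptor with use="signing", or with no use attribute (both), can
    # verify assertion signatures; use="encryption" cannot.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())
            try:
                der = base64.b64decode(b64, validate=True)
            except binascii.Error as exc:
                raise ValueError("signing certificate is not valid base64: %s" % exc)
            if not der:
                raise ValueError("signing certificate is empty")
            certs.append(b64)
    if not certs:
        raise ValueError("no signing certificate: assertions could not be verified")

    post_urls = [
        sso.get("Location")
        for sso in idp.findall("md:SingleSignOnService", NS)
        if sso.get("Binding") == HTTP_POST
    ]
    if not post_urls:
        raise ValueError("IdP offers no HTTP-POST SingleSignOnService")
    for url in post_urls:
        if not url.startswith("https://"):
            raise ValueError("SSO endpoint is not https: %s" % url)
    return {"entity_id": entity_id, "sso_post_url": post_urls[0], "signing_certs": certs}


def metadata_problem(xml_text):
    """Return None when the metadata passes the checks, otherwise the reason."""
    try:
        inspect_idp_metadata(xml_text)
    except (ValueError, ET.ParseError) as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for key, value in inspect_idp_metadata(SAMPLE_METADATA).items():
        print(key, "=", value)
```

Run it against the downloaded file by passing the file's contents to inspect_idp_metadata; if it raises, the import in step 6 will be missing the corresponding field. The stdlib XML parser is used here because the metadata comes from your own Salesforce org; for metadata received from a third party, parse it with a hardened parser such as defusedxml instead.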

Creating a connected app in Salesforce

Steps

  1. In your Salesforce developer console, go to Apps → App Manager and click New Connected App.

  2. In the Basic Information section, complete the required fields.

  3. In the Web App Settings section, select the Enable SAML checkbox.

  4. In the Entity Id field, enter the PingOne entity ID.

  5. In the ACS URL field, enter the ACS endpoint.

  6. From the IdP Certificate list, select the certificate that is used by your Salesforce IdP.

  7. Save the connected app configuration.

Adding the IdP to the PingOne authentication policy

Steps

  1. In the PingOne admin console, go to Experiences → Authentication Policies.

  2. Click the Pencil icon to edit a policy or click Add Policy to create a new one.

  3. Select the Enable registration checkbox for the Login step.

  4. From the Population list, select a population.

  5. From the Presented Identity Providers list, select your IdP. Click Save.

    You can add your IdP to as many authentication policies as you like.

Creating a permission set in Salesforce

Steps

  1. In your Salesforce developer console, go to Users → Permission Sets. Click New.

    (Screen capture: the Permission Sets window in Salesforce, with the New button highlighted.)

  2. Complete the required fields. Click Save.

    Selecting --None-- from the license list defaults to the license of the user signing on.

  3. From the Permission Sets list, select your new permission set.

  4. From the Apps list, select Assigned Connected Apps.

  5. Click Edit and select your PingOne app, and click the arrow to move it to the Enabled Connected Apps window. Click Save.

Assigning users to the permission set

Steps

  1. From the Permission Sets list, select your new permission set.

  2. Click Manage Assignments, and then click Add Assignments.

  3. From the All Users list, select the checkboxes of the users you want to assign. Click Assign, and then click Done.

Signing on with your Salesforce IdP

Steps

Result

PingOne prompts you to create a new user.