
Tutorial: How to Configure SAML with PingOne SSO

Abstract

This is a step-by-step guide for configuring SAML on Access Server with PingOne SSO.

Overview

Access Server 2.11 and newer supports authentication using SAML with PingOne as the identity provider. You can configure this in PingOne with Access Server as your service provider.

The following steps walk you through enabling SAML authentication for users and groups from PingOne to Access Server.

You need the following to get started:

Important

We recommend using all lowercase usernames when signing in with SAML.

With PingOne, you must create a custom SAML application.

Now that you have your SP information, you can create a new PingOne SAML app and enter that information during app creation:

  1. Sign in to your PingOne admin portal.

  2. Under Applications, click Applications.

  3. Click + to add a new SSO app.

  4. Provide a name under Application Name.

  5. Click SAML Application under Application Type.

  6. Click Configure.

  7. Under SAML Configuration, click Manually Enter.

  8. Use the SP information from Access Server to enter the following into the PingOne app:

    1. ACS URLs: Enter the Access Server SP ACS.

    2. Entity ID: Enter the Access Server SP Identity.

  9. Click Save.

  10. Under Attribute Mappings, click the Pencil icon.

  11. Under PingOne Mappings, select Email Address.

  12. Click Save.

  13. Enable the PingOne SAML App by clicking on the Toggle next to the SAML App.

The simplest way to set up PingOne SAML for Access Server is by providing metadata to Access Server. You can download a metadata XML file or copy over the data for a manual configuration.

Option 1: Download the PingOne metadata file for automatic configuration

  1. With your new app, click the Configuration tab.

  2. Under Connection Details, click Download Metadata.

Option 2: Copy the PingOne SAML data for manual configuration

  1. With your new app, click the Configuration tab.

  2. Copy the contents of Issuer ID and Single Signon Service, then click Download Signing Certificate to download the certificate in PEM format (.crt file).

If you downloaded the metadata file, follow option one to provide it to your Access Server through the Admin Web UI and configure SAML automatically.

If you copied the SAML data, follow the steps in option two to paste it into the SAML page for Access Server.

Option 1: Upload the PingOne metadata file in the Admin Web UI.

Provide the downloaded metadata XML file to your Access Server through the Admin Web UI to automatically configure SAML:

  1. Sign in to your Access Server Admin Web UI.

  2. Click Authentication > SAML.

  3. Click Configure Identity Provider (IdP) Automatically via Metadata to expand the section.

  4. In the field Select IdP Metadata, click Choose File to upload the XML file you downloaded from PingOne, then click Upload and Update Running Server.

    • The IdP fields are now populated under Configure Identity Provider (IdP) Manually.

Option 2: Manually configure PingOne SAML

  1. Sign in to your Access Server Admin Web UI.

  2. Click Authentication > SAML.

  3. Click Configure Identity Provider (IdP) Manually to expand the section.

  4. Paste the following from PingOne into the Access Server fields:

    • Access Server Sign On Endpoint: PingOne Single Signon Service.

    • Access Server IdP EntityID: PingOne's Issuer ID.

    • Access Server Certificate (PEM format): PingOne's certificate.crt.