Tutorial: How to Configure SAML with PingOne SSO
This is a step-by-step guide for configuring SAML on Access Server with PingOne SSO.
Overview
Access Server supports authentication using SAML with PingOne as the identity provider. You can configure this in PingOne with Access Server as your service provider.
The following steps walk you through enabling SAML authentication for users and groups from PingOne to Access Server.
You need the following to get started:
A deployed Access Server.
Important
We recommend using all lowercase usernames when signing in with SAML.
With PingOne, you must create a custom SAML application.
Once you have your Access Server SP information (the SP ACS URL and SP Identity), you can create a new PingOne SAML app and enter that information during app creation:
Sign in to your PingOne admin portal.
Under Applications, click Applications.
Click + to add a new SSO app.
Provide a name under Application Name.
Click SAML Application under Application Type.
Click Configure.
Under SAML Configuration, click Manually Enter.
Use the SP information from Access Server to enter the following into the PingOne app:
ACS URLs: Enter the Access Server SP ACS.
Entity ID: Enter the Access Server SP Identity.
Click Save.
Under Attribute Mappings, click the Pencil icon.
Under PingOne Mappings, select Email Address.
Click Save.
Enable the PingOne SAML app by clicking the toggle next to it.
The simplest way to set up PingOne SAML for Access Server is to provide the metadata to Access Server. You can download a metadata XML file or copy over the data for a manual configuration.
Option 1: Download the PingOne metadata file for automatic configuration
With your new app, click the Configuration tab.
Under Connection Details, click Download Metadata.
Option 2: Copy the PingOne SAML data for manual configuration
With your new app, click the Configuration tab.
Copy the contents of Issuer ID and Single Signon Service, and click Download Signing Certificate to download the certificate in PEM format (.crt file).
If you downloaded the metadata file, provide it to your Access Server through the Admin Web UI to configure SAML automatically by following option 1.
If you copied the SAML data, follow the steps in option 2 to paste it into the SAML tab in your Access Server Admin Web UI.
Option 1: Upload the PingOne metadata file in the Admin Web UI
Provide the downloaded metadata XML file to your Access Server through the Admin Web UI to automatically configure SAML:
Sign in to the Admin Web UI.
Click Authentication.
Click the SAML tab.
Set Enable SAML authentication to Enabled.
Under Configure Identity Provider (IdP), click Configure using metadata URL/file.
The Configure using metadata modal displays.
Click the Click to upload button to select your XML file, or drag and drop it into the modal window.
The Identity Provider data populates the corresponding fields.
Click Save and Restart.
Option 2: Manually configure PingOne SAML
Sign in to the Admin Web UI.
Click Authentication.
Click the SAML tab.
Set Enable SAML authentication to Enabled.
Under Configure Identity Provider (IdP), manually enter the PingOne configuration data into the appropriate fields:
Paste the PingOne Issuer ID into Access Server’s IdP Entity ID.
Paste the PingOne Single Signon Service into Access Server’s SSO (Single Sign-On) Endpoint.
Paste the contents of the downloaded PingOne signing certificate (.crt, PEM format) into Access Server’s Certificate (PEM format).
Click Save and Restart.
You can now enable SAML as the global default authentication or for specific groups and users.
You can automate group assignments for access control rules using a post-authentication Python script.
Refer to the steps in this tutorial: