- 10 Feb 2025
Configuring PingOne as Identity Provider
- Updated on 10 Feb 2025
PingOne is a cloud-based identity and access management (IAM) platform developed by Ping Identity. It provides solutions for managing user identities and securing access to applications and services.
This article provides a step-by-step guide to configuring PingOne as the Identity Provider for all the services you use.
Prerequisites
Please make sure you have created the SSO configuration for the service for which you want to set PingOne as the Identity Provider.
Also, make sure that the user(s) exist in the PingOne portal and in the portal of the respective service that you are trying to access.
The same user(s) must be present in Scalefusion, and the SSO configuration of the respective service must be applied to them.
Step 1: Configuring PingOne as an Identity Provider on the Scalefusion dashboard
Navigate to OneIdP > Identity Providers.
Click on the New Provider button.
Select PingIdentity and click on Next.
Provide a name to this configuration for easy identification.
Service Provider Details will be added in the PingOne Admin Console as shown in Step 2.
IdP Details will be generated on the PingOne Admin Console as shown in Step 2.
Step 2: PingOne SAML Setup in PingOne Admin Console
Log into your PingOne Admin console.
Navigate to Applications > Applications.
On this page, click on the plus button next to Applications on the top left-hand side.
Provide a name to this configuration for easy identification.
Select SAML Application under Application Type and click on the Configure button.
On the next page, select Manually Enter and add the ACS URLs and Entity ID from the Scalefusion dashboard here.
ACS URL will be the OneIdP SSO URL.
Click on Save.
On the next page, go to the Attribute Mappings tab and click the Edit icon.
Change the PingOne Mappings to Email Address and click on Save.
Next, go to the Configuration tab and click on the Edit icon.
Here change the Sign… to Sign Assertion & Response.
Scroll down a little and add the SLO Endpoint URL from the Scalefusion dashboard here.
Next, add the OneIdP SLO Response Endpoint URL from the Scalefusion dashboard to the SLO Response Endpoint field.
Click on Save.
Next, turn on the toggle button at the top.
Next, go to the Overview tab and scroll down to Connection Details.
Copy the Issuer ID URL, Single Signon Service URL, and Single Signout Service URL and save them, as these will be used on the Scalefusion dashboard.
Download the X509 PEM (.crt) by clicking on the “Signing Certificate” button, as this will be uploaded on the Scalefusion dashboard.
Step 3: Adding PingOne SAML setup details to the Scalefusion dashboard
On the Scalefusion dashboard, enter the saved URLs from Step 2 in the respective fields.
Upload the X509 certificate that you downloaded in Step 2.
Click on Save.
Step 4: Associating PingOne Identity Provider with a Directory
Navigate to OneIdP > Directory.
Click on the 3-dots under Actions for the concerned Domain.
Click on Settings.
Go to the Federated Authentication tab and toggle on the button for PingOne as an Authentication source.
You can also “Set default authentication source”.
Once a default authentication source is set, whenever you add a new user in the Scalefusion dashboard and migrate it to OneIdP, the default authenticator will be PingOne.
Click on Next and Save.
For existing users that are present in the Scalefusion dashboard, you can change the default authentication source by clicking the 3-dots under Actions > Update Authentication Source.
Select PingOne from the drop-down list for “Set Authentication Source” and click on Update Now.
User Login Flow
When the user enters their email on the service login page, they will be redirected to OneIdP. From there, OneIdP will redirect the user to the chosen identity provider (PingOne, in this case) for authentication. Once the identity provider authenticates the user, they will be granted access to the service.
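To confirm that the settings from Step 2 took effect, you can inspect a SAML response captured from your own test login. The following is an added example, not code from Scalefusion or Ping Identity: it checks that both the response and the assertion carry a signature element, that the Destination and Issuer match the saved values, and that the NameID is an email address. The function names, the sample response, and the example.test URLs are constructed placeholders, and it assumes the Email Address mapping applies to the subject NameID.

```python
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed placeholders; use the issuer and ACS URL from your own setup.
ISSUER = "https://idp.example.test/issuer"
ACS = "https://sp.example.test/acs"

def check_saml_response(xml_text, expected_issuer, expected_acs):
    """Return a list of findings; an empty list means the structure is as configured."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return ["expected exactly one Assertion, found %d" % len(assertions)]
    assertion, findings = assertions[0], []
    # "Sign Assertion & Response": a ds:Signature directly under each element.
    if root.find("ds:Signature", NS) is None:
        findings.append("Response is not signed")
    if assertion.find("ds:Signature", NS) is None:
        findings.append("Assertion is not signed")
    if root.get("Destination") != expected_acs:
        findings.append("Destination does not match the ACS URL")
    issuer = assertion.findtext("saml:Issuer", "", NS).strip()
    if issuer != expected_issuer:
        findings.append("Issuer does not match the value saved in Step 2")
    # Assumption: the Email Address mapping applies to the subject NameID.
    name_id = assertion.findtext("saml:Subject/saml:NameID", "", NS).strip()
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id):
        findings.append("NameID is not an email address")
    return findings

def sample(sign_response=True, sign_assertion=True, name_id="alice@example.com"):
    """Build a constructed, stripped-down response (empty Signature elements)."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"]
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" Destination="%s">%s'
            '<saml:Assertion><saml:Issuer>%s</saml:Issuer>%s'
            '<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>'
            '</saml:Assertion></samlp:Response>'
            % (NS["samlp"], NS["saml"], ACS, sig if sign_response else "",
               ISSUER, sig if sign_assertion else "", name_id))

if __name__ == "__main__":
    print(check_saml_response(sample(), ISSUER, ACS))  # []
    print(check_saml_response(sample(sign_response=False), ISSUER, ACS))
```

This checks structure only and does not verify the signatures cryptographically; signature validation against the uploaded X509 certificate remains the service provider's job.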