PingID


PingID is a multi-factor authentication (MFA) solution that integrates with existing identity systems to provide secure authentication. It can also be used as part of a SAML (Security Assertion Markup Language) SSO (Single Sign-On) implementation, which allows users to access multiple applications with a single set of credentials.

Key benefits of using PingID with SAML SSO include:

  • Stronger security through MFA.
  • Centralized authentication management.
  • Audit trails of authentication events.
  • Compliance with organizational security and regulatory requirements.

Configuring PingID SAML SSO in the Itential Platform

Beginning with the 2023.2 release, access management in the Itential Platform was expanded to include SAML SSO Authentication. Itential also supports PingID as an Identity Provider (IdP). This article explains how to set up SAML SSO between Itential Platform and PingID.

Prerequisites

Itential assumes the reader has completed the process of setting up SAML SSO Authentication in Itential Platform via Admin Essentials, and has mapped their Identity Provider (Itential Platform → Admin Essentials → Authorization → Identity Providers).

Please keep in mind that each organization may have their PingID system configured differently and this guide is not all-inclusive of every system environment.

  • A basic guide to configuring PingID as a SAML Identity Provider (IdP) is available on the Ping Identity site: Configuring a SAML Application

  • A short demo of how to set up PingID and a "test application" to work with SAML SSO is shown in this resource video:

Adding PingID Attributes

When configuring an Identity Provider ("IdP") in the Itential Platform, you will need to enter an Entity ID (called the "Issuer") that identifies the identity provider.

  1. Sign in to PingID and go to the Itential Platform application that was set up under Applications.

  2. Under SAML Configuration, copy the Entity ID (Figure 1). This will be used to satisfy the Issuer parameter.

  3. Sign in to Itential Platform and navigate to the Identity Providers Configuration tab (Admin Essentials → Authorization → Identity Providers → Configuration).

  4. Paste the Entity ID into the Issuer field (Figure 2).

    Figure 1: PingID Entity ID

    Figure 2: Itential Platform IdP Issuer Field

  5. In the PingID administrative console, go to the Applications → Configuration tab and copy the Single Signon Service key (Figure 3). This will be used to satisfy the Login URL parameter on the Itential Platform Identity Providers → Configuration form (Figure 4).

  6. Download the Signing Certificate file from the PingID administrative console (Applications → Configuration tab) and then upload the certificate file to the Identity Providers → Configuration form by drag-and-drop, or use the Click to Browse link to find and select the file to upload (Figure 4).

    Figure 3: PingID Single Signon Service Key & Signing Certificate

    Figure 4: Itential Platform IdP Login URL & Certificate Upload

  7. In the PingID administrative console, go to the Applications → Attribute Mappings tab and copy the Username, Group Names, and Email Addresses under the PingOne column (Figure 5).

  8. In Itential Platform, on the Identity Providers → Configuration tab, paste the PingID:

    1. Username in the Username Attribute field
    2. Group Names in the Groups Attribute field
    3. Email Addresses in the Email Attribute field

    Figure 5: PingID Attribute Mappings

    Figure 6: Itential Platform IdP Attribute Fields

  9. Click the Save button at the top of the Identity Providers page (next to Test Connection) to retain all your inputs (Figure 6).

Testing the PingID Configuration

To enable PingID in Itential Platform, you will need to test the configuration. You can initiate testing by clicking the Test Connection button at the top of the Identity Providers page (under the Configuration tab name). This will initiate SSO SAML authentication with PingID in a new tab, and a message will display to indicate whether the test was successful.

If the message indicates a successful test connection, then all parameters are set correctly and you can close the tab. With a successful test connection, you should have Groups showing from the Authentication Server that you can map to Itential Platform. You will want to map at least the pronghorn admin group to give permissions within Itential Platform.

Figure 7: Successful Test Message

If you receive an unsuccessful message, there might be a problem with the parameters or certificate that was provided. Check your configured SAML settings to verify all attributes are mapped correctly.

Figure 8: Unsuccessful Test Message
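When the test fails, comparing the assertion PingID actually sends with the values entered on the Configuration form usually shows which field is wrong. The script below is an added example, not Itential or Ping Identity code; it assumes you have copied the base64 `SAMLResponse` form field from your own test login (for example from the browser's network tab), and the sample response, attribute names and URLs in it are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (unsigned, placeholder values), base64-encoded
# the way the SAMLResponse field of the HTTP-POST binding carries it.
SAMPLE_RESPONSE = base64.b64encode(b"""
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.com/entity-id</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="memberOf">
        <saml:AttributeValue>network-admins</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""")

def check_response(b64_response, issuer, username_attr, groups_attr, email_attr):
    """Return mismatches between a captured SAMLResponse and the IdP form
    values. Diagnostic only: the XML signature is NOT verified here."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    found = (root.findtext(".//saml:Assertion/saml:Issuer", "", NS) or "").strip()
    if found != issuer:
        problems.append(f"Issuer: assertion has {found!r}, form has {issuer!r}")
    # Map every attribute name in the assertion to its non-empty values.
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        attrs[attr.get("Name")] = values
    fields = (("Username", username_attr), ("Groups", groups_attr), ("Email", email_attr))
    for field, name in fields:
        if name not in attrs:
            problems.append(f"{field} Attribute {name!r} not in assertion; "
                            f"assertion sends {sorted(attrs)}")
        elif not attrs[name]:
            problems.append(f"{field} Attribute {name!r} is present but empty")
    return problems

if __name__ == "__main__":
    idp = "https://idp.example.com/entity-id"
    print(check_response(SAMPLE_RESPONSE, idp, "username", "memberOf", "email"))
```

An empty list means the Issuer and all three attribute names match; if the test still fails after that, re-check the uploaded Signing Certificate and the Login URL.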

Enabling PingID SSO

Lastly, you will need to enable PingID SAML to direct users to use SSO to log in. The PingID IdP is disabled by default.

Navigate to the Identity Providers list view (Itential Platform → Admin Essentials → Authorization → Identity Providers). Locate the IdP (PingID) and slide the toggle switch to activate as Enabled. Once PingID is enabled, the Itential Platform authentication method immediately switches to SSO SAML.

Figure 9: Enable Identity Provider