Set up PingOne

Configure single sign-on (SSO) for your PCD environment using PingOne as a SAML 2.0 identity provider.

Configure single sign-on (SSO) for your PCD environment using PingOne. This integration allows users to authenticate to PCD using their existing PingOne credentials.

Prerequisites

Before you begin, ensure you have:

Administrative access to PingOne.
Administrative access to your PCD environment.
Your PCD domain FQDN (fully qualified domain name), without the region name.
Users created in PingOne who need access to PCD.

Step 1: Create a SAML application in PingOne

Create a new SAML application in PingOne to handle the SSO integration.

Log in to PingOne.
Navigate to Applications, and then select + to create a new application.
Enter a unique name for the application.
For application type, select SAML Application.

For SAML Configuration method, select Manually Enter, and then configure the following fields.

Field

Value

ACS URLs

https://<DU_FQDN>/keystone

Entity ID

https://<DU_FQDN>/sso/IDP1/Shibboleth.sso/SAML2/POST

NOTE

Replace <DU_FQDN> with your actual domain FQDN without the region name. For example, use companyx instead of companyx-regionone.

Save the application and enable it.

On the application page, go to Attribute Mappings.
Add the attributes required for PCD authentication and group membership. At minimum, configure attributes for the user's identifier, email, first name, last name, and group membership.

NOTE

The names you assign to each attribute. You will reference these names in the attribute map XML and SAML group configuration in PCD.

Step 2: Assign users and groups in PingOne

Create a group in PingOne, add users to the group, and assign the group to the SAML application.

Navigate to Groups in PingOne.
Create a new group and enter a name.
Select the group you created, and then add the users who need access to PCD.
Go to Applications, and then select the SAML application you created in Step 1.
Go to the Access tab, and then select the edit option.
Search for the group name, select it, and then select Save.

Step 3: Configure SSO settings in PCD

Configure your PCD environment to use the PingOne SSO integration.

Log in to your PCD environment.
Navigate to Settings > Enterprise SSO.
On the Enterprise SSO page, enable SSO, and then configure the following settings.
Field
Description
SSO Provider
Select PingOne from the available options.
Entity ID
Copy the Issuer ID from the Connection Details section of your PingOne application Overview tab, and paste it here.
SAML Metadata URL
Copy the IDP Metadata URL from the Connection Details section of your PingOne application Overview tab, and paste it here.
SSO Provider Attribute Map in XML
Paste the attribute map XML that covers all attributes added to your PingOne application. See the sample in step 4.

Construct the attribute map XML to cover all attributes added to the PingOne application. Use the following sample as a starting point.

<Attributes
    xmlns="urn:mace:shibboleth:2.0:attribute-map"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- User ID (PingOne UI label) -->
    <Attribute
        id="saml_subject"
        name="saml_subject"
        nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
    </Attribute>

    <!-- Email Address -->
    <Attribute
        id="email"
        name="email"
        nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
    </Attribute>

    <!-- TBD: Add remaining attributes (firstname, lastname, groupnames, etc.) per SE-provided complete sample -->

</Attributes>

Paste the completed attribute map XML into the SSO Provider Attribute Map in XML field.
Select Save.

Your PCD SSO connection to PingOne is now configured.

Step 4: Configure SAML groups in PCD

Set up SAML groups to manage user permissions and role assignments in PCD.

On the Enterprise SSO page, select SAML Groups.
Select Add Group.
Configure the group settings.
Field
Description
Name
Enter a unique name for the group.
Description
Enter a brief description of the group.
SAML Attribute Key for First Name
Enter the attribute key for the user's first name (for example, firstname).
SAML Attribute Key for Last Name
Enter the attribute key for the user's last name (for example, lastname).
SAML Attribute Key for Email
Enter the attribute key for the user's email (for example, email).

NOTE

The attribute keys must match those configured in your attribute map XML and in your PingOne application's attribute mappings.

For Username Attribute Mapping Template and Email Attribute Mapping Template, enter a template using the format {attributeKey}, where attributeKey corresponds to attributes configured in PingOne.
Configure the group mapping.
Field
Description
SAML Group Attribute
Enter the group attribute name configured in your PingOne attribute mappings (for example, groupnames).
Criteria
Select Any one of.
SAML Group Values
Enter the name of the group configured in PingOne (for example, Admingroup).
Under Tenants & Roles, assign the group to appropriate tenants and roles (Administrator or Self-Service User).
Select Save.

Your SAML group is now configured in PCD.

Step 5: Test the SSO configuration

Verify that your PingOne SSO integration works correctly.

Log out of your current PCD session.
Open a new private or incognito browser window.
Navigate to your PCD login page.
Select Sign In with SSO.
Complete the authentication process using your PingOne credentials.
Verify you can access PCD resources according to your assigned role.

You have now successfully configured SSO integration between PCD and PingOne. Users can authenticate using their existing PingOne credentials and access PCD resources based on their assigned roles and permissions.

PreviousSSO with pcdctl NextSet up Duo

Last updated 14 days ago

Was this helpful?