PingId Single Sign-On

To set up a single sign-on with the PingId provider, you’ll need to create two applications in your PingId environment:

• OAUTH2 WORKER application for groups’ synchronization
• SAML application for users’ authentication

Order

The below order of actions is essential not to lose control over your SAFEQ Cloud account.

1. Set up the authentication provider.
2. Do initial groups’ synchronization for your Ping authentication provider.
3. Create Access Control records for the imported groups. Make sure that you will retain an administrative role in SAFEQ Cloud when you log in using your PingId identity. You must create access control records with the Administrators role for the group that you are a member of.
4. Set up SAML

OAuth2 configuration

Before you begin using your Single Sign-On authentication, you may want to synchronize groups and configure their access (see Access Control).

Group synchronization with PingId is done using OAuth2 authentication of the user with administrative privileges for the worker application you will set up in this chapter.

1. In PingIdentity, create a new application of the worker type.
   

   

2. Enter the application name and description.
   

   

3. On the configuration page, set the following:
   1. In response type, select Code.

   2. In Redirect URIs, enter http://127.0.0.1:7311/oidc/callback, https://acme.eu.ysoft.cloud:8443/callback/ping (where acme.eu.ysoft.cloud is the account domain name of SAFEQ Cloud server).
      

      

      Note that the redirect URL with 127.0.0.1 is necessary for the SAFEQ Cloud client to work correctly with Ping authentication.

   3. In Grant type, select Authorization code, refresh token.
   4. In Token endpoint authentication, select None.
4. On the Resources page, set:
   • In Scope grants, select email (openid), profile (openid).
5. On the Attribute mappings page, set:
   • Username = sub
6. For security reasons, you must remove any roles from this application. This will make it impossible to use it without an OAuth2 token, which is never stored anywhere and acquired only in interactive mode.
   

   

7. Register and configure the authentication provider in SAFEQ Cloud Web UI. use the following values in the configuration of the new authentication provider.
   

   

8. Save the authentication provider and open it again in the view mode. You’ll see the SYNC GROUPS button. Click it to see the PingId authentication form.
9. Authenticate with credentials of a user who has the permission to read groups. Follow on-screen instructions. When the form closes, groups synchronization is complete.
   

   

   
   

SAML configuration

1. In PingIdentity, create a new application of web app type.
   

   

2. On the Configuration tab, fill in the redirect URL: https://_yourdomain_:8443/assertion/saml. In this example, we assume that domain name for SAFEQ Cloud application is testaccount1.
   

   

   
   
3. On the same page, fill in a unique Entity ID. We recommend to use your domain, which is supposed to be unique.
   

   

4. Create the attribute mappings:
   

   

   PingId attribute	Mapped name
   Given Name	fname
   Family Name	lname
   Groups IDs	group_membership
   Group Names	group_membership_names

5. Download the metadata file.
   

   

6. This file contains all necessary information for SAML configuration, including generated by PingId certificate for assertion verification. Place this file in your /conf folder and set up Single Sign-On in your SAFEQ Cloud application:
   

   

7. SSO issuer ID should be the same string that you entered as Entity ID in your PingId application configuration (https://testaccount1).
8. Test your single sign-on. Each time a user logs in to SAFEQ Cloud using it, their name and group membership will be synchronized with PingId.
9. Use the SYNC GROUPS button each time you change groups in PingId.