PingID Single Sign-On

To set up a single sign-on (SSO) with the PingID provider, you must create two applications in your PingID environment:

  • OAuth2 Worker application for authentication and group synchronization
  • SAML application for users’ SSO

Order

Make sure to perform the following actions in the correct order; otherwise you might disable your existing authentication to your SAFEQ Cloud tenant. The steps are:

  1. Set up the authentication provider in SAFEQ Cloud using a PingID Worker application.
  2. Perform group synchronization for your PingID authentication provider.
  3. Create Access Control records for the imported groups. Make sure that you retain an administrative role in SAFEQ Cloud when you log in using your PingID identity: you must create an access control record with the Administrator role for a group of which you are a member.
  4. Set up SAML SSO for your SAFEQ Cloud tenant.

OAuth2 Configuration

Authentication against PingID is done through the PingID OAuth2 Worker application.

Group synchronization with PingID is done via OAuth2 authentication of a user with administrative privileges for the Worker application.

Creating the Worker application

  1. Log into your PingID environment. Go to Applications and click + to create a new application.
  2. Enter the Application Name, an optional Description, and select Worker as the Application Type.
  3. Click Save.

Configuring the Worker application

  1. Once saved, select the Configuration tab, and click the pencil icon to edit it.
  2. In Response Type, select Code.
  3. In Grant Type, select:
    1. Authorization Code. Also, in the PKCE Enforcement field, select OPTIONAL.
    2. Refresh Token.
  4. Disable (uncheck) the Client Credentials grant type.
  5. In Redirect URIs, enter the following:
    1. http://127.0.0.1:7311/oidc/callback

      This redirect address is essential for the SAFEQ Cloud Client to work correctly with PingID authentication.

    2. https://<your SAFEQ Cloud domain>/callback/ping

  6. In Token Endpoint Authentication Method, select None.
  7. Click Save.

Selecting Resources

  1. Once saved, click the Resources tab, then click the pencil icon to edit it. Enable the following scopes:
    1. email (OpenID Connect)
    2. profile (OpenID Connect)
  2. Click Save.

Mapping the attributes

  1. Once saved, click the Attribute Mappings tab, then click the pencil icon to edit. You should see one Attribute Mapping — sub = User ID.
  2. Change this mapping to sub = Username.
  3. Click Save.

Removing roles

  1. Once saved, select the Roles tab. If there are any Roles listed, click the Trash icon to delete them, and Save once all are removed. If none are listed, proceed to the next step.

    For security reasons, it is essential to remove all roles from this application. This restricts the ability to use the application without an OAuth2 token. An OAuth2 token is more secure because it is not stored anywhere and is acquired only in interactive mode.

Enabling the Worker application

  1. Click the Overview tab and click the slider in the top-right corner to enable your application. This will automatically save it.
  2. Leave this page open, as you will need some of the application IDs displayed there.

Configuring the PingID Authentication provider in SAFEQ Cloud Web UI

Now that the configuration on the PingID side is complete, proceed to register and configure the Authentication Provider in SAFEQ Cloud.

  1. Log into SAFEQ Cloud Web UI and go to Authentication.
  2. Click Add to add a new provider.
  3. In Type, select Client (OAuth2).
  4. In Name, enter the Authentication provider name.
  5. In Domains, list all of the domains present in your PingID environment that will need to authenticate to SAFEQ Cloud. For example, to allow user john.doe@acme.com to log in via this Authentication provider, enter the acme.com domain here.
  6. In Identity provider, select Ping OAuth 2.0.
  7. In Custom application ID, paste the Client ID from your PingID application Overview tab.
  8. In Ping environment ID, paste the Environment ID from your PingID application Overview tab.
  9. Ping region is the region in which your PingID environment is registered. You can determine it from your PingID Console URL, which has the format https://console.pingone.[region]. Alternatively, you can find it in any of the URLs listed under your PingID OAuth application Configuration tab, such as https://auth.pingone.[region]/[client]/as/authorize.
  10. In Callback domain for custom application, enter the SAFEQ Cloud tenant address you used as the Redirect URI in your PingID OAuth application configuration.
  11. Click Save.

For more details on the available options for OAuth2 authentication, see Client authentication.
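The Worker application settings above (Response Type Code, PKCE, the two exact Redirect URIs, Token Endpoint Authentication Method None) and the region/Environment ID values entered in SAFEQ Cloud together define one authorization-code request. The following Python snippet is an added example, not SAFEQ Cloud's or Ping's own code: it extracts the region from the two URL formats the page names, computes a PKCE S256 challenge, enforces an exact match on the registered Redirect URIs, and builds the request. The tenant domain is a constructed example, and the Environment ID is assumed to be the path segment after the region in the authorize URL.

```python
import base64
import hashlib
from urllib.parse import urlencode, urlparse

# Redirect URIs registered on the Worker application (the two from the page);
# "<your SAFEQ Cloud domain>" is replaced by a constructed example tenant.
REGISTERED_REDIRECTS = {
    "http://127.0.0.1:7311/oidc/callback",        # loopback, used by the SAFEQ Cloud Client
    "https://acme.eu.ysoft.cloud/callback/ping",  # tenant callback
}

def ping_region(url: str) -> str:
    """Region from https://console.pingone.[region] or
    https://auth.pingone.[region]/.../as/authorize (the two formats the page names)."""
    host = urlparse(url).hostname or ""
    prefix, _, region = host.partition(".pingone.")
    if prefix not in ("console", "auth") or not region:
        raise ValueError(f"not a PingOne console/auth URL: {url}")
    return region

def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge (RFC 7636): base64url(sha256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def is_registered_redirect(uri: str) -> bool:
    """Exact match against the Worker app's Redirect URIs; no prefix or wildcard matching."""
    return uri in REGISTERED_REDIRECTS

def authorize_url(region: str, env_id: str, client_id: str, redirect_uri: str,
                  verifier: str, state: str) -> str:
    """Authorization-code request matching the Worker app settings: Response Type Code,
    email + profile (OpenID Connect) scopes, PKCE S256. env_id is the PingID Environment
    ID, assumed to be the path segment after the region as in PingOne's authorize URL."""
    if not is_registered_redirect(redirect_uri):
        raise ValueError(f"redirect_uri not registered on the Worker app: {redirect_uri}")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"https://auth.pingone.{region}/{env_id}/as/authorize?" + urlencode(params)
```

Because the token endpoint authentication method is None (a public client), the PKCE verifier and the exact redirect URI match are what bind the returned code to the client that started the flow.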

Synchronizing groups

After creating and saving your new Authentication provider, you can perform group synchronization, which will allow you to manage Access Control of your SAFEQ Cloud tenant via PingID group membership.

To synchronize groups perform the following steps:

  1. In SAFEQ Cloud Web UI Authentication section, click the Edit icon for your PingID provider.
  2. Click SYNC GROUPS.
  3. You will be redirected to the PingID login page.
  4. Log in with an account that has permission to read groups and follow the on-screen instructions. When the form closes, group synchronization is complete. For more details, see Client authentication, section Sync groups.
  5. You will now be able to search for PingID groups on the SAFEQ Cloud Access Control page. For more details, see Access Control.

SAML Configuration

The redirect URL for the PingID SAML application is https://<your SAFEQ Cloud domain>:8443/assertion/saml. For example, https://acme.eu.ysoft.cloud:8443/assertion/saml. The port is either 8443 or 443 in environments with reverse proxy infrastructure.

  1. To create a SAML application, log into your PingID environment and go to Applications. Click + to create a new application.
  2. Enter the Application Name and an optional Description. Select SAML Application as the Application Type.
  3. Click Configure.
  4. In Provide Metadata Configuration, select Manually Enter, and add the following:
    1. In ACS URL, enter https://<your SAFEQ Cloud domain>:8443/assertion/saml. The port is either 8443 or 443 in environments with reverse proxy infrastructure.
    2. In Entity ID, enter a unique identifier for this application. We recommend using your SAFEQ Cloud tenant address.
  5. Next, click the Attribute Mappings tab and create attribute mappings as per the following table. Be aware that PingID will likely default the attribute saml_subject to User ID. You must change it to Username.
     Attributes                PingOne Mappings
     saml_subject              Username
     fname                     Given Name
     group_membership          Group IDs
     group_membership_names    Group Names
     lname                     Family Name

  6. Once the attribute mappings are complete, enable the application using the slider in the top right of the page.
  7. Click the Configuration tab of your SAML application and copy the IDP Metadata URL.
  8. Log in to SAFEQ Cloud Web UI and go to Authentication > Single sign-on.
  9. Paste the IDP Metadata URL into the SSO XML metadata URL field.
  10. The SSO issuer ID must be the same string that you entered as the Entity ID in your PingID application configuration.
  11. Set SSO method to SAMLv2.
  12. Click Save.
  13. Test your SSO by opening the SAFEQ Cloud Web UI login page. This will redirect you to the PingID authentication page. Log in with any user account from your PingID environment.

Every time a user logs into SAFEQ Cloud using SAML SSO, their given/family names and group membership will be synchronized from PingID.
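To show what the attribute mapping table and the Entity ID / SSO issuer ID and ACS URL settings mean on the receiving side, here is an added Python example (not SAFEQ Cloud's own code): it parses a constructed, unsigned assertion, rejects one whose Audience is not the configured issuer ID or whose Recipient is not the ACS URL, and maps the table's attributes onto a user record. The tenant domain and the user are constructed sample values; signature verification against the IDP metadata, which a real deployment does first, is out of scope here.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Values from the SAFEQ Cloud SSO configuration, for a constructed example tenant:
SSO_ISSUER_ID = "https://acme.eu.ysoft.cloud"                # Entity ID = SSO issuer ID
ACS_URL = "https://acme.eu.ysoft.cloud:8443/assertion/saml"  # the ACS URL from the page

# Constructed assertion carrying the attributes from the mapping table (unsigned sample).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>john.doe@acme.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://acme.eu.ysoft.cloud:8443/assertion/saml"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://acme.eu.ysoft.cloud</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="fname"><saml:AttributeValue>John</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="group_membership_names">
      <saml:AttributeValue>Print Admins</saml:AttributeValue><saml:AttributeValue>Staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_assertion(xml_text: str) -> dict:
    """Check the assertion is for this tenant, then map the table's attributes to a user record."""
    root = ET.fromstring(xml_text)
    audience = root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != SSO_ISSUER_ID:
        raise ValueError(f"audience {audience!r} does not match the SSO issuer ID")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        raise ValueError("assertion is not addressed to our ACS URL")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {
        "username": root.findtext("saml:Subject/saml:NameID", namespaces=NS),  # saml_subject = Username
        "given_name": attrs.get("fname", [None])[0],        # fname = Given Name
        "family_name": attrs.get("lname", [None])[0],       # lname = Family Name
        "group_ids": attrs.get("group_membership", []),     # group_membership = Group IDs
        "groups": attrs.get("group_membership_names", []),  # group_membership_names = Group Names
    }
```

If saml_subject were left at the PingID default of User ID, the "username" field above would carry an opaque identifier instead of the login name SAFEQ Cloud matches against its Domains list.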
