Configuring Ping Identity PingOne for Single Sign On (SSO)

Observe supports Ping Identity’s PingOne as an Identity Provider (IdP) using Security Assertion Markup Language (SAML).

Note

Use of stem names instead of Observe Customer IDs is not supported at this time.

Configuring PingOne

  1. Log into your PingOne portal as the admin and choose Applications > Applications and select the + icon to add a new application.

  2. Fill out the Application Name and Description fields to indicate that this application is associated with your Observe tenant.

  3. If you would like to add the Observe icon, you can download it from here.

  4. For Application Type choose SAML Application and continue via the Configure button.

  5. Under the SAML Configuration section, select the Manually Enter option, set the following values, and select Save:

    • ACS URL - enter the URL https://${OBSERVE_CUSTOMER_ID}.observeinc.com/auth/saml2/callback. Replace ${OBSERVE_CUSTOMER_ID} with your tenant ID.

    • Entity ID - enter the URL https://${OBSERVE_CUSTOMER_ID}.observeinc.com/auth/saml2/callback. Replace ${OBSERVE_CUSTOMER_ID} with your tenant ID.

  6. In the Overview tab, copy the Initiate Single Sign-On URL value. This will be something similar to https://auth.pingone.com/${GUID}/saml20/idp/startsso?spEntityId=https://${OBSERVE_CUSTOMER_ID}.observeinc.com where ${GUID} is a value specific to your PingOne account, and ${OBSERVE_CUSTOMER_ID} is your tenant ID.

Figure 1 - Ping One Application Overview

  7. Navigate to the Configuration tab, and under the Connection Details section, select Download Signing Certificate, and select the X509 PEM (.crt) option.

Figure 2 - Ping One Application Configuration

Attribute Mapping

Navigate to the Attribute Mappings tab, set the following values, and save them. Note that the Observe values are case sensitive:

  Observe         PingOne
  saml_subject    Email Address
  email           Email Address
  firstName       Given Name
  lastName        Family Name

Group Membership Attributes

Observe supports sending group membership claims via SAML. The field mapping for Group Names is as follows.

  Observe         PingOne
  groups          Group Names
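Because the Observe attribute names are case sensitive, it helps to check a test assertion before enabling SSO. The following is an added example, not part of the original page or Observe's own code: it inspects a constructed sample assertion for the names in the tables above. It assumes saml_subject arrives as the Subject NameID and that email, firstName and lastName are required while groups is optional.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "firstName", "lastName")  # names from the mapping table (assumed required)
OPTIONAL = ("groups",)                         # assumed optional

# Constructed sample assertion, not captured from a real tenant.
# "FirstName" is deliberately mis-cased to show the failure mode.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Ng</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>sre</saml:AttributeValue><saml:AttributeValue>secops</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_mapping(assertion_xml):
    """Return a list of attribute-name problems found in the assertion."""
    root = ET.fromstring(assertion_xml)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing Subject NameID (saml_subject)")
    sent = [a.get("Name", "") for a in root.iterfind(".//saml:Attribute", NS)]
    by_lower = {n.lower(): n for n in sent}
    for want in REQUIRED + OPTIONAL:
        if want in sent:
            continue  # exact, case-sensitive match
        near = by_lower.get(want.lower())
        if near is not None:
            problems.append(f"'{near}' should be '{want}' (case mismatch)")
        elif want in REQUIRED:
            problems.append(f"missing attribute '{want}'")
    return problems

def group_values(assertion_xml):
    """Return the group names carried in the 'groups' attribute, if any."""
    root = ET.fromstring(assertion_xml)
    return [v.text for a in root.iterfind(".//saml:Attribute", NS)
            if a.get("Name") == "groups"
            for v in a.iterfind("saml:AttributeValue", NS)]

if __name__ == "__main__":
    for problem in check_mapping(SAMPLE):
        print("FAIL:", problem)
    print("groups:", group_values(SAMPLE))
```

This only checks attribute names on an assertion you captured yourself during testing; it does not verify the assertion's signature.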

Configuring Observe

  1. Navigate to https://${OBSERVE_CUSTOMER_ID}.observeinc.com/settings/customer, where ${OBSERVE_CUSTOMER_ID} is your tenant ID. You should see a configuration page for SAML configuration.

Figure 3 - Observe Settings

  2. Paste the Initiate Single Sign-On URL from Step 7 into the Entry Point field.

  3. Open the X.509 certificate from Step 8 in a text editor. Copy the certificate details and paste them into the Cert field for Observe.

  4. Click Add SAML Provider.