Configure PingOne as an IdP in the Cloud Identity Engine

Learn how to configure PingOne as an identity provider in the Cloud Identity Engine for user authentication.
Configure a profile to configure PingOne as an identity provider (IdP) in the Cloud Identity Engine. After you configure the IdP profile, Configure the Cloud Identity Engine in an Authentication Profile.
  1. Enable the Cloud Identity Engine app in PingOne.
    1. If you have not already done so, activate the Cloud Identity Engine app.
    2. In the Cloud Identity Engine app, select
      Authentication
      SP Metadata
      Download SP Metadata
      and
      Save
      the metadata in a secure location.
    3. Log in to PingOne and select
      Applications
      My Applications
      Add Application
      New SAML Application
      .
    4. Enter an
      Application Name
      , an
      Application Description
      , and select the
      Category
      then
      Continue to Next Step
      .
    5. Select
      I have the SAML configuration
      and ensure the
      Protocol Version
      is
      SAML v 2.0
      .
    6. Click
      Select File
      to
      Upload Metadata
    7. Copy the metadata information from the Cloud Identity Engine and enter it in PingOne as described in the following table:
      Copy From Cloud Identity Engine
      Enter in PingOne
      Copy the
      Entity ID
      from the SP Metadata page.
      Enter it as the
      Entity ID
      .
      Copy the
      Assertion Consumer Service URL
      .
      Enter the URL as the
      Assertion Consumer Service (ACS)
      .
    8. Select either
      RSA_SHA384
      or
      RSA_SHA256
      as the
      Signing Algorithm
      .
    9. (Required for MFA) If you want to require multi-factor authentication for your users, select
      Force MFA
      .
    10. Click
      Continue to Next Step
      to specify the attributes for the users you want to authenticate using PingOne.
    11. Specify the
      Application Attribute
      and the associated
      Identity Bridge Attribute or Literal Value
      for your user then select
      Required
      .
      Be sure to assign the account you are using so you can test the configuration when it is complete. You may need to refresh the page after adding accounts to successfully complete the test.
    12. Click
      Add new attribute
      as needed to include additional attributes then
      Continue to next step
      to specify the group attributes.
    13. Add
      the groups you want to authenticate using PingOne or
      Search
      for the groups you want to add then
      Continue to next step
      to review your configuration.
  2. Add an IdP Provider profile in the Cloud Identity Engine app.
    1. Select
      Authentication
      Identity Providers
      .
    2. Click
      Add IDP Provider
      .
    3. Enter a
      Profile Name
      .
    4. Select
      PingOne
      as your
      IdP Vendor
      .
  3. Select the method you want to use to
    Add Metadata
    and
    Submit
    the IdP profile.
    • If you want to enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine IdP profile.
      1. In PingOne, select
        Applications
        My Applications
        then select the Cloud Identity Engine app.
      2. Copy the necessary information from PingOne and enter it in the IdP profile on the Cloud Identity Engine app as indicated in the following table:
        Copy or Download From Okta Admin Console
        Enter in Cloud Identity Engine IdP Profile
        Copy the
        Issuer
        ID.
        Enter it as the
        Identity Provider ID
        .
        Download
        the
        Signing Certificate
        .
        Click to Upload
        the certificate from the Okta Admin Console.
        Copy the
        Initiate Single Sign-On (SSO) URL
        .
        Enter the URL as the
        Identity Provider SSO URL
        .
      3. Select the
        HTTP Binding for SSO Request to IdP
        method you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages (
        HTTP Redirect
        , which transmits SAML messages through URL parameters or
        HTTP Post
        , which transmits SAML messages using base64-encoded HTML).
      4. Specify the
        Maximum Clock Skew (seconds)
        , which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
    • If you want to upload a metadata file, download the metadata file from your IdP management system.
      1. In PingOne, select
        Applications
        My Applications
        then select the Cloud Identity Engine app.
      2. Download
        the
        SAML Metadata
        .
      3. In the Cloud Identity Engine app,
        Click to Upload
        the metadata file, then
        Open
        the metadata file.
    The Cloud Identity Engine does not currently support the
    Get URL
    method for PingOne.
  4. Test SAML setup
    to verify the profile configuration.
    This step is required to confirm that your firewall and IdP can communicate.
  5. If your IdP is configured to require users to log in using multi-factor authentication (MFA), select
    MFA is enabled on the IDP
    .
  6. Select the SAML attributes you want the firewall to use for authentication and
    Submit
    the IdP profile.
    1. In the Okta Admin Console,
      Edit
      the
      User Attributes & Claims
      .
    2. In the Cloud Identity Engine, select the
      Username Attribute
      and optionally, the
      Usergroup Attribute
      ,
      Access Domain
      ,
      User Domain
      , and
      Admin Role
      .
      You must select the username attribute in the Okta Admin Console for the attribute to display in the Cloud Identity Engine.

Recommended For You