How to configure PingOne for Enterprise for SSO

This topic details how to configure PingOne for Enterprise single sign-on (SSO). PingOne for Enterprise is a cloud-based authentication provider.

This topic is part of Phase Two in Configuring SAML SSO authentication. For an overview of the complete process, see Working with SAML for single sign-on (SSO).

IMPORTANT  Before completing these steps, you will need to follow the steps in Prepare Venafi Platform for SAML SSO. You will need configuration information from the Venafi Service Provider Metadata XML file to complete this process.

You must have an existing functional PingOne for Enterprise deployment to use these steps. These instructions detail how to add a new Application (Venafi Platform) to PingOne. Consult the PingOne for Enterprise documentation if you need to configure PingOne to obtain data from your identity store.

Before you begin, you will want to consult with your identity provider management team to determine who should be able to authenticate to Venafi Platform via PingOne for Enterprise. You'll need that information near the end of the procedure below.

IMPORTANT  While Venafi makes an effort to provide accurate information on third-party integration steps, these steps may differ for your service provider, especially as identity providers release new updates. If you have questions about how to use this third-party integration, we recommend you start with the vendor's documentation and support teams. These instructions should be considered a template, not definitive steps. Your specific steps may vary, depending on how your organization integrates with each third-party platform.

To configure PingOne for Enterprise single sign-on

  1. Log in to PingOne for Enterprise, and click Applications.
  2. Navigate to Add ApplicationNew SAML Application.
  3. Give the application a descriptive name for your Venafi cluster, and provide a description and choose a category.
  4. Click Continue to Next Step.
  5. Next to SAML Metadata, click Download. We refer to this file as the IDP Metadata XML file in our documentation..

    Save this file to your Venafi Platform server in a place you can find it later.

  6. Ensure the protocol version is SAML v 2.0.
  7. Under Upload Metadata, click Select File, then browse to the Venafi Service Provider Metadata XML file you exported from Venafi Platform, and select it.
  8. The following fields are described below:

    • The Assertion Customer Service (ACS) field will be automatically filled out from the uploaded Service Provider Metadata XML file.
    • The Entity ID will be automatically filled out from the uploaded Service Provider Metadata XML file. This is a unique string PingOne uses to identify the application when communicating with it.
    • For Application URL, you can leave blank.

      This feature, if used, provides the starting URL for a user, if you don't want them being taken directly to the Aperture dashboard. For example, you could specify the SSH Protect dashboard, or the Certificate Inventory URL. This URL will be used when a user clicks on the Venafi application on their PingOne dashboard. This field is not honored if authentication was started by Venafi Platform. If you use this field, use the FQDN to the page.

    • Single Logout Endpoint, Response Endpoint, Binding Type. These settings are not supported in this version of Venafi Platform, so leave blank.
    • Primary/Secondary Verification Certificate. Since version 23.1 doesn't support signing authentication requests, leave blank.
    • Encrypt Assertion. Since version 23.1 doesn't support encrypted SAML responses, leave blank.
  9. Change the Signing option to Sign Response.
  10. Leave the Signing Algorithm to the default, which is RSA SHA256.
  11. If you want to force re-authentication for users, even if they already have an active PingOne session, select Force Re-Authentication.
  12. If needed, modify the subject of the SAML assertion.

    By default, PingOne sends the username as the NameID within the subject of the SAML assertion. If you need to have something different sent instead (like email address), you need to define appropriate attribute mapping on this screen.

    More information can be found in PingOne's documentation: https://docs.pingidentity.com/bundle/pingone/page/xsh1564020480660-1.html.

  13. In Group Access, click Add next to groups that should have access to Venafi Platform.

    If you want all users to have access, click Add next to Users@directory.

  14. Review your settings, then click Finish.

IMPORTANT  When you test PingOne, if you get an error on a login attempt that says "SAML authentication failed" with an InvalidSignatureException, try disabling assertion signing in step 9, above. This is due to a problem in .NET.

If disabling assertion signing doesn't work, please contact Venafi Support.

You are ready to finish configuring SSO in Venafi Configuration Console. See Importing Identity Provider Metadata XML into Venafi Configuration Console for SAML.