Configuring Ping Identity Single Sign-On Integration with SAML
Ping Identity software provides federated identity management and intelligent access so users can connect securely to cloud, mobile, and on-premises apps. The platform uses adaptive authentication and SSO for single-click access to all apps. This prevents security breaches and helps with the management of sensitive data.
- Using Security Assertion Markup Language (SAML), a user can use their managed account credentials to sign in to enterprise cloud applications via Single Sign-On (SSO). An Identity Provider (IdP) service provides administrators with a single place to manage all users and cloud applications.
- You don't have to manage individual user IDs and passwords tied to individual cloud applications for each of your users. An IdP service provides your users with a unified sign-on across all their enterprise cloud applications.
- Acunetix 360 supports both IdP-initiated and SP-initiated SAML methods.
- You can also create a new user in Acunetix 360 with the Enable Auto Provisioning option.
Information: You have to use IdP-initiated SSO if you want to utilize Auto Provisioning. If you use SP-initiated SSO, set the Name ID Format value to the email address on the IdP side.
Single Sign-On Fields
This table lists and explains the Single Sign-On fields in the Ping Identity Single Sign-On window.
| Field | Description |
| --- | --- |
| Enable | Select this option to enable the single sign-on feature. |
| Enforce to authenticate only with single sign-on | Enable this option so only administrator users can authenticate without single sign-on. Users can only sign in to Acunetix 360 by using the email address that belongs to their employer. |
| IdP Identifier | This is the SAML identity provider's Identifier value. |
| SAML 2.0 Service URL | This is the Consumer URL value (also called the SSO Endpoint or Recipient URL). |
| SAML 2.0 Endpoint | This is the URL from your IdP's SSO Endpoint field. |
| X.509 Certificate | This is the X.509 certificate value. |
How to add an application to Ping Identity
- Log in to your Ping Identity account.
- From the main menu, select Connections > Applications.
- From the Applications page, select the + (plus) sign.
- Enter your application name, then select SAML Application. (For this example, the application's name is Acunetix 360.)
- Select Configure when available after selecting the SAML Application.
- From the SAML Configuration, select Manually Enter.
- Open a separate tab and log in to Acunetix 360.
- From the Acunetix 360's main menu, select Settings > Single Sign-On.
- Copy SAML 2.0 Service URL and paste it into ACS URLs.
- Copy Identifier and paste it into Entity ID.
- Select Save.
You added the application to your Ping Identity account. You need to configure the application to enable the Single Sign-On.
Warning: Do not close the Acunetix 360 tab. In the following steps, you need to add more information from Ping Identity, such as the IdP Identifier, to Acunetix 360.
How to configure Ping Identity Single Sign-On Integration with SAML
- From the Applications page, select Acunetix 360.
- Next to the Acunetix 360, turn on the toggle.
- Select the Attribute Mappings tab, then edit (the pencil icon).
- For the saml_subject attribute, select Email Address from the PingOne Mappings drop-down.
- Select + Add.
- Add FirstName to the Attributes field and choose Given Name from the PingOne Mappings drop-down.
- Select + Add.
- Add LastName to the Attributes field and choose Family Name from the PingOne Mappings drop-down.
- Select + Add.
- Add OnlySsoLogin to the Attributes field and choose OnlySsoLogin from the PingOne Mappings drop-down. (For further information about adding an attribute, see How to add OnlySsoLogin attribute to Ping Identity.)
- Select Save.
- Select the Configuration tab, then edit (the pencil icon).
- Choose the Sign Assertion and Response option.
- Select Save.
- From the Connection Details:
  - Copy the Issuer ID information, switch to the Acunetix 360 tab, and paste the ID information into IdP Identifier.
  - Copy the Single Signon Service, switch to the Acunetix 360 tab, and paste it into SAML 2.0 Endpoint.
- Select Download Signing Certificate to download the certificate (X509 PEM (.crt)).
- Go to your download location and open the certificate with a text editor.
- Copy the X509Certificate information, switch to the Acunetix 360 tab, and paste it into X.509 Certificate.
- On the Acunetix 360's Configure Single Sign-On page, select one or all of the following options, if necessary:
  - Enable Auto Provisioning: If enabled, an account will be automatically created for IdP-registered users when they first access Acunetix 360. To do so, you must complete the Email Address (required), FirstName, and LastName fields in the Attribute Statements on the IdP side.
  - Require SAML assertions to be encrypted: If enabled, it prevents third parties from reading private data in transit from assertions. There are two options:
    - Generate a new certificate for me: Acunetix 360 generates a key pair. Invicti will keep a private key to decrypt received SAML messages and provide you with a certificate so that you can upload it on the IdP side.
    - I have an existing certificate: You need to upload your certificate to Acunetix 360 by importing a decryption certificate from your files.
  - Use Alternate Login Email: If enabled, this lets users use an alternative email for SSO. So, you can enter an alternative email on the New Member Invitation page while editing the user's details on the Team page.
- Select Save Changes on the Acunetix 360 tab to complete the integration.
Acunetix 360 informs you that the SSO configuration is saved.
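If a test sign-in fails after saving, the decoded SAML response can be checked against the values entered in the steps above. The following is an added example, not code from Acunetix 360 or Ping Identity: it confirms that the Response and the Assertion each carry a signature element, that Issuer, Recipient and Audience match the configured values, and that the NameID and the mapped attributes are present. The function names, the example.com-style URLs and the sample response are constructed for illustration, and the script only checks that signatures are present, not that they are valid.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("FirstName", "LastName", "OnlySsoLogin")  # from the Attribute Mappings steps

def check_response(xml_text, idp_identifier, service_url, identifier):
    """Return findings; an empty list means the response matches the configured values."""
    resp = ET.fromstring(xml_text)
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion (encrypted or missing)"]
    # Each element needs its own ds:Signature child; presence only, no cryptographic check.
    findings = [f"{label} is not signed" for label, node in
                (("Response", resp), ("Assertion", assertion))
                if node.find("ds:Signature", NS) is None]
    if assertion.findtext("saml:Issuer", "", NS).strip() != idp_identifier:
        findings.append("Issuer differs from IdP Identifier")
    conf = assertion.find(".//saml:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != service_url:
        findings.append("Recipient differs from SAML 2.0 Service URL")
    if assertion.findtext(".//saml:Audience", "", NS).strip() != identifier:
        findings.append("Audience differs from Identifier")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT or "@" not in (name_id.text or ""):
        findings.append("NameID is not in email address format")
    present = {a.get("Name") for a in assertion.iterfind(".//saml:Attribute", NS)}
    return findings + [f"missing attribute {n}" for n in REQUIRED_ATTRS if n not in present]

def sample_response(sign_assertion=True, attrs=REQUIRED_ATTRS):
    """Constructed sample (not a captured PingOne message); signatures are empty placeholders."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
    attr_xml = "".join(f'<saml:Attribute Name="{n}"/>' for n in attrs)
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
            ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">' + sig +
            '<saml:Assertion><saml:Issuer>https://idp.example/issuer</saml:Issuer>'
            + (sig if sign_assertion else "") +
            f'<saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">user@example.com</saml:NameID>'
            '<saml:SubjectConfirmation><saml:SubjectConfirmationData'
            ' Recipient="https://sp.example/acs"/></saml:SubjectConfirmation></saml:Subject>'
            '<saml:Conditions><saml:AudienceRestriction><saml:Audience>https://sp.example/'
            '</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
            '</saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    cfg = ("https://idp.example/issuer", "https://sp.example/acs", "https://sp.example/")
    for xml in (sample_response(), sample_response(False, ("FirstName",))):
        print(check_response(xml, *cfg))
```

To use it on a real sign-in, pass the base64-decoded SAMLResponse together with the IdP Identifier, SAML 2.0 Service URL and Identifier values from the Single Sign-On page.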
How to add OnlySsoLogin attribute to Ping Identity
- From the main menu, select Identities > Attributes.
- Select + Add Attribute.
- From the Select Attribute Type page, select Declared, then Next.
- On the Set Attribute Properties page, enter OnlySsoLogin in the NAME field.
- On the Set Attribute Properties page, enter OnlySsoLogin in the DISPLAY NAME field.
- Select Save and Close.
To enable provisioning or auto provisioning, you need to create users and groups, and assign the group to your application.
Enabling provisioning on Ping Identity
There are two parts to enable this:
- Configuring Ping Identity
- Configuring Acunetix 360
Step 1. Configuring Ping Identity
There are three steps to configure Ping Identity.
- Add a user to Ping Identity
- Add the user to a group
- Assign the group to the application
1. Adding a user to Ping Identity
- Log in to Ping Identity.
- From the main menu, select Identities > Users.
- Select + Add User.
- Enter the necessary information, such as the given name and surname.
- Enter the email address of the user as the username in the Company Profile section.
- Enter True in the OTHER field.
- Select Save.
Information: Users can create their own passwords. To do this, select Reset Password. The user receives an email to create a password.
2. Adding user(s) to group
- From the main menu, select Identities > Groups.
- Select the + (plus) sign.
- Enter a friendly name for your group.
- Select Save.
- Select your group, and then Users.
- Select + Add Users Individually.
- From the All Users tab, select user(s) to add to the group.
- Select Save.
3. Assigning the group to application
- From the main menu, select Connections > Applications.
- Select your group.
- Select Access, then edit (the pencil icon).
- From the list of Groups, select your group.
- Select Save.
Step 2. Configuring Acunetix 360
Following the configuration on the Ping Identity side, you need to configure Acunetix 360 for provisioning.
Configuring Acunetix 360 for provisioning
- Log in to Acunetix 360.
- From the main menu, select Team > New Member Invitation.
- Complete the remainder of the fields, as described in How to add a new member in Invicti Enterprise.
- Select Provision new member with SSO.
- Select Provision.
After sending the invitation, the user can log in to Invicti Enterprise via SSO. For further information, see How to Sign In Via Your Identity Provider.
Enabling auto provisioning on Ping Identity
You can allow users to log in to Invicti Enterprise by configuring Ping Identity. To do so, you need to follow the steps specified in Step 1. Configuring Ping Identity. Then, users can log in by using the Initiate Single Sign-On URL specified by Ping Identity.