You are here:

Ping SAML

The following guide is to help the deployment of an Ping Identity SAML configuration as the authentication provider for Pyramid. Ping Identity is not that different to generic SAML, but there are some key aspects that are unique.

Note: This feature is available with Enterprise licensing only.

Important: If Same Site client security is set to Strict when using SAML authentication, this may cause a loop redirect between Pyramid and the SAML provider, as cookies are prevented from working across different web domains. This shouldn't be an issue if your SAML provider and Pyramid are within the same web domain.

Ping Identity SAML Setup

Create a SAML Application

Login to the admin of Ping identity and go to Applications> Applications and click on the blue plus sign to create a new SAML application.

Provide the following details:

Application Name: Pyramid SAML
Application Type: SAML Application.

Click SAML Application and then set these values.

SAML Configuration: Manually Enter
ACS URLs: Your Pyramid URL with /login/callback on the end
Entity ID: Pyramid

Access

Next enable the application as shown below.

Under access decide who should be able to access the application. If no settings are changed, all users should be able to access the application.

Attribute Mappings

Map saml_subject to any PingOne attribute that you would like to use.

Just note that the value that you send to Pyramid must match the external user ID set in Pyramid.

Setting the provider up in Pyramid

Click on your application> Overview tab in Ping to get the details to fill in the Pyramid provider form.

Then open authentication manager in the Pyramid admin console: Pyramid Admin>Security>Authentication, click the Change Provider button.

Consumer URL: Your Pyramid URL with /login/callback on the end
SAML Issuer: this is the Entity ID you setup under “Add Application continued”
IDP URL: This is the “Single Sign-on Service” from the application overview > Connection details
Logout URL: “Single logout Service” from the application overview > Connection details
Certificate: Click on Download Signing Certificate from the Connection Details section.
External Id: Any user that you gave access to the application. It must match the value you mapped to the subject.

User Provisioning Setup

The Ping Identity SAML provider can be used for auto provisioning in Pyramid. Click here for more details.

Save your changes

Click Apply to start the provider change over process. At this stage, the existing users attached to the previous authentication system need to be converted over.

Admins will be prompted to either:

Delete all existing users and delete their content
Convert old users to the new provider (through the user conversion wizard), and keep their content

Since this exercise cannot be rolled back once the changes are committed, admins need to step through this exercise carefully.

For a detailed explanation and walk-through, click here to see User Conversion

Feedback

Couldn't find what I was looking for

Help was confusing, unclear or incomplete

Instructions didn't work