Ping SAML
The following guide helps you deploy a Ping Identity SAML configuration as the authentication provider for Pyramid. Ping Identity is not very different from generic SAML, but there are some key aspects that are unique to it.
Note: This feature is only available with Enterprise licensing.
Important: If Same Site client security is set to Strict when using SAML authentication, this may cause a redirect loop between Pyramid and the SAML provider, because cookies are prevented from being sent across different web domains. This shouldn't be an issue if your SAML provider and Pyramid are within the same web domain.
Ping Identity SAML Setup
Create a SAML Application
Log in to the Ping Identity admin console, go to Applications > Applications, and click the blue plus sign to create a new SAML application.
Provide the following details:
- Application Name: Pyramid SAML
- Application Type: SAML Application
Click SAML Application and then set these values:
- SAML Configuration: Manually Enter
- ACS URLs: Your Pyramid URL with /login/callback on the end
- Entity ID: Pyramid
Access
Next, enable the application as shown below.
Under Access, decide who should be able to access the application. If no settings are changed, all users should be able to access the application.
Attribute Mappings
Map saml_subject to the PingOne attribute that you want to use as the user identifier.
Note that the value sent to Pyramid in this attribute must match the external user ID set for that user in Pyramid.
Setting the provider up in Pyramid
In Ping, click your application > Overview tab to get the details needed to fill in the Pyramid provider form.
Then open authentication manager in the Pyramid admin console:
- In the Admin Console, click Security > Authentication.
- From the top-right of the page, click Change Provider.
The Authentication Provider page opens with the details of your current Authentication Provider displayed.
The Change Provider page opens. You will copy the details of your new authentication provider into this page, starting by selecting your Provider.
Take all the setup information from the previous steps above to fill in the form:
- Consumer URL: Your Pyramid URL with /login/callback on the end
- SAML Issuer: this is the Entity ID you set up under “Add Application continued”
- IDP URL: this is the “Single Sign-on Service” URL from the application overview > Connection details
- Logout URL: the “Single Logout Service” URL from the application overview > Connection details
- Certificate: Click Download Signing Certificate from the Connection Details section.
- External Id: the ID of any user that you gave access to the application. It must match the value you mapped to saml_subject.
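Most failed Ping-to-Pyramid logins come down to one of three mismatches between the values above and what actually arrives in the assertion: the Destination versus the Consumer URL, the Audience versus the Entity ID, or the subject value versus the Pyramid external user ID. The following is an added example (not Pyramid's or Ping's own code) that parses a constructed, signature-stripped SAML Response and reports those mismatches; the URL, entity ID and user IDs are placeholders. It does not verify the IdP signature, which Pyramid checks against the downloaded signing certificate.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in a Response / Assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values as entered on the Pyramid provider form (placeholders, assumed).
PYRAMID_CONFIG = {
    "consumer_url": "https://pyramid.example.com/login/callback",
    "saml_issuer": "Pyramid",  # the Entity ID set on the Ping application
}

# Constructed sample of what Ping would POST to the ACS URL (signature omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://pyramid.example.com/login/callback">
  <saml:Issuer>https://auth.pingone.example/idp</saml:Issuer>
  <saml:Assertion>
    <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>Pyramid</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, config, known_external_ids):
    """Return the list of mismatches between the assertion and the Pyramid form.

    An empty list means Destination, Audience and subject all line up with the
    Consumer URL, the SAML Issuer (Entity ID) and a known Pyramid external ID.
    Signature validation is deliberately out of scope here.
    """
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != config["consumer_url"]:
        problems.append("Destination does not match the Consumer URL")
    audience = root.findtext(".//saml:Audience", namespaces=NS)
    if audience != config["saml_issuer"]:
        problems.append("Audience does not match the SAML Issuer / Entity ID")
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    if name_id not in known_external_ids:
        problems.append(f"subject {name_id!r} is not a Pyramid external user ID")
    return problems


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, PYRAMID_CONFIG, {"jane.doe@example.com"}))
```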
User Provisioning Setup
The Ping Identity SAML provider can be used for auto provisioning in Pyramid. If you want to use auto provisioning, you will need to set up the app and then specify its settings on the Provider Provisioning tab. For more information, see Ping User Provisioning.
Save your changes
Click Apply to start the provider change-over process. At this stage, the existing users (attached to the previous authentication system) need to be converted over.
Admins will be prompted to either:
- Delete all existing users and their local content. When users are deleted by this process, all their private data (the discoveries, publications, and so on that are stored in their My Content Folder) is "soft deleted." Soft deleted files are moved into the Deleted users content folder and can be restored by an admin if needed.
- Convert old users to the new provider (through the user conversion wizard), and keep their content
Since this process cannot be rolled back once the changes are committed, admins need to step through it carefully.
- Click here for a detailed explanation and walkthrough of User Conversion