
Configuring Ping Identity Single Sign-On Integration with SAML

This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

Ping Identity software provides federated identity management and intelligent access so users can connect securely to cloud, mobile, and on-premises applications. The platform uses adaptive authentication and SSO for single-click access to all apps, which helps prevent security breaches and simplifies the management of sensitive data.

  • Using Security Assertion Markup Language (SAML), a user can use their managed account credentials to sign in to enterprise cloud applications via Single Sign-On (SSO). An Identity Provider (IdP) service provides administrators with a single place to manage all users and cloud applications. 
  • You don’t have to manage individual user IDs and passwords tied to individual cloud applications for each of your users. An IdP service provides your users with a unified sign-on across all their enterprise cloud applications. 
  • Invicti Enterprise supports both IdP-initiated and SP-initiated SAML flows.
  • Invicti Enterprise can also create new users automatically when the Enable Auto Provisioning option is selected.

If you encounter any problem while setting up SSO integration, see Troubleshooting SSO Issues.

You must use IdP-initiated SSO if you want to use Auto Provisioning.
If you use SP-initiated SSO, set the Name ID Format value to email address on the IdP side.

Single Sign-On Fields

This table lists and explains the Single Sign-On fields in the Configure Single Sign-On window.

Enable
    Select this option to enable the single sign-on feature.
Enforce to authenticate only with single sign-on
    Enable this option so that only administrator users can authenticate without single sign-on. All other users can only sign in to Invicti Enterprise by using the email address that belongs to their employer.
IdP Identifier
    The SAML identity provider’s Identifier value.
SAML 2.0 Service URL
    The Consumer URL value (also called the SSO Endpoint or Recipient URL).
SAML 2.0 Endpoint
    The URL from your IdP’s SSO Endpoint field.
X.509 Certificate
    The X.509 certificate value.


How to add an application to Ping Identity

  1. Log in to your Ping Identity account.
  2. From the main menu, select Connections > Applications.
  3. From the Applications page, select the + (plus) sign.
  4. Enter your application name, then select SAML Application. (For this example, the application’s name is Invicti.)
  5. Select Configure when available after selecting the SAML Application.
  6. From the SAML Configuration, select Manually Enter.
  7. Open a separate tab and log in to Invicti Enterprise.
  8. From Invicti’s main menu, select Settings > Single Sign-On.
    1. Copy SAML 2.0 Service URL and paste it into ACS URLs.
    2. Copy Identifier and paste it into Entity ID.
    3. Select Save Changes.

You have added the application to your Ping Identity account. You now need to configure the application to enable Single Sign-On.

Do not close the Invicti Enterprise tab. In the following steps, you need to copy more information, such as the IdP Identifier, from Ping Identity into Invicti Enterprise.

How to configure Ping Identity Single Sign-On Integration with SAML
  1. From the Applications page, select Invicti.
  2. Next to Invicti, turn on the toggle.
  3. Select the Attribute Mappings tab, then edit (the pencil icon).
    1. For the saml_subject attribute, select Email Address from the PingOne Mappings drop-down.
    2. Select + Add.
    3. Add FirstName to the Attributes field and choose Given Name from the PingOne Mappings drop-down.
    4. Select + Add.
    5. Add LastName to the Attributes field and choose Family Name from the PingOne Mappings drop-down.
    6. Select + Add.
    7. Add OnlySsoLogin to the Attributes field and choose OnlySsoLogin from the PingOne Mappings drop-down. (For further information about adding an attribute, see How to add OnlySsoLogin attribute to Ping Identity.)
    8. Select Save.
  4. Select the Configuration tab, then edit (the pencil icon).
  5. Choose the Sign Assertion and Response option.
  6. Select Save.
  7. From the Connection Details, do the following:
    1. Copy the Issuer ID information, switch to the Invicti Enterprise tab, and paste the ID information into Idp Identifier.
    2. Copy the Single Signon Service, switch to the Invicti Enterprise tab, and paste it into SAML 2.0 Endpoint.
    3. Select Download Signing Certificate to download the certificate (X509 PEM, .crt).
    4. Go to your download location and open the certificate with a text editor.
    5. Copy the X509Certificate information, switch to the Invicti Enterprise tab, and paste it into X.509 Certificate.
  8. On Invicti Enterprise’s Configure Single Sign-On page, select one or more of the following options, if necessary:
    • Enable Auto Provisioning: If enabled, an account is created automatically for IdP-registered users when they first access Invicti Enterprise. For this to work, you must complete the Email Address (required), FirstName, and LastName fields in the Attribute Statements on the IdP side.
    • Require SAML assertions to be encrypted: If enabled, third parties cannot read private data from assertions in transit. There are two options:
      • Generate a new certificate for me: Invicti generates a key pair. Invicti keeps the private key to decrypt received SAML messages and gives you the certificate to upload on the IdP side.
      • I have an existing certificate: Upload your own decryption certificate to Invicti by importing it from your files.
    • Use Alternate Login Email: If enabled, users can use an alternative email address for SSO. You can enter the alternative email on the New Member Invitation page or while editing the user’s details on the Team page.
  9. Select Save Changes on the Invicti Enterprise tab to complete the integration.

Invicti Enterprise informs you that the SSO configuration is saved.
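The following Python script is an added example, not part of Invicti's or Ping Identity's documentation or software. It performs the structural checks that the procedure above sets up, on a SAML Response captured from the browser (for example with the developer tools during a test login): the NameID uses the email address format required for SP-initiated SSO, both the Response and the Assertion carry a Signature element (the Sign Assertion and Response option), and the FirstName, LastName and OnlySsoLogin attributes mapped in the Attribute Mappings step are present. It also converts the downloaded X509 PEM signing certificate into the single base64 value that belongs in the X.509 Certificate field. The sample response, the issuer URL and the certificate bytes are constructed placeholders; cryptographic signature verification is left to xmlsec or a full SAML library.

```python
"""Pre-flight checks for a Ping Identity to Invicti Enterprise SAML setup.

Added example, not Invicti or Ping Identity code. It checks a SAML
Response the way the procedure configures it and normalises the
downloaded signing certificate for the X.509 Certificate field.
Cryptographic signature verification is deliberately out of scope.
"""
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# NameID format that SP-initiated SSO with Invicti requires.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Attribute names from the Attribute Mappings step. Email Address travels
# as the NameID (saml_subject), so it is checked separately.
REQUIRED_ATTRIBUTES = ("FirstName", "LastName", "OnlySsoLogin")


def pem_to_certificate_value(pem: str) -> str:
    """Return the base64 body of a PEM certificate, armour and newlines removed.

    That single base64 string is what goes into the X.509 Certificate
    field. Input without a CERTIFICATE block (e.g. a private key pasted
    by mistake) or whose body is not a DER SEQUENCE raises ValueError.
    """
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if not match:
        raise ValueError("no CERTIFICATE block found in the PEM input")
    body = "".join(match.group(1).split())
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:  # every DER certificate starts with SEQUENCE
        raise ValueError("decoded data is not a DER certificate")
    return body


def check_saml_response(xml_text: str) -> dict:
    """Structural checks on a SAML Response; a True value means the check passed."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    findings = {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_present": assertion is not None,
    }
    if assertion is None:
        return findings
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    findings["assertion_signed"] = assertion.find("ds:Signature", NS) is not None
    findings["nameid_is_email_format"] = (
        name_id is not None and name_id.get("Format") == EMAIL_FORMAT
    )
    attrs = {
        a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    findings["attributes"] = attrs
    # Auto provisioning needs these attributes; list whichever are absent.
    findings["missing_for_auto_provisioning"] = [
        name for name in REQUIRED_ATTRIBUTES if not attrs.get(name)
    ]
    return findings


# Constructed sample: signed Response and Assertion, email-format NameID,
# but the OnlySsoLogin attribute mapping was forgotten.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://auth.pingone.example/ENV-ID-PLACEHOLDER</saml:Issuer>
  <ds:Signature><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://auth.pingone.example/ENV-ID-PLACEHOLDER</saml:Issuer>
    <ds:Signature><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed PEM: a five-byte DER SEQUENCE stands in for a real certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\nMAMC\nAQE=\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print("X.509 Certificate field value:", pem_to_certificate_value(SAMPLE_PEM))
    for key, value in check_saml_response(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

Run the script as-is to see the checks on the constructed sample; the missing OnlySsoLogin attribute appears in missing_for_auto_provisioning, which is exactly the symptom when the step that adds the attribute was skipped. To check a real login, replace SAMPLE_RESPONSE with the decoded SAMLResponse form field and SAMPLE_PEM with the contents of the downloaded .crt file.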

How to add OnlySsoLogin attribute to Ping Identity
  1. From the main menu, select Identities > Attributes.
  2. Select + Add Attribute.
  3. From the Select Attribute Type page, select Declared, then Next.
  4. On the Set Attribute Properties page, enter OnlySsoLogin in the NAME field.
  5. On the Set Attribute Properties page, enter OnlySsoLogin in the DISPLAY NAME field.
  6. Select Save and Close.

To enable provisioning or auto provisioning, you need to create users and groups and assign the group to your application.

Enabling provisioning on Ping Identity

Enabling provisioning has two parts:

  1. Configuring Ping Identity
  2. Configuring Invicti Enterprise

Step 1. Configuring Ping Identity

There are three steps to configure Ping Identity.

  1. Add a user to Ping Identity
  2. Add the user to the group
  3. Assign the group to the application

1. Adding a user to Ping Identity
  1. Log in to Ping Identity.
  2. From the main menu, select Identities > Users.
  3. Select + Add User.
  4. Enter the necessary information, such as the given name and surname.
  5. Enter the user’s email address as the username in the Company Profile section.
  6. Enter True in the OTHER field.
  7. Select Save.

Users can create their own passwords. To do this, select Reset Password. The user receives an email to create a password.

2. Adding user(s) to the group
  1. From the main menu, select Identities > Groups.
  2. Select the + (plus) sign.
  3. Enter a friendly name for your group.
  4. Select Save.
  5. Select your group, and then Users.
  6. Select + Add Users Individually.
  7. From the All Users tab, select user(s) to add to the group.
  8. Select Save.
3. Assigning the group to the application
  1. From the main menu, select Connections > Applications.
  2. Select your group.
  3. Select Access, then edit (the pencil icon).
  4. From the list of Groups, select your group.
  5. Select Save.

Step 2. Configuring Invicti Enterprise

Following the configuration on the Ping Identity side, you need to configure Invicti Enterprise for provisioning.

Configuring Invicti Enterprise for provisioning
  1. Log in to Invicti Enterprise.
  2. From the main menu, select Team > New Member Invitation.
  3. Complete the remainder of the fields, as described in How to add a new member in Invicti Enterprise.
  4. Select Provision new member with SSO.
  5. Select Provision.

After sending the invitation, the user can log in to Invicti Enterprise via SSO. For further information, see How to Sign In Via Your Identity Provider.

Enabling auto provisioning on Ping Identity

You can allow users to log in to Invicti Enterprise by configuring Ping Identity. To do so, follow the steps specified in Step 1. Configuring Ping Identity. Users can then log in by using the Initiate Single Sign-On URL specified by Ping Identity.