
Ping Identity SAML Integration

This topic walks you through configuring Agiloft with SAML using Ping Identity as the Identity Provider. For more information on Ping Identity configuration, see Ping Identity Help. It gives you enough information to establish the single sign-on connection between Ping and Agiloft, where Ping acts as the Identity Provider for SAML-based SSO. For more detailed information on some of the Agiloft steps, see SAML 2.0 SSO.

Prerequisites

These steps require a Ping Identity account with administrator access. You can sign up for a free trial account to use for testing. You also need admin access to your Agiloft Knowledgebase.

Add a SAML Application in Ping

The full setup requires you to switch between Agiloft and Ping Identity, so open each one in its own browser window so you can easily switch between them.

To add a SAML application in Ping:

  1. Log into the Ping Admin Portal Dashboard, and select the Applications tab.  
  2. In the My Applications list, select Add Application > New SAML Application.
  3. Add an Application Name, a Description, and upload a logo.
  4. Click Continue to Next Step.
  5. In the Application Configuration screen, with "I have the SAML configuration" selected, download the SAML Metadata to your disk. 
  6. Open the metadata file in a text editor such as Notepad++ and copy the contents. 
  7. Leave this window open while you configure the SAML wizard in Agiloft.

Enable SAML in Agiloft

  1. Click the Setup gear in the top-right corner and go to Access > Configure SAML 2.0 Single Sign-On.
  2. In the General tab:
    1. Select Enable SAML SSO.
    2. Select Create SAML IdP Authenticated user in Agiloft.
    3. Select Employees in the drop-down to add users to the Table/Subtable shown below.
    4. Select the last checkbox only if you want to synchronize the user attributes in Agiloft with those in Salesforce every time a user logs in. If you leave this deselected, the user's attributes are synchronized only when the user is first created.
      (Figure: General tab options)
  3. Select the Service Provider Details tab.
    1. For the Keystore file path, Java KeyStore Password, and Alias fields, which add the certificate to the Java KeyStore:
      1. If you are using Agiloft's hosted service, the fields are populated by Support.
      2. If you are using an in-house server where Agiloft is installed, see Generate a Keystore File, and refer to the further information in the SAML 2.0 SSO topic to populate the fields.
  4. Open the Identity Provider Details tab.
    1. In the "SAML Metadata XML contents obtained from your IdP" field, paste the contents of the metadata XML file from Ping Identity. This will automatically populate the additional Identity Provider Details fields when the SAML wizard is reopened. 
    2. Click Finish. 
  5. Download the Agiloft X.509 Certificate and SAML 2.0 Service Provider Metadata files and save them to your disk.
  6. Click Configure SAML 2.0 Single Sign-On to reopen the SAML configuration wizard. 
  7. Leave the Service Provider Details tab open while you continue with the steps below. 

Add Agiloft Details in Ping Identity

In Ping Identity:

  1. In the Ping Application setup window, ensure that the Protocol Version is SAML v 2.0.
  2. Click Select File and locate the Agiloft XML file. When you upload the file, the Assertion Consumer Service (ACS) and Entity ID fields are populated automatically.
  3. In Application URL, enter the base URL for the Agiloft knowledgebase.
  4. Next to Primary Verification Certificate, click Choose File and locate the Agiloft certificate.
  5. Next to Signing, select Sign Response.
  6. For the Signing Algorithm, select RSA_SHA256.
  7. Click Continue to Next Step. 
  8. Click Save & Publish. 
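Both sides of this setup rely on metadata files exchanged by hand: the Ping metadata you paste into the Agiloft wizard, and the Agiloft metadata Ping reads to populate the ACS and Entity ID fields. The following added example (not code from Agiloft or Ping Identity) parses a SAML 2.0 metadata document, extracts those fields, and flags the two things worth checking before pasting: endpoints that are not HTTPS and a missing or undecodable signing certificate. The entityID, URLs and certificate bytes in the sample are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample shaped like IdP metadata. The certificate value is a few
# placeholder DER bytes, not a real Ping Identity certificate.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIBAgECAQ==</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.test/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_metadata(xml_text):
    """Return entityID, SSO/ACS endpoints, signing-cert count and warnings for IdP or SP metadata."""
    root = ET.fromstring(xml_text)
    result = {"entityID": root.get("entityID"), "endpoints": [], "signing_certs": 0, "warnings": []}
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]  # strip the namespace from the element name
        if tag in ("SingleSignOnService", "AssertionConsumerService"):
            location = elem.get("Location") or ""
            binding = elem.get("Binding", "").rsplit(":", 1)[-1]  # e.g. HTTP-POST
            result["endpoints"].append((tag, binding, location))
            if not location.startswith("https://"):
                result["warnings"].append(f"{tag} endpoint is not HTTPS: {location}")
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # an absent 'use' means signing and encryption
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode(cert.text.strip())
            if der[:1] == b"\x30":  # DER SEQUENCE tag: the value at least looks like a certificate
                result["signing_certs"] += 1
            else:
                result["warnings"].append("X509Certificate does not decode to DER")
    if result["signing_certs"] == 0:
        result["warnings"].append("no signing certificate: signed responses cannot be verified")
    return result
```

Run it against the real Ping metadata before pasting it into the wizard; the HTTP-Redirect endpoint in the sample is deliberately plain HTTP to show what a warning looks like.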

Test the Connection

In Ping Identity, test the connection:

  1. To test the IdP-initiated login, in the Applications menu, select Enabled > Yes for the application you just created.  
    1. Click the arrow to the right of the application. 
    2. Select the "Initiate Single Sign-On (SSO) URL".
    3. Paste the URL into your browser. It opens an IdP-initiated login to the knowledgebase, with your admin user as a newly created user.
  2. To test the Agiloft-initiated login, point your browser to: https://{server}/gui2/samlssologin.jsp?project={kbName}, where {server} is the IP address or FQDN of the server hosting the Agiloft instance and {kbName} is the name of your knowledgebase.
    1. This URL forwards the login request to the IdP. You are directed to the Ping Identity SAML login page.
    2. If you selected Create SAML IdP Authenticated user in Agiloft during the setup and the user does not exist in the ADFS server, they are provisioned automatically once ADFS authenticates the user successfully.
    3. If you are already logged in and authenticated, you are forwarded directly to the Agiloft interface.
