Ping Identity SAML Integration

This topic will assist you in configuring Agiloft with SAML using Ping Identity as the Identity Provider. For more information on Ping Identity configuration, see Ping Identity Help. It gives you enough information to establish the single sign-on connection between Ping and Agiloft, where Ping acts as the Identity Provider for SAML-based SSO. For more detailed information on some of the Agiloft steps, see SAML 2.0 SSO.

Prerequisites

  • A Ping Identity account, and administrator access. You can sign up for a free trial account to use for testing.
  • Administrator access to your Agiloft knowledgebase.

The full setup below requires you to move between Agiloft and Ping Identity, so you must have your KB and your Ping Identity login open at the same time.

Add a SAML Application in Ping

  1. Log into the Ping Admin Portal Dashboard, and select the Applications tab.
  2. In the My Applications list, select Add Application > New SAML Application.
    1. Add an Application Name, a Description, and upload a logo.
    2. Click Continue to Next Step.
  3. In the Application Configuration screen, with "I have the SAML configuration" selected, download the SAML Metadata to your disk.
  4. Open the metadata file in a text editor such as Notepad++ and copy the contents.
  5. Leave this window open while you configure the SAML wizard in Agiloft.

Enable SAML in Agiloft

  1. Navigate to Setup > Access > Configure SAML 2.0 Single Sign-On.
  2. In the General tab...
    1. Select Enable SAML SSO.
    2. Select Create SAML IdP Authenticated user in Agiloft.
    3. Select Employees in the drop-down to add users to the Table/Subtable shown below.
    4. Select the last checkbox only if you want to synchronize the user attributes in Agiloft with those in Salesforce every time a user logs in. If you leave this deselected, the user's attributes will only be synchronized when the user is first created. 
  3. Select the Service Provider Details tab.
    1. For the Keystore file path, Java KeyStore Password, and Alias to add the certificate to the Java KeyStore...
      1. If you are using Agiloft's hosted service, the fields will be populated by Support.
      2. If you are using an in-house server where Agiloft is installed, see Generate a Keystore File, and refer to the further information in the SAML 2.0 SSO topic to populate the fields.
  4. Open the Identity Provider Details tab.
    1. In the "SAML Metadata XML contents obtained from your IdP" field, paste the contents of the metadata XML file from Ping Identity. This automatically populates the additional Identity Provider Details fields when the SAML wizard is reopened.
    2. Click Finish.
    3. Download the Agiloft X.509 Certificate and SAML 2.0 Service Provider Metadata files and save them to your disk.
  5. Reopen the SAML Configuration wizard.
  6. Leave the Service Provider Details tab open while you continue with the steps below.

Add Agiloft Details in Ping Identity

  1. In the Ping Application setup window, ensure that the Protocol Version is SAML v 2.0.
  2. Click Select File and locate the Agiloft XML file.
  3. When you upload the file, the Assertion Consumer Service (ACS) and Entity ID fields are populated.
  4. In Application URL, enter the base URL for the Agiloft knowledgebase.
  5. Click Choose File next to Primary Verification Certificate, and locate the Agiloft certificate.
  6. Click Continue to Next Step. 
  7. Click Save & Publish. 

Test the Connection

  1. To test the IdP-initiated login, in the Applications menu, select Enabled > Yes for the application you just created.
    1. Click the arrow to the right of the application.
    2. Select the "Initiate Single Sign-On (SSO) URL".
    3. Paste the URL into your browser. It opens an IdP-initiated login to the knowledgebase, with your admin user as a newly created user.
  2. To test the Agiloft-initiated login, point your browser to https://{server}/gui2/samlssologin.jsp?project={kbName}, where {server} is the IP address or FQDN of the server hosting the Agiloft instance and {kbName} is the name of your knowledgebase.
    1. This URL forwards the login assertion to the IdP. You are directed to the Ping Identity SAML login page.
    2. If you selected Create SAML IdP Authenticated user in Agiloft during the setup, a user who does not exist in the ADFS server is automatically provisioned once ADFS authenticates the user successfully.
    3. If you are already logged in and authenticated, you are forwarded directly to the Agiloft interface.