Ping Identity SAML Integration

This topic will assist you when configuring Agiloft with SAML using Ping Identity as the Identity Provider. For more information on Ping Identity configuration, see Ping Identity Help. It will give you enough information to establish the single sign-on connection between Ping and Agiloft, where Ping acts as the Identity Provider for SAML-based SSO. For more detailed information on some of the steps in Agiloft, see SAML 2.0 SSO.

Prerequisites

These steps require a Ping Identity account with administrator access. You can sign up for a free trial account to use for testing. You also need admin access to your Agiloft Knowledgebase.

Enable SAML in Agiloft

The full setup requires you to switch between Agiloft and Ping Identity, so open each one in its own browser window so you can easily switch between them.

First, in Agiloft:

  1. Click the Setup gear in the top-right corner and go to Access > Configure SAML 2.0 Single Sign-On.
  2. Go to the Service Provider Details tab.
    1. For the Keystore file path, Java KeyStore Password, and Alias to add the certificate to the Java KeyStore:
      1. If you are using Agiloft's hosted service, the fields will be populated by Support.
      2. If you are using an in-house server where Agiloft is installed, see Generate a Keystore File, and refer to the further information in the SAML 2.0 SSO topic to populate the fields.
  3. Open the Identity Provider Details tab.
    1. Select "Skip the validation of Identity Provider Details while saving SAML configuration".
    2. Click Finish.
  4. Go to Setup > Access and click Download SAML 2.0 Service Provider Metadata. Save the files to your disk.

Add a SAML Application in Ping

To add a SAML application in Ping:

  1. Log into the Ping Admin Portal Dashboard and select Applications > Applications.
  2. Click the blue plus icon next to the Applications heading.
  3. Add an Application Name, a Description, and upload a logo.
  4. Select SAML Application and click Configure.
  5. Select Import Metadata, click "Select a file," and open the metadata file you downloaded in the previous section. This populates additional settings to make the connection work properly.
  6. Click Download Metadata and save the XML file for Ping.
  7. Click Save.

Continue Agiloft Setup

Back in Agiloft:

  1. Go to Setup > Access > Configure SAML 2.0 Single Sign-On.
  2. On the General tab:
    1. Select Enable SAML SSO.
    2. Select Create SAML IdP Authenticated user in Agiloft.
    3. Select Employees in the drop-down to add users to the Table/Subtable shown below.
    4. Select the last checkbox only if you want to synchronize the user attributes in Agiloft with those in Salesforce every time a user logs in. If you leave this blank, the user's attributes will only be synchronized when the user is first created.
    General tab options
  3. Go to the Identity Provider Details tab.
  4. In the "SAML Metadata XML contents obtained from your IdP" field, paste the contents of the metadata XML file from Ping Identity. This will automatically populate the additional Identity Provider Details fields when the SAML wizard is reopened.
  5. Click Finish.

Complete Ping Setup

Return to Ping Identity.

  1. Under Attribute Mappings, edit saml_subject and select the PingOne attribute that will be sent as the NameId to Agiloft.
  2. If you chose to synchronize user attributes, add any other attributes you want to populate and keep in sync.

Force SSO Login

Finally, to make sure users log in with SSO after the transition, manually set new passwords for users who should use SSO instead. To do so:

  1. Go to the People table and select every user who should use SSO from this point on.

    Don't select every single user in your system. It's best to leave at least one administrator unchanged, if not the whole admin team, in case you encounter SSO issues in the future that prevent users from logging in with SSO.

  2. Click Mass Edit, or Edit Fields, in the action bar.
  3. Select the Password field, then click Next to proceed to the Update tab.
  4. Select the Standard text option and leave the value blank.
  5. Click Next, then Finish.
  6. Now, go to Setup Employees and go to the Layout tab. If you will use SSO for every user in the system, including external users, go to Setup People instead.
  7. Remove the Password field from the layout. This prevents users from manually setting a new password and potentially using it to log in instead of SSO.

Next, go to Setup > System > Manage Global Variables and check the Customized Variables tab for the Hotlink Type variable. If it has been customized, edit it and reset it to the default value of STANDARD.

You might also notice a setting in the People table called SSO Authentication Method. This field is set automatically by the system when you enable SSO and should not be modified.