Ping Identity SAML Integration
This topic will assist you when configuring Agiloft with SAML using Ping Identity as the Identity Provider. For more information on Ping Identity configuration, see Ping Identity Help. It gives you enough information to establish the single sign-on connection between Ping and Agiloft, where Ping acts as the Identity Provider for SAML-based SSO. For more detailed information on some of the steps in Agiloft, see SAML 2.0 SSO.
Prerequisites
Enable SAML in Agiloft
The full setup requires you to switch between Agiloft and Ping Identity, so open each one in its own browser window so you can easily switch between them.
First, in Agiloft:
- Click the Setup gear in the top-right corner and go to Access > Configure SAML 2.0 Single Sign-On.
- Go to the Service Provider Details tab.
- For the Keystore file path, Java KeyStore Password, and Alias to add the certificate to the Java KeyStore...
- If you are using Agiloft's hosted service, the fields will be populated by Support.
- If you are using an in-house server where Agiloft is installed, see Generate a Keystore File, and refer to the further information in the SAML 2.0 SSO topic to populate the fields.
- Open the Identity Provider Details tab.
- Select "Skip the validation of Identity Provider Details while saving SAML configuration".
- Click Finish.
- Go to Setup > Access and click Download SAML 2.0 Service Provider Metadata. Save the files to your disk.
Add a SAML Application in Ping
To add a SAML application in Ping:
- Log into the Ping Admin Portal Dashboard and select Applications > Applications.
- Click the blue plus icon next to the Applications heading.
- Add an Application Name, a Description, and upload a logo.
- Select SAML Application and click Configure.
- Select Import Metadata, click "Select a file," and open the metadata file you downloaded in the previous section. This populates additional settings to make the connection work properly.
- Click Download Metadata and save the XML file for Ping.
- Click Save.
Continue Agiloft Setup
Back in Agiloft:
- Go to Setup > Access > Configure SAML 2.0 Single Sign-On.
- On the General tab:
- Select Enable SAML SSO.
- Select Create SAML IdP Authenticated user in Agiloft.
- Select Employees in the drop-down to add users to the Table/Subtable shown below.
- Select the last checkbox only if you want to synchronize the user attributes in Agiloft with those in Salesforce every time a user logs in. If you leave this blank, the user's attributes will only be synchronized when the user is first created.
- Go to the Identity Provider Details tab.
- In the "SAML Metadata XML contents obtained from your IdP" field, paste the contents of the metadata XML file from Ping Identity. This will automatically populate the additional Identity Provider Details fields when the SAML wizard is reopened.
- Click Finish.
Complete Ping Setup
Return to Ping Identity.
- Under Attribute Mappings, edit saml_subject and select the PingOne attribute that will be sent as the NameId to Agiloft.
- If you chose to synchronize user attributes, add any other attributes you want to populate and keep in sync.
Force SSO Login
Finally, to make sure users log in with SSO after the transition, manually set new passwords for users who should use SSO instead. To do so:
- Go to the People table and select every user who should use SSO from this point on. Don't select every single user in your system: it's best to leave at least one administrator unchanged, if not the whole admin team, in case you encounter SSO issues in the future that prevent users from logging in with SSO.
- Next, go to Setup > System > Manage Global Variables and check the Customized Variables tab for the Hotlink Type variable. If it has been customized, edit it and reset it to the default value of STANDARD.
You might also notice a setting in the People table called SSO Authentication Method. This field is set automatically by the system when you enable SSO and should not be modified.