Configuring Ping Identity
Note: These instructions pertain to Step 2 of the overall identity provider process.
To configure Ping Identity as your identity provider for Prysm, you need to complete the two sets of interrelated steps below.
Configuring Ping Identity to work with Prysm
Follow these steps:
1. Sign in as administrator to the Ping Identity administration portal (https://admin.pingone.com/web-portal/login).
2. Click the Applications tab.
3. Click Add Application.
4. Select SAML.
5. In the Application Details section, complete the fields and click Continue to Next Step.
6. On the Application Configuration page, click I have the SAML configuration.
7. In the Protocol Version field, select SAML v2.0.
Tip: For fields not mentioned specifically in these steps, you can leave them blank or with default values, because they aren't needed for integration with Prysm.
8. In the Assertion Consumer Service (ACS) field, enter the string from the Callback URL field in Prysm Admin Portal. (See Step 6 of your Prysm configuration.)
9. In the Entity ID field, enter app.prysm.com. (See Step 11 of your Prysm configuration.)
10. In the Signing Algorithm field, select RSA_SHA256.
11. Click Continue to Next Step.
12. In the SSO Attribute Mapping section, map the following items in the Application Attribute fields to Identity Bridge Attributes. (Uncheck the As Literal check box for each item.)
    - FirstName to First Name
    - LastName to Last Name
    - email to Email
    - Groups to memberOf
Tip: If any attributes listed here are not in Ping Identity, add them.
13. Also in the SSO Attribute Mapping section, add and map another item, as follows:
    - Click the Add new attribute button.
    - In the Application Attribute field, enter SAML_SUBJECT.
    - In the Literal Value field, enter SAML_SUBJECT.
    - On the SAML_SUBJECT line, click the Advanced button. The Advanced Attribute Options dialog box opens.
    - In the Name ID format to send to SP field, type urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress or select it from the drop-down list.
    - Click the Save button. The dialog box closes.
14. In the SSO Attribute Mapping section, click Save and Publish.
15. On the Review Setup page, download the file from the SAML Metadata field.
16. Click Finish.
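The attribute mapping and NameID format configured above decide what Prysm receives in each assertion. The Python below is an added example, not Prysm's or Ping Identity's code: it parses a constructed sample assertion and reports any attribute or NameID Format mismatch against that mapping. It assumes the Application Attribute names (FirstName, LastName, email, Groups) are the attribute names that appear in the assertion, and the example.invalid host and group IDs are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Application Attribute names from the mapping above; assumed to be the
# attribute names that appear in the assertion Ping Identity sends to Prysm.
REQUIRED_ATTRS = ("FirstName", "LastName", "email", "Groups")

# Constructed sample assertion (no Signature element; not a real IdP response).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.invalid</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.invalid</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>org-admins-group-id</saml:AttributeValue>
      <saml:AttributeValue>basic-users-group-id</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_attributes(xml_text):
    """Return ({attribute name: [values]}, NameID value, NameID Format)."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        return attrs, None, None
    return attrs, name_id.text, name_id.get("Format")

def check_assertion(xml_text):
    """List mismatches against the mapping above; an empty list means it matches."""
    attrs, name_id, fmt = extract_attributes(xml_text)
    problems = [f"missing attribute {name}" for name in REQUIRED_ATTRS if not attrs.get(name)]
    if fmt != EMAIL_NAMEID:
        problems.append(f"NameID Format is {fmt!r}, expected {EMAIL_NAMEID}")
    if name_id and attrs.get("email") and name_id != attrs["email"][0]:
        problems.append("NameID does not match the email attribute")
    return problems

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION) or "assertion matches the Prysm mapping")
```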
Configuring Prysm to work with Ping Identity
Follow these steps:
1. Impersonate the account you want to configure.
2. In Admin Portal, click Identity Provider.
3. On the Identity Providers page, set the Enable SSO toggle to On.
4. In the Identity Provider field, select Ping Identity. When you select Ping Identity, the Protocol field is automatically set to SAML 2.0.
5. In the Auto Provisioning field, set the toggle to On or Off.
    - On: When Auto Provisioning is On, users who attempt to sign in to Prysm for the first time see the Ping Identity sign-in page. When they sign in to Ping Identity, Prysm automatically creates that user in Prysm.
    - Off: When Auto Provisioning is Off, a Prysm administrator must create a user record for each user before that user signs in to Prysm for the first time. Then, when the user attempts to sign in to Prysm, she enters her Ping Identity sign-in information and is able to access Prysm.
Note: If you turn on Auto Provisioning, contact Prysm support at support@prysm.com. Prysm support must add your domain to a whitelist.
6. In the Callback URL field, verify that the URL matches the URL you entered in the Assertion Consumer Service (ACS) field in Step 8 of your Ping Identity configuration.
7. In the SPID field, leave the field empty.
8. In the Attach SAML Request field, set the toggle to On. When Attach SAML Request is On, the request to redirect to Ping Identity's sign-in page is attached.
Warning: If Attach SAML Request is set to Off, the Ping Identity integration will not work correctly.
9. In the Entry Point field, enter the URL of the Ping Identity sign-in page. This is the Location value from the node <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/> in the SAML Metadata file you downloaded in Step 15 of your Ping Identity configuration.
10. In the Certificate field, enter the X.509 certificate from the SAML Metadata file you downloaded in Step 15 of your Ping Identity configuration (use the certificate located in the <md:KeyDescriptor use="signing"> node).
11. In the Issuer field, enter app.prysm.com. (See Step 9 of your Ping Identity configuration.)
12. In the Org_Admin field, map the group ID for Org Admins from your configuration of Ping Identity. (See Step 12 of your Ping Identity configuration.)
13. In the Basic_User field, map the group ID for Basic Users from your configuration of Ping Identity. (See Step 12 of your Ping Identity configuration.)
14. If the Auto Provisioning toggle is set to On, the PAS User Field Name field is automatically set to IdP Attribute Name when a user is auto-provisioned.
15. In the First Name and Last Name fields, enter the values that you mapped in Step 12 of your Ping Identity configuration.
16. In the Groups field, enter the values that you mapped in Steps 12 and 13 of your Ping Identity configuration. For more information, see Associating Prysm permission groups and identity provider groups.
Warning: Role mapping must be configured for at least one group.
17. In the Enforce SSO field, set the toggle to On or Off.
    - On: When Enforce SSO is On, users can sign in only one way: with their Ping Identity credentials.
    - Off: When Enforce SSO is Off, users can sign in two ways: with their Ping Identity credentials or with their Prysm credentials.
Warning: Before you change this setting and click Save in the next step, be sure to test your IdP configuration with at least one user. If you click Save to convert all your users to IdP authentication without testing, and something in your configuration is not correct, you can lock all users out of their accounts.
18. Click Save.
19. To ensure a successful identity provider integration, move on to Step 3 and complete the entire Process for Configuring Identity Providers.
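The Entry Point and Certificate fields are filled from the downloaded SAML Metadata file by hand, and the two easy mistakes are picking the HTTP-POST Location instead of HTTP-Redirect, or the encryption certificate instead of the signing one. The Python below is an added example, not Prysm's or Ping Identity's code: it pulls exactly those two values out of a constructed sample metadata file and refuses to guess when they are absent. The example.invalid URLs and certificate bodies are constructed placeholders, and joining the certificate into one base64 string is an assumption about the form the Certificate field accepts.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IdP metadata; the certificate bodies are placeholders, not real certificates.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.invalid/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICencryptionPLACEHOLDER==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIICsigningPLACEHOLDER
        lineTwo==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.invalid/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.invalid/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def prysm_settings_from_metadata(xml_text):
    """Return {'entry_point': ..., 'certificate': ...} for the Prysm Admin Portal fields."""
    root = ET.fromstring(xml_text)
    idp = root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    # Entry Point: only the HTTP-Redirect binding, never the HTTP-POST one.
    redirect = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                if s.get("Binding") == HTTP_REDIRECT]
    if len(redirect) != 1:
        raise ValueError(f"expected one HTTP-Redirect SingleSignOnService, found {len(redirect)}")
    # Certificate: the signing key; a KeyDescriptor with no use attribute covers both uses.
    keys = idp.findall("md:KeyDescriptor", NS)
    signing = [k for k in keys if k.get("use") == "signing"] or [k for k in keys if k.get("use") is None]
    if not signing:
        raise ValueError("metadata has no signing KeyDescriptor")
    cert = signing[0].find(".//ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        raise ValueError("signing KeyDescriptor has no X509Certificate")
    # Metadata wraps the base64 body over several lines; join it (assumed form for the Certificate field).
    return {"entry_point": redirect[0], "certificate": "".join(cert.text.split())}

if __name__ == "__main__":
    for field, value in prysm_settings_from_metadata(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```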