Ping Identity Single Sign-on

This section explains how to configure SSO for authenticating users with the PCE using Ping Identity as your Identity Provider (IdP).

Configure SSO for Ping Identity

Before you begin, make sure you have this information from your Ping Identity SSO account: 

  • x.509 certificate
  • Remote Login URL
  • Logout Landing URL

NOTE:

Your PCE user account must have Owner or Admin privileges to perform this task.

To configure the PCE for Ping Identity SSO: 

  1. From the PCE web console menu, choose Settings > SSO Config.
  2. Click Edit.
  3. Select SAML from the Select SSO method drop-down list and click Configure.
  4. Enter the following information:

    • SAML Identity Provider Certificate: Paste your Ping Identity x.509 certificate (in PEM text format).
    • Remote Login URL: Enter the Ping Identity Remote Login URL.
    • Logout Landing URL: Enter the Ping Identity Logout Landing URL.

  5. In the Information for Identity Provider section, make note of the following fields:

    • Issuer
    • NameID Format
    • Assertion Consumer URL
    • Logout URL

  6. Select the authentication method from the drop-down list:

    • Unspecified: Uses the IdP default authentication mechanism.

    • Password Protected Transport: Requires the user to log in with a password using a protected session.

  7. To require users to re-enter their login information to access Illumio (even if the session is still valid), check the Force Re-authentication checkbox. This allows users to log in to the PCE using a different login than their default computer login and is disabled by default.

    NOTE:

    When SSO is configured both in Illumio Core and for the IdP, the preferences in Illumio Core are used. When SSO is not configured in Illumio Core, the default IdP settings are used.

  8. Click Save.
  9. Log in to your Ping Identity account.
  10. Select the Applications tab and add the Illumio app.
  11. Click Edit and enter the following values you just noted from Illumio:

    • ACS URL: Enter the value from the Assertion Consumer URL field in the PCE web console.
    • Entity ID: Enter the value from the Issuer field in the PCE web console.
    • Single Logout Endpoint: Enter the value from the Logout URL field in the PCE web console.
    • Single Logout Response Endpoint: Enter the value from the Logout URL field in the PCE web console.

  12. Click Continue to Next Step.
  13. Configure the SAML_SUBJECT attribute mapping: under Advanced Attribute Mapping, next to Name ID Format to send to SP, select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

  14. Click Save.

    Your PCE is now configured to use Ping Identity SSO for authenticating users with the PCE.
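As an added example (not code from the Illumio documentation or the PCE itself), the following Python shows how the values exchanged above map onto the SAML 2.0 response an SP checks on every login: the PCE Issuer is the expected Audience, the Assertion Consumer URL is the expected Destination, the NameID Format must be emailAddress, and the Password Protected Transport setting becomes a required AuthnContextClassRef. All URLs and the sample response are constructed placeholders; signature verification against the IdP x.509 certificate from step 4 is noted but not implemented.

```python
import xml.etree.ElementTree as ET  # parse untrusted responses with defusedxml instead
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Placeholder SP settings standing in for the PCE's Issuer and Assertion Consumer URL fields.
SP = {"issuer": "https://pce.example.invalid/login",           # Issuer / Entity ID (placeholder)
      "acs_url": "https://pce.example.invalid/login/acs/saml",  # Assertion Consumer URL (placeholder)
      "idp_issuer": "https://idp.example.invalid",             # what the IdP presents as its Issuer
      "require_ppt": True}  # authentication method set to Password Protected Transport

def check_response(xml_text, sp, now):
    """Return the mismatches between a SAML Response and the SP configuration (empty = accept).
    Signature verification (XML-DSig with the IdP certificate) must pass before these checks mean anything."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != sp["acs_url"]:
        problems.append("Destination does not match the Assertion Consumer URL")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return ["Response carries no Assertion"]
    if a.findtext("saml:Issuer", namespaces=NS) != sp["idp_issuer"]:
        problems.append("Assertion issued by an unexpected IdP")
    cond = a.find("saml:Conditions", NS)
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != sp["issuer"]:
        problems.append("Audience does not match the PCE Issuer / Entity ID")
    nb, noa = (datetime.fromisoformat(cond.get(k).replace("Z", "+00:00")) for k in ("NotBefore", "NotOnOrAfter"))
    if not (nb <= now < noa):
        problems.append("Assertion is outside its validity window")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        problems.append("NameID Format is not emailAddress")
    ctx = a.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    if sp["require_ppt"] and ctx != PPT:
        problems.append("AuthnContextClassRef is not PasswordProtectedTransport")
    return problems

# Constructed, unsigned sample response (not captured from a real IdP) that matches SP.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{SP['acs_url']}">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{SP['idp_issuer']}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{EMAIL_FMT}">alice@example.invalid</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP['issuer']}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z"><saml:AuthnContext><saml:AuthnContextClassRef>{PPT}</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""
NOW = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)  # a moment inside the sample's validity window
```

Running `check_response(SAMPLE, SP, NOW)` returns an empty list; changing any one SP value (for example the ACS URL) or moving `NOW` past NotOnOrAfter yields the corresponding mismatch.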