PingOne

An Identity Provider (IdP) vouches for the identity of a person through the use of an authentication token. PrinterLogic SaaS uses an IdP for several things, including logging in to the Admin Console and portals, deploying printers, releasing print jobs, and more.

If you use an IdP, the Control Panel Application (CPA) only supports badge and PIN authentication.

Implementation

If you do not have the service provider's (SP) SSO URL for the application (generally a SAML application that already exists in your organization), you will need to configure the necessary SAML settings for the application in order to add it to PingOne.

If you are using the Google Identity Bridge, you cannot add Google applications using this method.

Configure Connection

To add and configure enterprise app properties for the PrinterLogic SaaS connection, do the following:

  1. Create PingOne App.
  2. Add IdP Template.
  3. Add the X-509 Certificate.
  4. Configure Single Sign On.
  5. Configure Provisioning.
  6. SSO Attribute Mapping.
  7. Complete IdP Settings.
  8. JIT Provisioning.
  9. Add PrinterLogic SaaS Admins.

1. Create PingOne App

  1. Log into your PingOne Admin Portal. (https://admin.pingone.com/web-portal/login)
  2. Go to Applications then My Applications then SAML.
  3. Select Add Application then Search Application Catalog.

    The Search Application Catalog option under the expanded Add Application drop-down in the lower left.

  4. Search for SCIM, and select an unused Ping SCIM SaaS Provisioner option.
  5. Select Setup in the lower-right.

Application catalog window showing the SCIM SaaS Provisioner option and the setup button.

Leave the current browser open to the new app page. To continue the app configuration, you need to open another browser and open the PrinterLogic SaaS Admin Console and access the service provider information.

If the IdP Settings page does not look like the image shown below, you may not be using the latest version and should contact Product Support to upgrade your IdP settings.

2. Add IdP Template

When configuring this IdP through PrinterLogic SaaS, use the Custom option in the IdP Template drop-down.

  1. In a separate browser tab, open your PrinterLogic SaaS Admin Console and sign in.
  2. Select Tools then Settings then General, and scroll down to the Identity Provider Settings section.
  3. Select IdP, and then select Add.
  4. Select the identity provider you want to configure in the IdP Template drop-down.
  5. Select SAML2 in the Authentication Protocol section.
  6. In the Provisioning section, if you are using SCIM, leave the JIT option unchecked.

    By default, it is assumed you are using SCIM for provisioning. Only select JIT if SCIM is not being used.

  7. In the Name field, enter the name you want displayed on the login button for users, e.g. My Company, Login, Acme Corp, etc.
  8. Scroll down and select the desired enable setting(s).
    • Enable for End Users Login — Allows end users to log in using this IdP. (Self-service Portal)
    • Enable for Admin Login — Allows Admin users to log in using this IdP. (Admin Console)
    • Both boxes can be checked when using a single IdP, or if the admin and end users use the same IdP to log in.

Keep the IdP Settings screen open so that the Service Provider Information at the bottom is available for the following steps.

IdP Settings window showing the different fields and the Service provider information section.

3. Add the X-509 Certificate

  1. In the 1. SSO Instructions section, select the download link next to the Signing Certificate drop-down.

    SCIM Application window showing the app's SSO instructions information, and the Download option in the upper right.

  2. Open the file in your preferred text editor.
  3. Copy the certificate body, including the Begin / End Certificate headers, and paste it into the PrinterLogic SaaS X-509 Certificate field.

    SAML Certificate opened in Notepad, showing the body of the content highlighted, excluding the begin and end certificate lines.

IdP Settings template showing the X509 cert and other fields configured.

4. Configure Single Sign On

  1. Copy the following URL and paste it in your PrinterLogic SaaS SSO URL field:

    https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=
  2. Copy the PingOne IdP ID and paste it after the idpid= portion at the end of the SSO URL.
  3. Copy the same PingOne IdP ID and paste it into the PrinterLogic SaaS Issuer ID field.
  4. Copy the PingOne Issuer URL and paste it into the PrinterLogic SaaS Issuer URL field.
  5. Select Continue to Next Step.
  6. Copy the PrinterLogic SaaS Reply URL (ACS) and paste it into the PingOne ACS URL field.
  7. Copy the PrinterLogic SaaS Identifier (Entity ID) and paste it into the PingOne Entity ID field.
  8. Copy the PrinterLogic SaaS Relay State and paste it into the PingOne Target Resource field.

PingOne configuration window showing the different URLs and fields, and the Set Up Provisioning option at the bottom.
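
A pre-flight check for the values entered in sections 3 and 4, as an added example (not PrinterLogic or Ping Identity code): it confirms that the SSO URL carries a non-empty idpid matching the Issuer ID, and that the pasted certificate keeps its BEGIN/END lines and decodes cleanly. The function names and all sample values are assumptions constructed for illustration.

```python
import base64
import hashlib
import textwrap
from urllib.parse import parse_qs, urlsplit

PING_SSO_HOST = "sso.connect.pingidentity.com"  # host of the SSO URL in step 1
PING_SSO_PATH = "/sso/idp/SSO.saml2"            # path of the SSO URL in step 1

def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of a pasted certificate, or raise ValueError."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if (len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        raise ValueError("certificate must include the BEGIN/END CERTIFICATE lines")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    if not der.startswith(b"\x30"):  # a DER certificate starts with a SEQUENCE tag
        raise ValueError("decoded body is not DER")
    return der

def check_idp_settings(sso_url: str, issuer_id: str, cert_pem: str) -> list[str]:
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    url = urlsplit(sso_url.strip())
    if url.scheme != "https" or url.hostname != PING_SSO_HOST or url.path != PING_SSO_PATH:
        problems.append("SSO URL is not the PingOne HTTPS SSO endpoint")
    idpid = parse_qs(url.query).get("idpid", [""])[0]
    if not idpid:
        problems.append("SSO URL has nothing after idpid=")
    elif idpid != issuer_id.strip():
        problems.append("Issuer ID does not match the idpid in the SSO URL")
    try:
        pem_to_der(cert_pem)
    except ValueError as exc:  # also covers base64 decoding errors
        problems.append(f"X-509 Certificate field: {exc}")
    return problems

def fingerprint(cert_pem: str) -> str:
    """SHA-256 of the DER bytes, to compare against the file downloaded from PingOne."""
    return hashlib.sha256(pem_to_der(cert_pem)).hexdigest()

# Constructed placeholder values: not a real certificate or PingOne IdP ID.
SAMPLE_DER = b"\x30\x40" + bytes(range(64))
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + "\n".join(
    textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64)) + "\n-----END CERTIFICATE-----\n"
SAMPLE_IDP_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_URL = f"https://{PING_SSO_HOST}{PING_SSO_PATH}?idpid={SAMPLE_IDP_ID}"

if __name__ == "__main__":
    print(check_idp_settings(SAMPLE_URL, SAMPLE_IDP_ID, SAMPLE_PEM) or "settings consistent")
    print("SHA-256:", fingerprint(SAMPLE_PEM))
```

Running the fingerprint on both the downloaded file and the text copied back out of the X-509 Certificate field shows whether the paste altered the certificate.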

5. Configure Provisioning

If you are configuring PingOne using JIT Provisioning, select Continue to Next Step in the PingOne portal, and skip to the 6. SSO Attribute Mapping section below.

SCIM Provisioning

Enable SCIM Provisioning

  1. In PingOne, scroll down to the PingOne dock URL section and check the box for Set Up Provisioning.

    Connection Configurations window with the Set Up Provisioning checkbox enabled.

  2. Select Continue to Next Step.
  3. On the 3. Provisioning Instructions window, select Continue to Next Step.
  4. Copy the PrinterLogic SaaS SCIM Tenant and paste it into the PingOne SCIM_URL field.
  5. In the AUTHENTICATION_METHOD drop-down, select OAuth 2 Bearer Token.
  6. Select Apply in PrinterLogic SaaS.
  7. Select Save at the top-right corner of the General page.

Application Configuration section showing the SCIM fields.

Generate / Apply SCIM Token

  1. In the PrinterLogic SaaS General settings, select the SCIM option in the Identity Provider Settings section.
  2. Select your IdP configuration in the drop-down menu.
  3. Select Generate SCIM Token.

    SCIM section showing the IdP selected in the drop-down, and the Generate SCIM Token button to the right.

    Generating a SCIM token invalidates any previous tokens for that IdP.

  4. Select Proceed.
  5. Copy the token, close the modal, and select Save at the top-right corner of General settings.
  6. Paste the token into the PingOne OAUTH_ACCESS_TOKEN field.
  7. Select Continue to Next Step in PingOne.

6. SSO Attribute Mapping

  1. Scroll to the bottom of the PingOne screen and select Add New Attribute.
  2. Add the four attributes listed below.
    1. givenName (sso) / First Name.
    2. familyName (sso) / Last Name.
    3. Login (sso) / SAML_SUBJECT.
    4. email (sso) / Email (Work).
  3. Select Continue to Next Step in the lower-right.
  4. If desired, give your app a different Icon, Name, Description, and Category.
  5. Select Continue to Next Step in the lower-right.
  6. Add any Groups you would like to the app. (SCIM option only; JIT does not support groups.)
  7. Select Continue to Next Step in the lower-right.
  8. Review the data on the screen, then select Finish.

Attribute window showing the Add New Attribute button and the four added values.

7. Complete IdP Settings

  1. On the PrinterLogic SaaS General page, navigate back to the Identity Provider Settings section.
  2. To have PrinterLogic SaaS prompt your users to authenticate through the IdP when performing any function requiring authorization, such as installing a printer, select the Automatically Open Browser to Login on Desktop Client option.

    If this option is not selected, the user must manually navigate to the IdP login screen to sign in.

  3. We recommend enabling the Use Loopback with SAML2 option. The IdP needs to provide an authentication token to the desktop clients whenever authentication happens. This option allows the client to handle the token and automatically log in without interaction from end users.

    General tab's Identity Provider Settings section with the IdP option selected and two additional options selected below the IdP.

  4. The option to Use Domain User (Windows only) will automatically authorize domain-joined Windows users and not require login via the configured IdPs.
  5. Select Save in the top-right corner of the General page.

8. JIT Provisioning

These steps are only for configurations using JIT Provisioning. If you have already configured PingOne using SCIM Provisioning, skip to 9. Add PrinterLogic SaaS Admins.

JIT Provisioning

JIT does not support the provisioning of group membership associations, so you cannot apply RBAC roles, printer deployments or portal security roles to groups. All assignments have to be done individually for each user.

When using JIT Provisioning, the application creates users during the first sign-in attempt.

  1. Access your PrinterLogic SaaS instance and select Sign in with <IdP Name>.
  2. Attempt to log in with your IdP credentials.
  3. This login attempt will fail and return you to the PrinterLogic SaaS login page.

    This is expected. With JIT, this action triggers the user creation in PrinterLogic SaaS.

  4. The following login attempt with valid credentials initiates a typical login sequence.

Administrators who need access to the Admin Console still need to be added to the Tools then Users page using the steps in Admin Console Users.

9. Add PrinterLogic SaaS Admins

For steps on assigning users and roles to the PrinterLogic SaaS Admin Console, reference Admin Console Users.