PingOne

An Identity Provider (IdP) vouches for the identity of a person through the use of an authentication token. Virtual Appliance uses IdP for several things, including logging in to the Admin Console and portals, deploying printers, releasing print jobs, and more.

If you use an IdP, the Control Panel Application (CPA) only supports badge and PIN authentication.

Configure Connection

To add and configure enterprise app properties for the Virtual Appliance connection, do the following:

  1. Create PingOne App.
  2. Add IdP Template.
  3. Add the X-509 Certificate.
  4. Configure Single Sign On.
  5. Configure Provisioning.
  6. Complete IdP Settings.
  7. JIT Provisioning.
  8. Add Virtual Appliance Admins.

1. Create PingOne App

  1. Log into your PingOne Admin Portal.
  2. Go to Applications then Application Catalog.

    Applications menu item showing the Application Catalog sub option selected.

  3. Search for SCIM, and select an unused Ping SCIM SaaS Provisioner option.
  4. Enter a Name for your app then select Next.
  5. Add the following attribute mappings on the Map Attributes tab.
    1. SAML_Subject / Username
    2. FirstName / Given Name
    3. LastName / Family Name
    4. Email / Email Address
  6. Select Next.
  7. Add the desired Groups, then select Save.
  8. Select View in Applications list.

    View in Applications list message to the right of the created App.

  9. Select Enable Advanced Configuration, then Enable in the modal.

    Enable Advanced Configuration bubble.

PingOne Attributes window showing the mapped attributes and the Next button in the lower right.

Leave the current browser open to the new app page. To continue the app configuration, you need to open another browser and access the service provider information.

If the IdP Settings page does not look like the image shown below, you may not be using the latest version and should contact Product Support to upgrade your IdP settings.

2. Add IdP Template

When configuring this IdP through Virtual Appliance, use the Custom option in the IdP Template drop-down.

  1. In a separate browser tab, open your Virtual Appliance Admin Console and sign in.
  2. Select Tools then Settings then General, and scroll down to the Identity Provider Settings section.
  3. Select IdP, and then select Add.
  4. Select the identity provider you want to configure in the IdP Template drop-down.
  5. Select SAML2 in the Authentication Protocol section.
  6. For Provisioning, check the box for JIT provisioning. JIT is assumed to be the provisioning method for most Virtual Appliance applications.

    When you consider how to set up your IdP configuration, be aware that SCIM provisioning requires an open connection from the IdP into the Virtual Appliance instance gateway container. We recommend JIT provisioning when setting up your IdP connection.

  7. In the Name field, enter the name you want displayed on the login button for users, e.g. My Company, Login, Acme Corp, etc.
  8. Scroll down and select the desired enable setting(s).
    • Enable for End Users Login — Allows end users to log in using this IdP. (Self-service Portal)
    • Enable for Admin Login — Allows Admin users to log in using this IdP. (Admin Console)
    • Both boxes can be checked when using a single IdP, or if the admin and end users use the same IdP to log in.

Keep the IdP Settings screen open so that the Service Provider Information at the bottom is available for the following steps.

IdP Settings window showing the different fields and the Service provider information section.

3. Add the X-509 Certificate

  1. In PingOne, select the Configuration tab.
  2. Select Download Signing Certificate.
  3. Select the X509 PEM (.crt) option.
  4. Open the file in your preferred text editor.
  5. Copy the certificate body, including the Begin / End Certificate headers, and paste it into the Admin Console X-509 Certificate field.

    SAML Certificate opened in Notepad, showing the body of the content highlighted, excluding the begin and end certificate lines.

IdP Settings template showing the X509 cert and other fields configured.

4. Configure Single Sign On

  1. Select the Edit icon in the upper right of the Configuration tab.
  2. Copy the Admin Console Reply URL (ACS) and paste it into the PingOne ACS URLS field.
  3. Copy the Admin Console Identifier (Entity ID) and paste it into the PingOne Entity ID field.
  4. Copy the Admin Console Relay State and paste it into the PingOne Target Application URL field.
  5. Select Save in PingOne.
  6. Copy the PingOne Issuer ID and paste it into the Admin Console Issuer URL field.
  7. Copy the PingOne Initiate Single Sign-On URL and paste it into the Admin Console SSO URL field.
  8. Select Apply in the Admin Console.
  9. Select Save in Admin Console.

PingOne app's Configuration tab with the URLs and copy icons displaying.
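Added example (not part of the original guide or the product's code): a minimal parser for the kind of SAML2 assertion PingOne sends once the attribute mappings from step 1.5 are in place, checking the assertion's Issuer and Audience against the Issuer URL and Entity ID exchanged in step 4. The sample assertion, the two expected URLs and the internal key names are constructed placeholders; signature verification with the X-509 certificate from step 3 is assumed to have happened already and is not shown.

```python
"""Check a SAML2 assertion against the values configured in the Admin Console."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values as entered in the Admin Console (hypothetical placeholders).
EXPECTED_ISSUER = "https://auth.pingone.example/idp/issuer"  # Issuer URL field
EXPECTED_AUDIENCE = "https://va.example.com/saml/metadata"   # Identifier (Entity ID)

# PingOne attribute names from the Map Attributes tab -> keys used here.
ATTRIBUTE_MAP = {"FirstName": "given_name", "LastName": "family_name", "Email": "email"}

# Constructed sample assertion; SAML_Subject maps to the NameID element.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_sample" Version="2.0">
  <saml:Issuer>https://auth.pingone.example/idp/issuer</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>https://va.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_user(assertion_xml, issuer=EXPECTED_ISSUER, audience=EXPECTED_AUDIENCE):
    """Return the mapped user record, or raise ValueError if the assertion
    was not issued by the configured IdP, is not addressed to this SP, or
    lacks one of the mapped attributes."""
    root = ET.fromstring(assertion_xml)
    got_issuer = root.findtext("saml:Issuer", namespaces=NS)
    if got_issuer != issuer:
        raise ValueError(f"issuer mismatch: {got_issuer!r}")
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError(f"audience mismatch: {audiences!r}")
    user = {"username": root.findtext("saml:Subject/saml:NameID", namespaces=NS)}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        key = ATTRIBUTE_MAP.get(attr.get("Name"))
        if key:
            user[key] = attr.findtext("saml:AttributeValue", namespaces=NS)
    missing = [k for k in ("username", *ATTRIBUTE_MAP.values()) if not user.get(k)]
    if missing:
        raise ValueError(f"missing mapped attributes: {missing}")
    return user


if __name__ == "__main__":
    print(extract_user(SAMPLE_ASSERTION))
```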

5. Configure Provisioning

If you are configuring PingOne using JIT Provisioning, skip to the 6. Complete IdP Settings section below.

SCIM Provisioning

Create Provisioning Connection

  1. In PingOne, expand the Integrations left-side menu option and select Provisioning.

    Integrations side menu showing the Provisioning option.

  2. Select the plus icon next to Provisioning and select New Connection.

    Provisioning add option showing New Connection selected.

  3. Select the Identity Store option.
  4. Select the SCIM Outbound option, then select Next.
  5. Give the connection a unique name, then select Next.
  6. In the Virtual Appliance Admin Console, select the PingOne IdP in the Identity Provider Settings section, then select Modify.
  7. Copy the SCIM Tenant URL and paste it into the PingOne SCIM Base URL field.
  8. Select Cancel on the modal in the Admin Console to close it out.
  9. Select OAuth 2 Bearer Token in the PingOne Authentication Method dropdown.

SCIM Configuration tab showing the different fields.

Apply SCIM Token

  1. In the Virtual Appliance General settings, select the SCIM option in the Identity Provider Settings section.
  2. Select your IdP configuration in the drop-down menu.
  3. Select Generate SCIM Token.

    SCIM section showing the IdP selected in the drop-down, and the Generate SCIM Token button to the right.

    Generating a SCIM token invalidates any previous tokens for that IdP.

  4. Select Proceed.
  5. Copy the token, close the modal, and select Save at the top-right corner of General settings.
  6. Paste the token into the PingOne OAuth Access Token field.
  7. Select Test Connection to verify connectivity.
  8. Select Next and adjust the preferences as needed.
  9. Select Save.
  10. Toggle the bubble in the upper-right of the Overview tab to enable the connection.

SCIM Overview tab showing the toggle on bubble in the upper-right.

Create Rule

  1. On the Provisioning tab, select the plus icon next to Provisioning and select New Rule.

    Provisioning add option expanded with the New Rule option selected.

  2. Give the rule a unique name.
  3. Select Create Rule.
  4. Select the plus icon to the right of the Provisioning connection created earlier.
  5. Select Save.
  6. In the Configuration window, select the User Filter option, then the edit icon next to User Filter.

    User Filter showing the edit icon.

  7. Under User Filter:

    1. Select Any, for Any of the conditions are true.
    2. In the Attribute dropdown select Enabled.
    3. Operator should be Equals.
    4. In the Value dropdown select true.
  8. Select Save.
  9. To provision groups:
    1. Select the Group Provisioning option in the Configuration window.
    2. Select the Add Groups button.
    3. Search for and select the groups you wish to provision.
    4. Select Save.
    5. In the Overwrite Group Memberships modal, select I understand and want to continue.
    6. Select Save.
  10. In the Rule window, toggle the bubble in the upper-right to enable the rule.

This starts provisioning and displays the results in the Sync Summary window.

User filter showing the user rules.

6. Complete IdP Settings

  1. On the Admin Console General page, navigate back to the Identity Provider Settings section.
  2. To have Virtual Appliance prompt your users to authenticate through the IdP when performing any function requiring authorization, such as installing a printer, select the Automatically Open Browser to Login on Desktop Client option.

    If this option is not selected, the user must manually navigate to the IdP login screen to sign in.

  3. We recommend enabling the Use Loopback with SAML2 option. The IdP needs to provide an authentication token to the desktop clients whenever authentication happens. This option allows the client to handle the token and automatically log in without interaction from end users.

    General tab's Identity Provider Settings section with the IdP option selected and two additional options selected below the IdP.

  4. Select Use Domain User (Windows only) to automatically authorize domain-joined Windows users without requiring a login via the configured IdPs.
  5. Select Save in the top-right corner of the General page.

7. JIT Provisioning

These steps are only for configurations using JIT Provisioning. If you have already configured PingOne using SCIM Provisioning, skip to 8. Add Virtual Appliance Admins.

JIT Provisioning

JIT does not support the provisioning of group membership associations, so you cannot apply RBAC roles, printer deployments or portal security roles to groups. All assignments have to be done individually for each user.

When using JIT Provisioning, the application creates users during the first sign-in attempt.

  1. Access your Virtual Appliance instance and select Sign in with <IdP Name>.
  2. Attempt to log in with your IdP credentials.
  3. This login attempt will fail and return you to the login page.

    This is expected. With JIT, this action triggers the user creation in the instance.

  4. The following login attempt with valid credentials initiates a typical login sequence.

Administrators who need access to the Admin Console still need to be added to the Tools then Users page using the steps in Admin Console Users.

8. Add Virtual Appliance Admins

For steps on assigning users and roles to the Virtual Appliance Admin Console reference Admin Console Users.