Last updated: November 14, 2024
PingOne
An Identity Provider (IdP) vouches for the identity of a person through the use of an authentication token. Virtual Appliance uses an IdP for several things, including logging in to the Admin Console and portals, deploying printers, releasing print jobs, and more.
If you use an IdP, the Control Panel Application (CPA) only supports badge and PIN authentication.
Configure Connection
To add and configure enterprise app properties for the Virtual Appliance connection, do the following:
- Create PingOne App.
- Add IdP Template.
- Add the X-509 Certificate.
- Configure Single Sign On.
- Configure Provisioning.
- Complete IdP Settings.
- JIT Provisioning.
- Add Virtual Appliance Admins.
1. Create PingOne App
- Log into your PingOne Admin Portal.
- Search for SCIM, and select an unused Ping SCIM SaaS Provisioner option.
- Enter a Name for your app then select Next.
- Add the following attributes on the Map Attributes tab.
  - SAML_Subject / Username
  - FirstName / Given Name
  - LastName / Family Name
  - Email / Email Address
- Select Next.
- Add the desired Groups, then select Save.
- Select View in Applications list.
- Select Enable Advanced Configuration, then Enable in the modal.
Leave the current browser open to the new app page. To continue the app configuration, you need to open another browser and access the service provider information.
If the IdP Settings page does not look like the image shown below, you may not be using the latest version and should contact Product Support to upgrade your IdP settings.
2. Add IdP Template
When configuring this IdP through Virtual Appliance, use the Custom option in the IdP Template drop-down.
- In a separate browser tab, open your Virtual Appliance Admin Console and sign in.
- Select Tools > Settings > General, and scroll down to the Identity Provider Settings section.
- Select IdP, and then select Add.
- Select the identity provider you want to configure in the IdP Template drop-down.
- Select SAML2 in the Authentication Protocol section.
- For Provisioning, it is assumed that JIT will be used for most Virtual Appliance applications. Check the box for JIT provisioning.
When you consider how to set up your IdP configuration, be aware that SCIM provisioning requires an open connection from the IdP into the Virtual Appliance instance gateway container. We recommend JIT provisioning when setting up your IdP connection.
- In the Name field, enter the name you want displayed on the login button for users, e.g. My Company, Login, Acme Corp, etc.
- Scroll down and select the desired enable setting(s).
  - Enable for End Users Login — Allows end users to log in using this IdP. (Self-service Portal)
  - Enable for Admin Login — Allows Admin users to log in using this IdP. (Admin Console)
  - Both boxes can be checked when using a single IdP, or if the admin and end users use the same IdP to log in.
Keep the IdP Settings screen open so that the Service Provider Information at the bottom is available for the following steps.
3. Add the X-509 Certificate
4. Configure Single Sign On
- Select the Edit icon in the upper right of the Configuration tab.
- Copy the Admin Console Reply URL (ACS) and paste it into the PingOne ACS URLS field.
- Copy the Admin Console Identifier (Entity ID) and paste it into the PingOne Entity ID field.
- Copy the Admin Console Relay State and paste it into the PingOne Target Application URL field.
- Select Save in PingOne.
- Copy the PingOne Issuer ID and paste it into the Admin Console Issuer URL field.
- Copy the PingOne Initiate Single Sign-On URL and paste it into the Admin Console SSO URL field.
- Select Apply in the Admin Console.
- Select Save in Admin Console.
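If sign-in fails after step 4, the usual cause is a mismatch among the values copied between the two consoles. The following is an added troubleshooting example, not code from PingOne or the Virtual Appliance: it checks a decoded SAML response you captured yourself against the configured values. The URLs and sample response are constructed placeholders, and the attribute names are assumed to be sent as listed in the Map Attributes step.

```python
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed placeholders for the values step 4 copies between the two consoles.
EXPECTED = {"issuer": "https://idp.example.test/issuer",    # PingOne Issuer ID
            "audience": "https://va.example.test/entity",   # Entity ID
            "acs": "https://va.example.test/acs"}           # Reply URL (ACS)
REQUIRED_ATTRS = {"FirstName", "LastName", "Email"}         # Map Attributes step

def check_saml_response(xml_text, expected=EXPECTED):
    """List mismatches between a decoded SAML response and the configuration.
    Does not verify the XML signature; parse only responses you captured yourself."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != expected["acs"]:
        problems.append("Destination does not match the ACS URL")
    issuer = root.findtext("a:Assertion/a:Issuer", default="", namespaces=NS)
    if issuer.strip() != expected["issuer"]:
        problems.append("Issuer does not match the Issuer URL")
    audiences = {e.text.strip() for e in root.iterfind(".//a:Audience", NS) if e.text}
    if expected["audience"] not in audiences:
        problems.append("Audience does not contain the Entity ID")
    name_id = root.findtext(".//a:Subject/a:NameID", default="", namespaces=NS)
    if not name_id.strip():
        problems.append("NameID (SAML_Subject) is empty")
    sent = {a.get("Name") for a in root.iterfind(".//a:Attribute", NS)}
    problems += [f"attribute {n} missing" for n in sorted(REQUIRED_ATTRS - sent)]
    return problems

# Constructed sample response: everything matches except the Email attribute.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://va.example.test/acs">
 <a:Assertion>
  <a:Issuer>https://idp.example.test/issuer</a:Issuer>
  <a:Subject><a:NameID>jdoe</a:NameID></a:Subject>
  <a:Conditions><a:AudienceRestriction>
   <a:Audience>https://va.example.test/entity</a:Audience>
  </a:AudienceRestriction></a:Conditions>
  <a:AttributeStatement>
   <a:Attribute Name="FirstName"><a:AttributeValue>J</a:AttributeValue></a:Attribute>
   <a:Attribute Name="LastName"><a:AttributeValue>Doe</a:AttributeValue></a:Attribute>
  </a:AttributeStatement>
 </a:Assertion>
</p:Response>"""

if __name__ == "__main__":
    print(check_saml_response(SAMPLE))
```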
5. Configure Provisioning
If you are configuring PingOne using JIT Provisioning, skip to the 6. Complete IdP Settings section below.
SCIM Provisioning
Create Provisioning Connection
- In PingOne, expand the Integrations left-side menu option and select Provisioning.
- Select the plus icon next to Provisioning and select New Connection.
- Select the Identity Store option.
- Select the SCIM Outbound option, then select Next.
- Give the connection a unique name, then select Next.
- In the Virtual Appliance Admin Console, select the PingOne IdP in the Identity Provider Settings section, then select Modify.
- Copy the SCIM Tenant URL and paste it into the PingOne SCIM Base URL field.
- Select Cancel on the modal in the Admin Console to close it out.
- Select OAuth 2 Bearer Token in the PingOne Authentication Method dropdown.
Apply SCIM Token
- In the Virtual Appliance General settings, select the SCIM option in the Identity Provider Settings section.
- Select your IdP configuration in the drop-down menu.
- Select Generate SCIM Token.
Generating a SCIM token invalidates any previous tokens for that IdP.
- Select Proceed.
- Copy the token, close the modal, and select Save at the top-right corner of General settings.
- Paste the token into the PingOne OAuth Access Token field.
- Select Test Connection to verify connectivity.
- Select Next and adjust the preferences as needed.
- Select Save.
- Toggle the bubble in the upper-right of the Overview tab to enable the connection.
Create Rule
- On the Provisioning tab, select the plus icon next to Provisioning and select New Rule.
- Give the rule a unique name.
- Select Create Rule.
- Select the plus icon to the right of the Provisioning connection created earlier.
- Select Save.
- In the Configuration window, select the User Filter option, then the edit icon next to User Filter.
- Under User Filter:
  - Select Any, for Any of the conditions are true.
  - In the Attribute dropdown select Enabled.
  - Operator should be Equals.
  - In the Value dropdown select true.
- Select Save.
- To provision groups:
  - Select the Group Provisioning option in the Configuration window.
  - Select the Add Groups button.
  - Search for and select the groups you wish to provision.
  - Select Save.
  - In the Overwrite Group Memberships modal, select I understand and want to continue.
- Select Save.
- In the Rule window, toggle the bubble in the upper-right to enable the rule.
This starts provisioning and displays the results in the Sync Summary window.
6. Complete IdP Settings
- On the Admin Console General page, navigate back to the Identity Provider Settings section.
- To have Virtual Appliance prompt your users to authenticate through the IdP when performing any function requiring authorization, such as installing a printer, select the Automatically Open Browser to Login on Desktop Client option.
If this option is not selected, the user must manually navigate to the IdP login screen to sign in.
- We recommend enabling the Use Loopback with SAML2 option. The IdP needs to provide an authentication token to the desktop clients whenever authentication happens. This option allows the client to handle the token and automatically log in without interaction from end users.
- The option to Use Domain User (Windows only) will automatically authorize domain-joined Windows users and not require login via the configured IdPs.
- Select Save in the top-right corner of the General page.
7. JIT Provisioning
These steps are only for configurations using JIT Provisioning. If you have already configured PingOne using SCIM Provisioning, skip to 8. Add Virtual Appliance Admins.
JIT Provisioning
JIT does not support the provisioning of group membership associations, so you cannot apply RBAC roles, printer deployments or portal security roles to groups. All assignments have to be done individually for each user.
When using JIT Provisioning, the application creates users during the first sign-in attempt.
- Access your Virtual Appliance instance and select Sign in with <IdP Name>.
- Attempt to log in with your IdP credentials.
- This login attempt will fail and return you to the login page.
This is expected. With JIT, this action triggers the user creation in the instance.
- The following login attempt with valid credentials initiates a typical login sequence.
Administrators who need access to the Admin Console still need to be added to the Tools > Users page using the steps in Admin Console Users.
8. Add Virtual Appliance Admins
For steps on assigning users and roles to the Virtual Appliance Admin Console, reference Admin Console Users.