PingOne (SAML-P) configuration

This how-to guide describes how to configure U4IDS with PingOne, a SAML-P provider. For more information about SAML-P, see SAML V2.0 Protocol. In this example we use PingOne, a cloud IdP that does not require any installation.

Prerequisites

  • An account on PingOne
  • Access to U4IDS in order to create and configure a new tenant
  • The value of your U4IDS instance's configured SAML SP Entity Id. This is set in the application config (for the remainder of this document we use https://<u4ids basepath>/identity as the SP Entity Id)
  • A decision on which claim to use to uniquely identify the user in the organisation (this must be a claim that uniquely identifies a user within the organisation, e.g. the user's email address)

Note: The list of official IDS environments can be found here

Steps

Add and configure a new Application

In PingOne the registration of U4IDS is done by adding a new Application.

  1. In the Applications tab, click Add Application and select the New SAML Application option.

  2. Fill in the name, description, select category and continue to the next screen.

  3. Choose I have the SAML configuration. U4IDS does not expose SAML SP metadata in the current version.

  4. Configure the Assertion Consumer Service (ACS) to point to the authority address of U4IDS plus the path /AuthServices/Acs. In our case this is https://u4ids-dev.azurewebsites.net/identity/AuthServices/Acs

  5. For Entity ID, select the same value as used in the U4IDS configuration (the application settings key name is identityserver:providers:saml2:entity-id). Note that this value must be a valid URI. Our example setup: https://u4ids-dev.azurewebsites.net/identity

  6. Click SAML Metadata to download the metadata of the configured SAML endpoint of the PingOne Identity Provider. PingOne keeps the metadata behind the portal login, so IDS cannot access it directly as it can for many other SAML providers. The downloaded .xml file needs to be stored in a location that can be referenced over HTTP. For example, you could place it in Dropbox and expose it as: https://www.dropbox.com/s/021qu4two349x7e/peopleplatform-unit4-saml2-metadata.xml?raw=1. If your SAML IdP publishes its metadata publicly, you do not need to do this step. The URL of the IdP Entity ID metadata is used when configuring the authority value of a tenant.

  7. Configure the attributes (claims) that will be sent to U4IDS by PingOne. Make sure the attribute that you want to use for identifying the user in Unit4 systems is one of them (for example, name it email, mapping to Email). The claim you use must uniquely identify the user in the given Identity Provider store.

Create and configure tenant in U4IDS

See Identity providers in tenants for more information.