SSO PingID Setup

The following instructions set up an identity provider in PingID (using the PingOne platform).

Introduction

PingOne is Ping Identity's Single Sign-On (SSO) Provider and application portal that supports SAML 2.0, Secure Web Authentication and OpenID Connect. Tehama can be integrated with PingOne through SAML 2.0 and presented as a managed application alongside other PingOne integrated applications.

Once enabled, authentication to Tehama must be made through PingOne - local authentication through https://app.tehama.io is no longer possible except by using the Tehama Org Admin account. PingOne/Tehama Integration is limited to authentication only.

User accounts are required for both PingOne and Tehama. Both accounts must be configured with the same email address for SSO to work, and the user must accept the Tehama Welcome email before they will be able to launch a connection via PingOne SSO.

Integration Summary

Integration with PingOne SSO is a four-step process as follows.

  1. Obtain initial configuration settings from Tehama
  2. Create an application in PingOne
  3. Obtain the required Federation Metadata XML from PingOne
  4. Enter it back into Tehama

Prerequisites for PingOne Integration

  • A Tehama Account with Org Admin privileges
  • An PingOne account with Domain Administrator privileges

Setup Time - 10 minutes

Create a connected application

Login to Tehama using the Org Admin Account and click on the ORGANIZATION tab in the navigation bar.

Select the AUTHENTICATION tab.

Check "Enable SAML Single-Sign on".

Tehama Organization Authentication Page with SAML-disabled

Make a note of the Entity ID and Callback URL (Assertion Consumer Service URL) values.

Open a second browser tab and sign in to your PingOne Admin Account.

Select Applications from the top level menu, and My Applications from the second level menu.

PingOne My Applications Page

Select Add Application and then Select New SAML Application.

PingOne New SAML Application Page

Complete the Application Details - you may download and save a copy of this image to use as the logo Tehama Logo and click Continue to Next Step.

Ensure that I have the SAML configuration is selected and that the Protocol Version is set to SAML v 2.0.

PingOne New SAML Application Page Scrolled Down to Step 2

Select Download to obtain a copy of the Federation Metadata, it will be saved as saml2-metadata-idp.xml.

Copy the Entity ID from the AUTHENTICATION METHOD section of the Tehama Web UI's Authentication page and paste it into the Entity ID field.

Copy the Callback URL from the AUTHENTICATION METHOD section of the Tehama Web UI's Authentication page and paste it into the Assertion Consumer Service (ACS) field.

Leave all other fields at their default values.

Click Continue to Next Step. Click Save and Publish. Click Finish.

To complete the Tehama SSO setup open the downloaded XML file saml2-metadata-idp.xml and manually edit it to remove every white space character between <ds:X509Data> and </ds:X509Data> and copy the contents of the edited file to the clipboard.

Return to the Tehama Web UI and enable SSO by clicking on the checkbox to Enable SAML Single-Sign On (if not already enabled) then paste the IDP metadata into the Federation Metadata XML box.

Tehama Organization Authentication Page with SAML-enabled

and click SAVE.

Now that you have completed this step, each existing team member in your organization will receive an email inviting them to configure their SSO login by clicking on the provided link, CONFIGURE SSO LOGIN, and to follow the instructions.

Each subsequently added team member will receive the same email and must also configure their SSO login by clicking on the provided link.

Tehama SSO Configuration is now complete.

You will still need to return to the PingOne Console to assign User and Groups and/or configure Self-Service settings as appropriate for your organization before it will be possible to access Tehama using PingOne integration.