How to configure PingOne for Enterprise for SSO

This topic details how to configure PingOne for Enterprise single sign-on (SSO). PingOne for Enterprise is a cloud-based authentication provider.

This topic is part of Phase Two in Configuring SAML SSO authentication. For an overview of the complete process, see Working with SAML for single sign-on (SSO).

IMPORTANT  Before completing these steps, you will need to follow the steps in Prepare CyberArk Trust Protection Foundation - Self-Hosted for SAML SSO. You will need configuration information from the CyberArk Service Provider Metadata XML file to complete this process.

You must have an existing functional PingOne for Enterprise deployment to use these steps. These instructions detail how to add a new Application (CyberArk Trust Protection Foundation - Self-Hosted) to PingOne. Consult the PingOne for Enterprise documentation if you need to configure PingOne to obtain data from your identity store.

Before you begin, you will want to consult with your identity provider management team to determine who should be able to authenticate to CyberArk Trust Protection Foundation - Self-Hosted via PingOne for Enterprise. You'll need that information near the end of the procedure below.

IMPORTANT  While CyberArk makes an effort to provide accurate information on third-party integration steps, these steps may differ for your service provider, especially as identity providers release new updates. If you have questions about how to use this third-party integration, we recommend you start with the vendor's documentation and support teams. These instructions should be considered a template, not definitive steps. Your specific steps may vary, depending on how your organization integrates with each third-party platform.

To configure PingOne for Enterprise single sign-on

  1. Log in to PingOne for Enterprise, and click Applications.
  2. Navigate to Add Application > New SAML Application.
  3. Give the application a descriptive name for your CyberArk cluster, provide a description, and choose a category.
  4. Click Continue to Next Step.
  5. Next to SAML Metadata, click Download. We refer to this file as the IDP Metadata XML file in our documentation.

    Save this file to your CyberArk Trust Protection Foundation - Self-Hosted server in a place you can find it later.

  6. Ensure the protocol version is SAML v 2.0.
  7. Under Upload Metadata, click Select File, then browse to the CyberArk Service Provider Metadata XML file you exported from CyberArk Trust Protection Foundation - Self-Hosted, and select it.
  8. Configure the following fields:

    • The Assertion Consumer Service (ACS) field is filled in automatically from the uploaded Service Provider Metadata XML file.
    • The Entity ID is filled in automatically from the uploaded Service Provider Metadata XML file. This is a unique string PingOne uses to identify the application when communicating with it.
    • You can leave Application URL blank.

      This field, if used, provides the starting URL for a user if you don't want them to be taken directly to the Aperture dashboard. For example, you could specify the SSH Manager for Machines dashboard or the Certificate Inventory URL. This URL is used when a user clicks the CyberArk application on their PingOne dashboard. The field is not honored if authentication was started by CyberArk Trust Protection Foundation - Self-Hosted. If you use this field, specify the page by its FQDN.

    • Single Logout Endpoint, Response Endpoint, and Binding Type: these settings are not supported in this version of CyberArk Trust Protection Foundation - Self-Hosted, so leave them blank.
    • Primary/Secondary Verification Certificate: version 25.3 doesn't support signing authentication requests, so leave this blank.
    • Encrypt Assertion: version 25.3 doesn't support encrypted SAML responses, so leave this blank.
  9. Change the Signing option to Sign Response.
  10. Leave the Signing Algorithm at the default, which is RSA SHA256.
  11. If you want to force re-authentication for users, even if they already have an active PingOne session, select Force Re-Authentication.
  12. If needed, modify the subject of the SAML assertion.

    By default, PingOne sends the username as the NameID within the subject of the SAML assertion. If you need something different sent instead (such as the email address), define the appropriate attribute mapping on this screen.

    More information can be found in PingOne's documentation.

  13. In Group Access, click Add next to groups that should have access to CyberArk Trust Protection Foundation - Self-Hosted.

    If you want all users to have access, click Add next to Users@directory.

  14. Review your settings, then click Finish.
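Before uploading the CyberArk Service Provider Metadata XML file in step 7, it helps to confirm what PingOne will auto-fill in step 8 and that the file does not request features the page says version 25.3 does not support (signed authentication requests, encrypted assertions). The script below is an added example, not code from CyberArk or Ping; the embedded metadata is a constructed sample with a placeholder hostname, and inspect_sp_metadata is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample SP metadata: placeholder host, no real certificate.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://tpp.example.test/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://tpp.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_sp_metadata(xml_text: str) -> dict:
    """Return the Entity ID and default ACS endpoint, plus warnings about
    SP-side options the page says are unsupported in version 25.3."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: not Service Provider metadata")
    acs = sp.findall("md:AssertionConsumerService", NS)
    default = next((a for a in acs if a.get("isDefault") == "true"), acs[0] if acs else None)
    if default is None:
        raise ValueError("no AssertionConsumerService endpoint found")
    warnings = []
    if sp.get("AuthnRequestsSigned") == "true":
        warnings.append("AuthnRequestsSigned=true, but signed requests are not supported")
    enc_keys = [k for k in sp.findall("md:KeyDescriptor", NS) if k.get("use") == "encryption"]
    if enc_keys:
        warnings.append("encryption KeyDescriptor present, but encrypted assertions are not supported")
    if not (default.get("Location") or "").startswith("https://"):
        warnings.append("ACS Location is not HTTPS")
    return {
        "entity_id": root.get("entityID"),          # what PingOne shows as Entity ID
        "acs_url": default.get("Location"),         # what PingOne shows as ACS
        "acs_binding": default.get("Binding"),
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "warnings": warnings,
    }


if __name__ == "__main__":
    for key, value in inspect_sp_metadata(SAMPLE_SP_METADATA).items():
        print(f"{key}: {value}")
```

Run it against the real exported file (read it into xml_text) and compare the printed Entity ID and ACS with what PingOne displays after the upload.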

IMPORTANT  When you test PingOne, if a login attempt fails with the error "SAML authentication failed" and an InvalidSignatureException, try disabling assertion signing in step 9, above. This is due to a problem in .NET.

If disabling assertion signing doesn't work, please contact CyberArk Support.

You are ready to finish configuring SSO in CyberArk Configuration Console. See Importing Identity Provider Metadata XML into CyberArk Configuration Console for SAML.