Ping Identity Single Sign-On Integration with SAML

Ping Identity provides secure and easy access to cloud, mobile, and on-premises applications through federated identity management. The platform uses adaptive authentication and SSO for single-click access to all applications, preventing security breaches and helping with the management of sensitive data.

This document explains how to configure Ping Identity and Invicti Platform for Single Sign-On.

Configure Ping Identity with SAML

To configure the SSO integration with Ping Identity, follow these steps:

• Step 1: Add an application to Ping Identity
• Step 2: Configure Ping Identity Single Sign-On with SAML
• Step 3: Configure encrypted assertions in Ping Identity (optional)

Step 1: Add an application to Ping Identity

1. In your Ping Identity environment, select Applications > Applications from the left-side menu.
2. On the Applications page, click the + (plus) button.

3. Enter your application name, then select SAML Application in the right pane. In this document, we use Invicti as the application name.

4. Click Configure to open the SAML Configuration page.
5. From the SAML Configuration, select Manually Enter.

6. Open a new browser tab and log in to Invicti.
7. Select Settings > Security & Access Control > SSO from the left-side menu.  
8. Turn on the Enable SSO toggle.
9. Select PingIdentity from the SSO Provider drop-down list.

10. Copy the SAML 2.0 Service URL from Invicti and paste it into the ACS URLs field in Ping Identity.
11. Copy the Identifier from Invicti and paste it into the Entity ID field in Ping Identity.
12. Click Save to add Invicti to your Ping Identity account.

Next, you need to configure the Ping Identity integration to enable Single Sign-On.

Step 2: Configure Ping Identity Single Sign-On with SAML

1. In the Applications, turn on the toggle next to Invicti and click the name to open details pane. 

2. Select the Attribute Mappings tab and edit it by clicking the pencil icon.

• For the saml_subject attribute, select Email Address from the PingOne Mappings drop-down and click + Add.
• Add FirstName to the Attributes field and choose Given Name from the PingOne Mappings drop-down, and click + Add.
• Add LastName to the Attributes field and choose Family Name from the PingOne Mappings drop-down.

• Click Save.

3. Go to the Configuration tab and edit it by clicking the pencil icon.
4. Select the Sign Assertion & Response option.

5. Click Save.
6. Go to Overview tab to see the Connection Details and do the following:

• Copy the Issuer ID information and paste it in Invicti’s IdP Identifier field.
• Copy the Single Signon Service URL and paste it in Invicti’s SAML 2.0 Endpoint field.
• Click Download Signing Certificate to download the X509 PEM certificate (*.crt)
• Go to your download location and open the certificate with a text editor.
• Copy the X.509Certificate information and paste it in Invicti’s X.509 Certificate field.

7. In Invicti, if you select Require encrypted assertions, do one of the following:

• Select Generate a new certificate for me; OR
• Select I have an existing certificate, then upload your certificate and enter the certificate password.

8. The Invicti SSO Exemptions dropdown allows you to select specific users who can bypass SSO and log in with a password.

9. Click Save on the Invicti tab to complete the integration.

You can now add users to your application on Ping Identity, allowing them to log in. To do so, navigate to Directory > Users from the main menu.

Step 3: Configure encrypted assertions in Ping Identity (optional)

The following steps explain how to enable and configure encrypted assertions for your Invicti application:

1. In Ping Identity, select Applications > Invicti.
2. Click the pen icon to edit the Configuration tab.
3. In the Encryption section, click the checkbox next to Enable.
4. In the Certificate section, select Import, then click Choose File.
5. Upload your certificate, then click Save.