PingOne (SAML v2.0)

Prerequisites

Implement Single Sign-On (SSO)

It is recommended to use two separate browser tabs for the Keycloak (K) and PingOne (P) portals to make it easier to apply the settings.

1. (K) Open a new tab in your browser and login to the target Spark tenant. Access the Keycloak console from the User menu.

2. (K) Login to the Keycloak Admin Console using your admin credentials.

3. (K) Click Identity Providers from the left pane.

4. (K) Expand the Add provider dropdown and choose SAML v2.0.

5. (K) Fill in values for the Alias and Display Name fields. Please note this Display Name will appear in the button on the Spark login page.

6. (K) Copy the Redirect URI value.

7. (P) In a second browser tab, sign in to PingOne.

8. (P) Click on Applications on the left pane.

9. (P) Click (+) to add a new application.

10. (P) Enter an Application Name for this integration.

11. (P) Select SAML Application for Application Type.

12. (P) Click Configure.

13. (P) In SAML Configuration for Provide Application Metadata select Manually Enter.

14. (P) Paste the edited Redirect URI into the ACS URLs (Assertion Customer Service URL).

15. (K) Return to Keycloak. Copy the Service provider entity ID.

16. (P) Switch to PingOne. Paste the Service provider entity ID into the Entity ID field.

17. (P) Click Save.

18. (P) Click on the Configuration tab.

19. (P) Copy the IDP Metadata URL.

20. (K) Return to Keycloak. Paste the IDP Metadata URL into the SAML entity descriptor.

21. (K) Click Add.

22. (K) In NameID policy format, select Email.

23. (K) Click Save.

24. (P) Switch to PingOne. Click on Attribute Mappings.

25. (P) Click Edit.

26. (P) Set the following mappings:

    Attributes

    PingOne Mappings

    saml_subject

    Email Address

    firstName

    Given Name

    lastName

    Family Name

    groups

    Group Names

27. (P) Close the Application pane.

28. (P) Enable the toggle switch for the application.

29. (K) Return to Keycloak. Click on the Mappers tab and then click on Add mapper.

30. (K) Create 4 mappers with the following properties:

    1. Key

       Value

       Name

       firstName

       Sync mode override

       Force

       Mapper type

       Attribute Importer

       Attribute Name

       firstName

       Name Format

       ATTRIBUTE_FORMAT_BASIC

       User Attribute Name

       firstName

    2. Key

       Value

       Name

       lastName

       Sync mode override

       Force

       Mapper type

       Attribute Importer

       Attribute Name

       lastName

       Name Format

       ATTRIBUTE_FORMAT_BASIC

       User Attribute Name

       lastName

    3. Key

       Value

       Name

       email

       Sync mode override

       Force

       Mapper type

       Attribute Importer

       Attribute Name

       saml_subject

       Name Format

       ATTRIBUTE_FORMAT_BASIC

       User Attribute Name

       email

    4. Key

       Value

       Name

       groups

       Sync mode override

       Force

       Mapper type

       Attribute Importer

       Attribute Name

       groups

       Name Format

       ATTRIBUTE_FORMAT_BASIC

       User Attribute Name

       groups

31. For SAML SSO, it is important to validate signatures to prevent unauthorized access. For more information see Importance of validating signatures in SAML.

    1. (K) For the identity provider you have setup, scroll down to Signature and Encryption settings.

    2. (K) Enable the option Validate Signature.

32. Navigate to your Spark tenant and sign in using the newly created provider. There will be a button on the Keycloak login page with the display name defined earlier.

Configure PingOne groups to Spark user groups

It is recommended to use two separate browser tabs for the Keycloak (K) and PingOne (P) portals to make it easier to apply the settings. In this guide, we will setup the automatic roles for the tenant-admin role.

1. (P) In the first tab sign in to PingOne.

2. (P) Select Directory in the left pane and select Groups.

3. (P) Click (+) to add a new group.

4. (P) Enter tenant-admin into Group name and click Save.

5. (P) Click on the Users tab and then click on Add Individually.

6. (P) Select your test user and click Save.

7. (K) Open a new tab in your browser and login to the target Spark tenant. Access the Keycloak console from the User menu.

8. (K) Login to the Keycloak Admin Console using your admin credentials.

9. (K) Select Identity Providers from the left pane and then the identity provider you configured in the previous section.

10. (K) Select the Mappers tab and then Add mapper.

11. (K) Provide the following values.

    Name

    Value

    Name

    tenant-admin

    Sync mode override

    force

    Mapper type

    Advanced Claim to Group

12. (K) Click Add Claims.

13. (K) Provide the following values:

    Key

    Value

    groups

    tenant-admin

14. (K) Leave Regex Claim Values as Off (which is the default).

15. (K) Click Select Group, choose tenant-admin , then click Select.

16. (K) Click Save.

17. Sign in into Coherent Spark with your test account. Click on your initials and hover over the groups icon to confirm your membership in tenant-admin.

18. We highly recommend creating at least a few additional groups relevant for Private tenants:

    • Group for supervisor:pf user accounts. In Spark, supervisor:pf members can manage permissions across all folders.

    • Groups for "standard" user accounts, e.g. user:teamA, user:teamB. These groups can be assigned to the users in your organization not responsible for tenant administration. Creating multiple groups for "standard" user accounts can be useful to separate access between teams.