Integrating with PingOne Enterprise

Integration prerequisites

  • Delinea PAS tenant.

  • PingOne for Enterprise tenant.

Configuring SAML Single Sign-On (SSO) for PingOne Enterprise

The following steps detail how to set up PingOne for Enterprise as an Identity Provider (IdP). In this configuration, Delinea PAS is the Service Provider (SP). Once configured you can access Delinea PAS from PingOne for Enterprise using SAML Single Sign-On (SSO).

To configure the PingOne tenant for SSO

  1. In the PingOne tenant, navigate to Applications > Add Application > New SAML Application.

    alt

    Name the Application Delinea Privileged Access Service” and (optionally) add description. upload logo, then click Continue to Next Step.

    alt

  2. Choose I have the SAML Configuration, then click the SAML Metadata download link (this saves an XML file named “saml2-metadata-idp.xml”).

    alt

  3. Navigate to the Delinea PAS tenant. In the Delinea PAS tenant. Navigate to Settings > Users > Partner Management then click Add.

  4. Under Settings, name the Partner configuration “PingOne for Enterprise”, choose SAML 2.0 as a federation type and add the domain name(s) that can be used as suffix for SP-initiated login by users (will depend on your environment and authentication methods)

    alt

  5. Under Inbound Metadata, choose Option 2 and upload the XML file obtained from PingOne.

    alt

    Under Outbond Metadata section, choose Option 2 and then Download the metadata file (this saves an XML file named “”).

    alt

  6. Save the configuration.

  7. Go back to the PingOne application configuration. On the PingOne tenant, continue the application configuration under the I Have the SAML Configuration section.

  8. Upload the metadata file you obtained from the Delinea Partner configuration and Continue to Next Step.

    alt

  9. Configure attribute mapping. This configuration may differ based on the directory used to login. In the example below, both PingOne and Delinea PAS are configured to authenticate Active Directory users from the same domain and therefore most attributes will match literally. You may need to change attribute name or use advanced mapping to adapt to your environment. Once you have concluded mapping, click Continue to Next Step.

    alt

  10. Add group(s) that will be allowed to use the application (example: Users@directory is everyone on the Ping Directory) and click Continue to Next Step.

    alt

  11. Review and click Finish.

Configuring Delinea PAS as an Identity Provider

  1. In the Delinea PAS tenant, navigate to Apps > Web Apps and click Add Web Apps.

  2. On the Custom tab, choose SAML template and click Add and confirm Yes.

    alt

  3. Under Settings tab, name the App “PingOne for Enterprise” and (optionally) add description and upload logo.

    alt

  4. Under the Trust tab and in the Identity Provider Configuration section, choose Metadata and click Download Metadata File (will saves an XML file named “PingOne for Enterprise - IdP Metadata.xml”).

    alt

  5. Click Save.

  6. Navigate back to the PingOne tenant. In the PingOne tenant, navigate to Setup and either Add a new Identity Repository or change the existing one.

  7. Select Custom SAML as the Identity Repository type and click Next.

    alt

  8. Under Configure Your IDP Connection, click Download PingOne Metadata then Next (this saves an XML file named “pingone-metadata.xml”).

    alt

  9. Under Configure Your PingOne Connection , import the IdP Metadata file named “PingOne for Enterprise - IdP Metadata.xml” and click Next.

    alt

  10. Under the Map Attributes section, add a variable named “groups”. You can add other mapping attributes based on your configuration needs.

    alt

  11. Click Save.

  12. Navigate back to the Delinea PAS tenant. In the Delinea PAS tenant, navigate to Apps > Web Apps and edit the “PingOne for Enterprise” application setting.

  13. Under Trust and in the Service Provider Configuration section, choose Metadata and click Choose File, upload the file named “pingone-metadata.xml”.

    alt

  14. Under SAML Response, and the Custom Logic section, edit the SAML script. The sample below is provided as an example, you may want to add other attributes if you modified the Map Attributes list under PingOne configuration.

    alt

  15. Under Permissions, add the list of wsers and/or roles that have permissions to launch the application (use of a role should be always preferred for ease of access management).

    alt

  16. Under Account Mapping, choose how the user will be recognized under PingOne for Enterprise. The default to UserPrincipalName when using Active Directory could be using email or any other value that suits your environment (this value should be unique).

    alt