
PingOne

Follow the steps documented below to integrate your Rafay and PingOne Organization for Single Sign On (SSO).

Important

Only users with "Organization Admin" privileges can configure SSO in the Rafay Console.


Step 1: Create IdP in Rafay

  • Log in to the Rafay Console as an Organization Admin
  • Click on System > Identity Providers
  • Click on "New Identity Provider"
  • Provide a Name and select "Ping" from the drop-down
  • Enter the "Domain" for which you would like to enable SSO
  • Optionally, toggle "Encrypted SAML Assertion" if you want SAML assertions to be encrypted
  • Provide a "Group Attribute Name": the name of the group attribute statement in the SAML assertion that Rafay matches against its Groups (and the roles assigned to them)
  • Click on Save & Continue

[Screenshot: Create IdP]

Important

Encrypting SAML assertions is optional because confidentiality is already provided at the transport layer by HTTPS. Encrypted assertions add a further layer on top, ensuring that only the SP (Rafay) can decrypt the SAML assertion.


Step 2: View SP Details in Rafay

The Rafay IdP configuration wizard displays the information you need to copy/paste into your PingOne SAML application. Provide the following to your PingOne administrator:

  • Assertion Consumer Service (ACS) URL
  • SP Entity ID
  • NameID Format
  • Encryption Certificate (if Encrypted SAML Assertion is enabled)
  • Group Attribute Statement Name
  • Consumer Binding

Then click on Save & Continue to go to the Metadata Configuration page.

[Screenshot: View SP Details]


Step 3: Create Rafay Application in PingOne

  • Log in to PingOne as an Administrator
  • Go to Applications > My Applications > SAML
  • Click Add Application and select New SAML Application

[Screenshot: Create App Integration]


Step 4: Configure Application Details in PingOne

In the Application Details page:

  • Enter "Rafay Systems" for the application name
  • Upload the Rafay Logo
  • Click Continue to Next Step

[Screenshot: Application Details]


Step 5: Configure SAML Application in PingOne

In the Application Configuration Page:

  • Select "SAML v 2.0" for Protocol Version
  • Copy/Paste the Rafay Assertion Consumer Service URL from Step 2 into the "Assertion Consumer Service (ACS)"
  • Copy/Paste the SP Entity ID from Step 2 into the "Entity ID"

[Screenshot: Configure SAML]

If Encrypted SAML Assertion was enabled in Step 1:

  • Enable "Encrypt Assertion"
  • Upload the Encryption Certificate downloaded in Step 2 to "Encryption Certificate"

[Screenshot: Configure SAML (encryption)]

  • Click Continue to Next Step

Step 6: Configure SSO Attribute Mapping for Group in PingOne

In SSO Attribute Mapping page:

  • Provide the Group Attribute Statement Name value from Step 2 for the "Application Attribute"
  • Select "memberOf" from "Identity Bridge Attribute or Literal Value" list

The SSO Attribute Mapping configuration step for Groups is critical because it will ensure that PingOne will send the groups the user belongs to as part of the SSO process. Rafay uses the group information to transparently map users to the correct group/role. In the illustrative example below, we are using "RafayRole" as the name of the group attribute statement.

[Screenshot: Group Attribute]


Step 7: Configure SSO Attribute Mapping for sending user's email as NameID in PingOne

Rafay SSO requires the NameID in the SAML Subject to be the user's email address; other NameID formats are not supported. In PingOne, configure the SAML Subject to use Email on the SSO Attribute Mapping page:

  • Add a new attribute
  • Provide "SAML_SUBJECT" for the "Application Attribute"
  • Select "Email" from "Identity Bridge Attribute or Literal Value" list
  • Click Continue to Next Step to go to the Group Access page

[Screenshot: NameID Attribute]


Step 8: Assign Groups to Rafay Application in PingOne

In Group Access page:

  • Search for and add the groups whose users should have access to the Rafay Console
  • Click Continue to Next Step to review the setup

[Screenshot: Assign Groups in PingOne]

In the example above, the PingOne group "SystemAdmins" has been assigned to the Rafay application in PingOne. PingOne users can be added to or removed from this group at any time.

A group with the identical name needs to be created in Rafay. Ensure that this group is mapped to the appropriate Projects with the correct privileges. In the example below, the Rafay Group "SystemAdmins" is configured as an "Organization Admin" with access to all Projects.

[Screenshot: Assign Groups in Rafay]

It is important to emphasize that with SSO via PingOne, user lifecycle management can be offloaded entirely to the IdP. In the example below, note that no users are managed directly in the "SystemAdmins" group in Rafay because they are all managed in the attached PingOne Org.

[Screenshot: Users in Group]
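The SP-side logic that Steps 6 through 8 feed, as an added example (this is not Rafay's or PingOne's code, and Rafay's actual implementation is not described on this page): after signature verification, which is omitted here, the service provider reads the NameID from the SAML Subject, requires it to be in email format, collects the values of the configured group attribute statement, and maps them to locally defined groups by exact name. The assertion, the "RafayRole" attribute name, the user and the local group table are all constructed for illustration; the example also shows what happens when a PingOne group has no identically named group on the Rafay side.

```python
"""Added example (not Rafay's or PingOne's code): parse a SAML assertion the way
an SP does after verifying its signature, enforce the email NameID format, and
map the group attribute statement to local groups by exact name."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertion. The group attribute statement is named "RafayRole",
# the illustrative name used on the page; issuer and user are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="RafayRole">
      <saml:AttributeValue>SystemAdmins</saml:AttributeValue>
      <saml:AttributeValue>Developers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Groups that exist on the SP side (constructed). Only "SystemAdmins" has a
# counterpart here, so "Developers" will be reported as unmatched.
LOCAL_GROUPS = {"SystemAdmins": "Organization Admin", "ReadOnly": "Organization Read Only"}


def parse_assertion(xml_text, group_attribute_name):
    """Return (email, groups) from an assertion; raise ValueError if the NameID
    is missing or is not in email format."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no Subject/NameID")
    if name_id.get("Format") != EMAIL_FORMAT:
        raise ValueError(f"unsupported NameID format: {name_id.get('Format')}")
    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        # Only the attribute whose Name equals the configured group attribute
        # statement name is used; attributes with any other name are ignored.
        if attr.get("Name") == group_attribute_name:
            groups.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return name_id.text.strip(), groups


def resolve_roles(groups, local_groups):
    """Map IdP group names to local roles by exact, case-sensitive name match.
    Returns (matched role map, list of IdP groups with no local counterpart)."""
    matched = {g: local_groups[g] for g in groups if g in local_groups}
    unmatched = [g for g in groups if g not in local_groups]
    return matched, unmatched


if __name__ == "__main__":
    email, groups = parse_assertion(SAMPLE_ASSERTION, "RafayRole")
    matched, unmatched = resolve_roles(groups, LOCAL_GROUPS)
    print(email, matched, unmatched)
```

Two things to notice when running it: passing a group attribute name that differs from the one PingOne sends (for example "memberOf" instead of "RafayRole") yields an empty group list and therefore no role, and a NameID in any format other than emailAddress is rejected outright, which is the failure mode Step 7 exists to prevent.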


Step 9: Specify IdP Metadata URL in Rafay

In PingOne Review setup page:

  • Copy the SAML Metadata URL; you will enter it in the Rafay Console in the next step
  • Click Finish to complete the settings in PingOne

[Screenshot: IdP Metadata URL]

  • Navigate back to the Rafay Console's IdP Metadata Configuration page
  • Paste the SAML Metadata URL from PingOne into the "Metadata Url" textbox
  • Save the IdP settings

[Screenshot: Save IdP Config]