Objective
The objective of this tutorial is to help you understand how to set up Single Sign-On (SSO) between Humanity and Ping Identity.
Overview
Access from your: Computer
Applies to: Admin/Managers
Single Sign-On lets you use an existing authentication mechanism with Humanity, so you can provide fast and convenient access for your agents and customers while improving security by centralizing authentication and removing the need for individual users to manage multiple passwords.
Things to know before you begin:
Humanity uses SAML (Security Assertion Markup Language) for Single Sign-On.
Before creating an application for Humanity on the Ping side, you must set up a connection and create a directory with users.
Ping may expire your session after a period of inactivity. If that happens before the Humanity application is fully created, you will need to create another one from the beginning.
For SSO to work, all Ping users must have matching employee profiles on Humanity: each Ping username must equal the email on the corresponding Humanity profile, and all Humanity employee profiles must be activated.
SSO Setup Instructions For Ping Identity
Step 1: Click 'APPLICATIONS' tab > Click 'My Applications' tab > Click 'SAML' tab > Click 'Add Application' drop-down > Select 'New SAML Application' option as shown in Image 1.
Image 1
Step 2: Type the 'Application Name' and 'Application Description' in their respective boxes > Select the Category from the drop-down according to your requirement as shown in Image 2.
Image 2
Step 3: Add a logo in the 'Graphics' box so your employees can find the Humanity application faster (optional) > Click 'Continue to Next Step' tab as shown in Image 3.
Image 3
Note: Click "Here" to download Humanity logo.
Step 4: Click 'Download' tab next to SAML Metadata as shown in Image 4.
Image 4
Once you click the 'Download' tab, the downloaded saml2-metadata-idp.xml file opens as a text file, as shown in Image 5.
Ping SAML Metadata File:
Image 5
Step 5: Copy the URL from the Location attribute of the 'md:SingleSignOnService' element whose Binding attribute is 'HTTP-Redirect', as shown in Image 6.
Image 6
Enable SSO on Humanity
Step 1: Log in to your Humanity account > Click the 'Settings' module, i.e. the gear icon in the top-right corner > Select 'Single Sign-On' tab from the left-hand side > Check the box next to 'SAML Enabled' tab as shown in Image 7.
Image 7
Note: Keep the box next to 'Allow Password Login' checked until it is confirmed that SSO works without any issues. Once everything has been tested, this option can be disabled, after which all users will be able to log in via SSO only.
Step 2: Paste the URL copied from the downloaded saml2-metadata-idp.xml file into the SAML Issuer URL field > Add the URL where you want your users to be redirected after they log out from Humanity into the Remote Logout URL field > Paste the text below into the X.509 Certificate field > Click the 'Save Settings' tab as shown in Image 8.
Text:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Image 8
Note: This is a temporary value; it will be replaced with the exact value (Image 20) once the Humanity application has been created on the Ping side.
Step 3: Copy the URL from 'The SAML Metadata URL for your account is:' field as shown in Image 9.
Image 9
Go back to PingOne Application to perform the remaining steps:
Step 1: Click 'Or use URL' tab > Paste the copied value into the opened input field > Click outside to apply as shown in Image 10.
Image 10
After a few seconds, the 'Assertion Consumer Service (ACS)' and 'Entity ID' fields are filled in automatically > Leave all other fields unchanged > Click the 'Continue to Next Step' tab as shown in Image 11.
Image 11
Step 2: Click the 'Add new attribute' tab as shown in Image 12.
Image 12
Step 3: In the Application Attribute field enter SAML_SUBJECT > Click 'Advanced' tab as shown in Image 13.
Image 13
It will redirect you to a new modal panel:
Step 4: Enter "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" next to Name ID Format to send to SP field > Enter 'Email' in the IDP Attribute Name or Literal Value field > Click 'Save' tab as shown in Image 14.
Image 14
Step 5: After saving, the attribute details are displayed > Click 'Continue to Next Step' tab as shown in Image 15.
Image 15
Now assign the application to the groups of users that should have access to Humanity. In this article, we assign it to both domain administrators and users.
Step 6: Click 'Add' tab next to 'Domain Administrators@directory' and 'Users@directory' > Click 'Continue to Next Step' tab as shown in Image 16.
Image 16
Access that has been granted can be revoked later by clicking the 'Remove' tab > Click 'Continue to Next Step' tab as shown in Image 17.
Image 17
Step 7: Review the setup > Click 'Download' tab next to 'Signing Certificate' field > Click 'Finish' tab as shown in Image 18.
Image 18
That's it: the application should now be enabled, and you will see Humanity Activated under My Applications as shown in Image 19.
Image 19
Open the downloaded IdP Signing Certificate file (it is named idp-signing.crt) in a text editor as shown in Image 20.
Image 20
Select all the text, copy it, and paste it into the X.509 Certificate field on the Humanity 'Single Sign-On Settings' page > Click 'Save Settings' tab as shown in Image 21.
Image 21
With this you have successfully configured Single Sign-On between Ping Identity and Humanity.
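A check you can run on the two files this procedure downloads, added here as an example and not taken from Humanity's or Ping's documentation: it selects the HTTP-Redirect Location from saml2-metadata-idp.xml (Step 5) and confirms that idp-signing.crt carries the same certificate as the metadata before it is pasted into Humanity. It assumes the metadata includes a signing KeyDescriptor; the function names, sample metadata and certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
IDP = ".//md:IDPSSODescriptor/"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprint(b64_body):
    """SHA-256 of the decoded (DER) bytes behind a base64 certificate body."""
    return hashlib.sha256(base64.b64decode("".join(b64_body.split()))).hexdigest()

def read_idp_metadata(xml_text):
    """Return (HTTP-Redirect SSO URL, signing-certificate fingerprint)."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD/entity declaration in metadata")
    root = ET.fromstring(xml_text)
    urls = [s.get("Location", "") for s in root.findall(IDP + "md:SingleSignOnService", NS)
            if s.get("Binding") == REDIRECT]
    if len(urls) != 1 or not urls[0].startswith("https://"):
        raise ValueError("expected exactly one https HTTP-Redirect endpoint")
    certs = [k.findtext(".//ds:X509Certificate", namespaces=NS)
             for k in root.findall(IDP + "md:KeyDescriptor", NS) if k.get("use", "signing") == "signing"]
    if len(certs) != 1 or not certs[0]:
        raise ValueError("expected exactly one signing certificate")
    return urls[0], fingerprint(certs[0])

def pem_fingerprint(pem_text):
    """Fingerprint of the single certificate in a PEM file such as idp-signing.crt."""
    if "PRIVATE KEY" in pem_text:
        raise ValueError("private key material must never be pasted into the SP")
    bodies = PEM_RE.findall(pem_text)
    if len(bodies) != 1:
        raise ValueError("expected exactly one certificate block")
    return fingerprint(bodies[0])

# Constructed sample input: placeholder bytes, not a real certificate or IdP.
SAMPLE_B64 = base64.b64encode(b"constructed bytes, not a real certificate").decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.test">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SAMPLE_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/sso/post"/>
<md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.test/sso/redirect"/>
</md:IDPSSODescriptor></md:EntityDescriptor>"""
if __name__ == "__main__":
    url, fp = read_idp_metadata(SAMPLE_METADATA)
    print(url, "certificate matches metadata:", fp == pem_fingerprint(SAMPLE_PEM))
```

To use it on real files, pass the text of saml2-metadata-idp.xml and idp-signing.crt in place of the constructed samples; a fingerprint mismatch means the certificate about to be trusted by Humanity is not the one the metadata advertises.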
For ShiftPlanning Initiated Login:
Use the SAML Login URL from the Humanity Single Sign-On Settings page.
In this article, it is "https://my-company.humanity.com/includes/saml/"
For IdP Initiated Login:
Use the Initiate Single Sign-On (SSO) URL from the Review Setup page (Image 18) of the Humanity application on the Ping side.
In this article, it is "https://sso.connect.pingidentity.com/sso/sp/initsso?saasid=cdc9e18c-8174-4a60-9d4d-d7ec54a185bf&idpid=273240d2-95b3-4f3e-81ca-b77051be070f"
It is handy to bookmark these links for faster access to Humanity over SSO.
If you have any further queries, please don't hesitate to reach us at support@humanity.com. Happy Scheduling!