Configuring single sign-on to ADAudit Plus using Ping Identity

Step 1: Configure ADAudit Plus in Ping Identity

  1. Log in to the Ping Identity portal.
  2. Click Applications → My Applications → SAML → Add Application → New SAML Application.
  3. On the Application Details page, enter Application Name, Application Description, and Category. You can choose to assign an application icon. Click Continue to Next Step.
  4. On the Application Configuration page, provide the ACS URL and Entity ID.
    Note: To find the values for the ACS URL and Entity ID, log in to the ADAudit Plus console, navigate to Admin → Administration → Logon Settings → Single Sign-On. Check the box next to Enable Single Sign-On, and select SAML Authentication → Identity Provider (IdP) → Ping Identity. Copy the ACS/Recipient URL value, and paste it in the ACS URL field. Copy the Issuer URL/Entity ID value, and paste it in the Entity ID field.
  5. Copy the SP Logout URL in ADAudit Plus, and paste it in the Single Logout Endpoint field in Ping Identity’s SAML Application page.
  6. Download the X.509 Certificate in ADAudit Plus. In Ping Identity’s SAML Application page, click on Browse next to Primary Verification Certificate, and upload the downloaded certificate.
  7. Click Save & Publish.
  8. Once the configuration is complete, the metadata file can be downloaded.

Step 2: Configure Ping Identity in ADAudit Plus

  1. Log in to the ADAudit Plus web console with admin credentials. Navigate to Admin → Administration → Logon Settings → Single Sign-On. Check the box next to Enable Single Sign-On, and select SAML Authentication.
  2. Select Ping Identity from the Identity Provider (IdP) drop-down. Under SAML Configuration Mode, select Upload Metadata File. Click Browse, and upload the metadata file obtained at the end of Step 1.

    Note: You can also configure SAML in Manual Configuration mode.

    • Copy and paste the Issuer URL/Entity ID.
    • Paste the IdP Login URL.
    • Paste the IdP Logout URL.
    • Paste the X.509 Certificate value from your identity provider.
  3. If needed, enable Single Logout under Advanced Settings.
  4. Advanced Settings configuration:
    Note: Ensure that the configuration settings selected here match those configured in your Ping Identity provider.

    Authentication Request Configuration

    | Setting | Description | Available values |
    |---|---|---|
    | SAML Request | Defines whether the authentication request sent to Ping Identity is digitally signed | Signed, Unsigned |
    | Authentication Context Class | Specifies the method Ping Identity should use to authenticate users | None, Windows Authentication, Kerberos, PasswordProtectedTransport, Password, TLS Client, Unspecified, X.509 Certificate |

    SAML Response Configuration

    | Setting | Description | Available values |
    |---|---|---|
    | SAML Response | Specifies whether the overall SAML response from Ping Identity is signed | Signed, Unsigned |
    | SAML Assertion | Specifies whether the SAML assertion inside the response is signed | Signed, Unsigned |
    | Signature Algorithm | Defines the algorithm used for generating digital signatures in SAML responses | SHA1, SHA256, SHA384, SHA512 |

    Encryption Configuration

    | Setting | Description | Available values |
    |---|---|---|
    | Assertion Encryption | Determines whether the SAML assertions returned from Ping Identity are encrypted | Encrypted, Unencrypted |
    | Encryption Certificate | Certificate used for encrypting the assertion | Self-Signed, CA Signed |
  5. If you want to mandate domain technicians to log in to ADAudit Plus only through SAML authentication, check the Force SAML Login box in the bottom-right corner.
    Note: Once enabled, accessing ADAudit Plus' login page will redirect domain technicians to the single sign-on URL. However, administrators and technicians with ADAudit Plus authentication credentials can still access the ADAudit Plus login page by appending the /adminLogin tag to the login page URL.
  6. Click Save.
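
For the Manual Configuration mode in Step 2, the following added example (not part of the original documentation or of ADAudit Plus) is a Python function that reads the metadata file from Step 1 and extracts the four values the manual fields ask for, with a SHA-256 fingerprint of each signing certificate to compare against the certificate shown in Ping Identity. The function name, sample hosts and placeholder certificate bytes are assumptions; mapping the metadata attribute WantAuthnRequestsSigned to the SAML Request setting is an inference from the SAML 2.0 metadata schema, not something the page states.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample: hosts, entity ID and certificate bytes are placeholders.
_CERT = base64.b64encode(b"PLACEHOLDER-NOT-A-REAL-CERTIFICATE").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/sample-entity">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {_CERT[:20]}
      {_CERT[20:]}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Location="https://idp.example.test/slo"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <md:SingleSignOnService Location="https://idp.example.test/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def idp_settings(metadata_xml):
    """Return the values the Manual Configuration fields ask for."""
    root = ET.fromstring(metadata_xml)  # parse only metadata from your own IdP
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    def first_location(tag):
        node = idp.find(f"md:{tag}", NS)  # first endpoint listed, any binding
        return node.get("Location") if node is not None else None
    fingerprints = []
    for key in idp.findall("md:KeyDescriptor", NS):
        if key.get("use", "signing") != "signing":  # skip encryption-only keys
            continue
        for cert in key.iterfind(".//ds:X509Certificate", NS):
            # Metadata wraps the base64 across lines; remove whitespace first.
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    if not fingerprints:
        raise ValueError("no signing certificate in metadata")
    # Inference: an IdP that wants signed requests pairs with "SAML Request: Signed".
    signed = idp.get("WantAuthnRequestsSigned", "false") in ("true", "1")
    return {"entity_id": root.get("entityID"),
            "login_url": first_location("SingleSignOnService"),
            "logout_url": first_location("SingleLogoutService"),
            "cert_sha256": fingerprints,
            "saml_request": "Signed" if signed else "Unsigned"}
```

Call idp_settings() with the text of the downloaded metadata file and compare each fingerprint with the certificate in Ping Identity before pasting the certificate value.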

Copyright © 2020, ZOHO Corp. All Rights Reserved.