- Overview
- Configuration
PingOne
Simplify and secure access with ADSelfService Plus and PingOne
PingOne is a cloud-based identity and access management (IAM) solution designed to secure application and data access for enterprises. Integrating ADSelfService Plus with PingOne provides secure, single-click SSO access, simplifying login for users while enhancing security measures.
Enable one-click access to PingOne through SSO
Integrating ADSelfService Plus allows single-click SSO access, streamlining login and allowing users to focus on tasks without login delays.
Enhanced security with MFA
This integration supports robust authentication options, including FIDO2 and biometrics, ensuring that only verified users can access PingOne, which enhances security for sensitive applications and data.
Improved user convenience with passwordless login
Passwordless login enables users to access PingOne without the need for traditional passwords, benefiting both users and IT teams by reducing login issues and minimizing password-related support requests.
Configuring OpenID SSO for PingOne
These steps show you how to configure the single sign-on (SSO) functionality using OpenID Connect between ManageEngine ADSelfService Plus and PingOne.
Do not terminate the session before the configuration is complete in both the identity provider and the service provider.
Please enable HTTPS is the product to ensure proper functioning of single sign-on.
- Login to ADSelfService Plus as Admin.
- Go to Configuration > Password Sync/ Single Sign On and click Add Application. Select PingOne from the list. You can also use the search bar, in the top-left, to search for the application. Note: You can also use the search bar, in the top-left, to search for the application.
- Click on IdP Details and select the SSO (OAuth/OpenID Connect) tab.
- Copy Client ID, Client Secret, Issuer, Authorization Endpoint URL, Token Endpoint URL, User Endpoint URL, and Keys Endpoint URL.
PingOne (service provider) configuration steps
- Login to PingOne as administrator.
- Click the PingOne for Customers' icon next to the End User Sandbox environment.
- Go to Connections → Identity Providers → Add Provider.
- Select OpenID Connect under Custom. Click Next.
- Under Create IdP Profile, enter a suitable name and description for ADSelfService Plus. You can also customize the icon and login button here.
- Click Continue.
- In the Configure OpenID Connect Connections page, copy the CALLBACK URL as it will be required in a later step.
- Fill in the required fields with details copied in step 4 of prerequisites:
- CLIENT ID: Client ID
- CLIENT SECRET: Client secret
- ISSUER: Issuer
- AUTHORIZATION ENDPOINT: Authorization Endpoint URL
- TOKEN ENDPOINT: Token Endpoint URL
- USERINFO ENDPOINT: User Endpoint URL
- JWKS URI: Keys Endpoint URL
- Click Save and Continue.
- In the Map attributes page, click Save & Finish
ADSelfService Plus (identity provider) configuration steps
- Switch back to ADSelfService Plus' PingOne configuration page.
- Enter the Application Name and Description as per your preference.
- Enter the Domain Name of your PingOne account. For example, if your PingOne username is johnwatts@thinktodaytech.com, then thinktodaytech.com is your domain name.
- Select policies from the Assign policies dropdown, to decide for whom this setting will be applicable.
- Check the box next to Enable OAuth/OpenID Connect.
- Enter the Callback URL you saved in step 7 of PingOne configuration in Login Redirect URL field.
- Scopes specify the level of access the access token has. The scopes are generally provided in the authorization request so, you don't have to specify them here. If the scopes are not mentioned by your service provider, you must add them in this field.
- Click Add Application to save these settings.
- The Well-known Configuration URL in IdP details pop-up contains all the endpoint values, supported scopes, response modes, client authentication modes and client details. This is enabled only after you save the application in ADSelfService Plus. You can provide this to your service provider if required.