Use Ping Identity for SSO authentication

Learn how to use Ping Identity for Single Sign-On (SSO) authentication with SAML 2.0 so members of your organization can sign in to Kobiton using their Ping Identity credentials.

What You’ll Need

Before you begin, make sure you have:

  • An administrator account in both Kobiton and Ping Identity.

  • An active environment in Ping Identity.

Get Kobiton parameters

First, you’ll need to save a copy of your Kobiton SSO attributes so you can easily add them to your IdP later.

Select your profile name or picture, then choose Settings.

Choose SSO Settings.

From Basic configuration, copy the following values and save them to a note:

  • Entity ID (or Audience URL)

  • Reply (or SSO, or ACS) URL

From User attributes (or parameters), copy the following values and save them to a note:

  • email

  • firstName

  • lastName

  • phoneNumber

  • memberOf

You'll finish configuring your Kobiton SSO settings later, so keep this browser window open.

Create a Ping Identity SSO Application

Log in to your Ping Identity admin account.

From the dashboard, choose the default Administrators environment or select another if needed.

Go to Applications, then select the plus icon to add a new app.

On the setup screen, enter a name for your application, such as Kobiton SSO, and choose SAML Application as the application type.

Select Configure, then select Manually Enter on the configuration page.

Paste the following from your Kobiton settings:

  • Reply (or SSO, or ACS) URL into the Reply URL field

  • Entity ID (or Audience URL) into the Entity ID field

Save your changes and continue.

By default, the application is not enabled. You need to manually enable it.

Map Attributes and Download Certificate

Open your newly created application and navigate to the Attribute Mappings tab.

Select the edit icon and add the following mappings:

| Kobiton Attribute | PingOne Attribute |
| --- | --- |
| saml_subject | User ID (default) |
| email | Email Address |
| firstName | Given Name |
| lastName | Family Name |
| phoneNumber | Mobile Phone |
| memberOf | Group Names |

Next, go to the Overview tab and note down the following fields to fill in the Kobiton SSO settings later:

  • Issuer ID

  • Single Signon Service

  • Single Logout Service

Download the Signing Certificate in X.509 PEM format.

Rename the downloaded file to cert.pem.
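Renaming a file changes only its extension, not its encoding, so it is worth confirming that cert.pem really contains a PEM-encoded certificate before uploading it. The following is an added example (not Kobiton or Ping Identity code) that classifies the file as PEM or binary DER, produces a PEM version, and computes a SHA-256 fingerprint you can record for later comparison. `SAMPLE_DER` is a constructed placeholder, not a real certificate, and the assumption is that the upload expects PEM-encoded content.

```python
import base64
import hashlib
import re
import ssl
import sys

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed placeholder bytes that merely start like DER (ASN.1 SEQUENCE).
# This is NOT a parseable certificate; pass your real file on the command line.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def inspect_cert(data: bytes) -> dict:
    """Classify certificate bytes as PEM or DER and fingerprint the DER body."""
    blocks = PEM_RE.findall(data)
    if len(blocks) > 1:
        raise ValueError("file holds more than one certificate")
    if blocks:
        # b64decode ignores the line breaks inside the PEM body.
        encoding, der = "PEM", base64.b64decode(blocks[0])
    elif data[:1] == b"\x30":
        # Binary DER: renaming such a file to .pem does not convert it.
        encoding, der = "DER", data
    else:
        raise ValueError("neither PEM nor DER certificate data")
    return {
        "encoding": encoding,
        "sha256": hashlib.sha256(der).hexdigest(),
        "pem": ssl.DER_cert_to_PEM_cert(der),  # PEM text for the same bytes
    }


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DER
    info = inspect_cert(raw)
    print(info["encoding"], info["sha256"])
```

If the result is `DER`, write the returned `pem` text to cert.pem instead of renaming the original file.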

Create a User and Group in Ping Identity

Create a new user in Ping Identity with the same email address as your Kobiton admin account.

Then create a group and assign this user to the group.

Return to the Ping SSO application, go to the Access tab, and click Edit.

Under Groups, select the group you just created and save your changes.

Refer to the Ping Identity guides on how to:

Add IdP parameters and certificate to Kobiton

Now, you’ll need to add your IdP parameters and certificate to your Kobiton organization. In your SSO Settings, scroll down to Set up at Kobiton side.

Add your IdP parameters and certificate to the following:

  • Identity provider issuer

  • Identity issuer URL

  • Identity provider sign in URL

  • Identity provider sign out URL (optional)

  • Identity provider certificate

    The Identity provider certificate must be a .pem file. If the certificate downloaded from the IdP has a different file extension (such as .cert), rename it to .pem before uploading.

See the mapping table below for the value to use for each parameter.

| Field name | Value mapping |
| --- | --- |
| Identity provider issuer | Ping |
| Identity issuer URL | Issuer ID |
| Identity provider sign in URL | Single Sign-On Service |
| Identity provider sign out URL (optional) | Single Logout Service |

Verify and save configuration

Before continuing, make sure that on the IdP side you have created an account with the same email as the currently logged-in Kobiton account and assigned the new SAML application to that user.

Select Verify to test your SSO configuration.

The system will open a new browser tab to the SSO login page. In this new tab, log in using the account that has the same email as the current Kobiton account.

If you log in successfully, go back to the previous browser tab where SSO Settings is open.

Wait for the SSO Settings page to reload automatically (do not force a reload). A success message then appears under Verify Configuration.

After receiving the success response, select Save to complete your SSO configuration.
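When Verify does not succeed, a common cause is a value copied into the wrong field on one side. The following added example (not Kobiton or Ping Identity code) decodes the base64 `SAMLResponse` form field that the browser posts to the Reply URL and compares its Issuer, Audience, Recipient and attribute names with the values from the steps above. The sample response and all URLs are constructed placeholders, and it assumes an unencrypted assertion and that all five mapped attributes are expected.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names from the "User attributes" step in Kobiton's SSO Settings.
EXPECTED_ATTRS = ("email", "firstName", "lastName", "phoneNumber", "memberOf")


def check_response(b64_response, entity_id, acs_url, issuer_id):
    """Diagnostic only: lists setting mismatches, does NOT verify the signature."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion in response"]
    problems = []
    issuer = assertion.findtext("a:Issuer", "", NS).strip()
    if issuer != issuer_id:
        problems.append(f"Issuer {issuer!r} != Identity issuer URL")
    audience = assertion.findtext(
        "a:Conditions/a:AudienceRestriction/a:Audience", "", NS).strip()
    if audience != entity_id:
        problems.append(f"Audience {audience!r} != Entity ID")
    data = assertion.find(
        "a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if data is None or data.get("Recipient") != acs_url:
        problems.append("Recipient != Reply (ACS) URL")
    sent = {a.get("Name") for a in assertion.iterfind("a:AttributeStatement/a:Attribute", NS)}
    problems += [f"attribute {n!r} not sent" for n in EXPECTED_ATTRS if n not in sent]
    return problems


def sample_response(audience):
    """Constructed, unsigned response without memberOf; URLs are placeholders."""
    attrs = "".join(f'<a:Attribute Name="{n}"/>' for n in EXPECTED_ATTRS[:4])
    xml = (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}"><a:Assertion>'
           '<a:Issuer>https://idp.example/issuer</a:Issuer><a:Subject>'
           '<a:SubjectConfirmation><a:SubjectConfirmationData '
           'Recipient="https://sp.example/acs"/></a:SubjectConfirmation>'
           f'</a:Subject><a:Conditions><a:AudienceRestriction><a:Audience>{audience}'
           '</a:Audience></a:AudienceRestriction></a:Conditions>'
           f'<a:AttributeStatement>{attrs}</a:AttributeStatement>'
           '</a:Assertion></p:Response>')
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    args = ("https://sp.example/entity", "https://sp.example/acs", "https://idp.example/issuer")
    print(check_response(sample_response("https://other.example/entity"), *args))
```

An empty list means the response agrees with the copied settings; signature and certificate validation remain the job of the service provider.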

After verifying and saving the configuration, you can optionally turn on Enforce users to login to Kobiton only through SSO so that users can log in only via SSO.

When SSO login enforcement is turned on:

  • You can exempt existing users from SSO login enforcement by adding their usernames to the Choose users who are allowed to login without SSO field.

  • You also gain access to Specify Organization Access Restrictions with the ability to enable Pass role/team assignments to users in the SAML validations. Choose the method that’s best for your organization.
