All Collections
User Management
Single Sign On
Configuring Single Sign On with Ping Identity
Configuring Single Sign On with Ping Identity
Michael Fatica avatar
Written by Michael Fatica
Updated over a week ago

This article describes setting up single sign-on (SSO) with Ping Identity's PingOne product. This feature must be enabled in your account by a MetaLocator support technician in order to function as shown in this article.

Configuring Ping Identity

Step 1. Create a new Application within PingOne.

Step 2. Choose Manually Enter

Step 3. Obtain your ACS URL

Login to MetaLocator as the Account Owner and obtain the User ID as shown below


The ACS URL will be

https://admin.metalocator.com/plugins/user/oneloginsaml/oneloginsaml.php?acs&id=XXXXX
โ€‹
Where XXXXX is your primary Account Owner's User ID as obtained above.

Entity ID is

metalocator-saml

Under Attribute Mappings, configure the application as shown below:

Configuring MetaLocator

Login as the Account Owner

Important: This must be done in the Owner account. There is only one Owner account for a given customer. Your owner account will be indicated as Owner as shown below:

Go to My User Profile as shown below:

Scroll down and expand Show Advanced Options, then update the following options according to your PingOne settings.

onelogin_saml_idp_domain

Set this to the domain associated with your email address, e.g. customer.com. This ensures that the anonymous link on our login form knows which SSO to invoke based on an incoming email.

Users will be created on the fly based on the email address coming from Okta. The accounts will be created as "blocked" accounts with no access to any MetaLocator features. The requesting user will receive an email notification that their account is pending review and the account owner will receive an email notification that an account is pending review as shown below:

Click the link provided and login as the account owner. Click the username to edit the user. Choose an appropriate user type:

Click Save, then enable the user as shown below. This triggers an email notification to the new SSO user indicating that their login has been enabled.

The email notification is shown below.

When the user logs in, they will now see the resources available to them, based on the type of user chosen above.

Name ID format

If required, the Name ID format is:

urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

Related Articles
Configuring Single Sign On with SalesForce
Configuring Single Sign On with OKTA
Configuring Single Sign On with Microsoft Azure
Mapping user groups and types with SSO
Configuring Single Sign On Only
Did this answer your question?