Configure SAML with Ping Identity
If you use Ping Identity as your SAML identity provider (IdP), you can use the information in this document to set up SAML authentication for your LMS.
These steps assume that you have permissions for modifying your organization’s Ping Identity portal.
Note: These steps reflect a third-party application and are subject to change without our knowledge. However, even if the steps described here do not fully match the screens you see in your IdP account, using these steps along with the IdP’s documentation should still enable you to configure the integration.
Step One: Begin Adding The Integration In The LMS
- While signed in to the LMS as an administrator, go to System > Integration > Single Sign-On (SSO) > SAML Sign-In
- Click the + Add An Integration button.
- Select Ping Identity from the list of SAML Identity provider.
- Keep this screen/tab open for now as we will refer to it later.
Figure 1: Add A New Integration Screen in The LMS
Step Two: Adding The LMS To Your Ping Identity Applications
- In a new tab/window, access Ping Identity.
- In Ping Identity, select the environment you would like to add the the LMS application to.
- Go to Coonections > Add Application.
- Click on the Web App application type, then click the Configure button next to the SAML option.
Figure 2: Ping Identity > Add SAML Application
- Edit the Application Name, entering My LMS.
- Accept other default values for now and click Next.
- Keep this screen/tab open for now as we will refer to it later.
Step Three: Add Service Provider Details To Ping Identity
In this step, we’ll define the service provider values that Ping Identity will need to identify your app.
- On the Add A New Integration screen in the LMS, go to the Service Provider Details section.
- In Ping Identity, under Provide App Metadata, select the option to Manually Enter.
- Copy values from the LMS into the Ping Identity fields as shown below.
| Copy LMS Field Value | to | Ping Identity Configuration Tab Field |
|---|---|---|
| Entity ID | > | Entity ID |
| Assertion Consumer Service / SSO Service | > | ACS URLs |
| Single Logout Service | > | SLO Endpoint |
- Set Subject NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
- Set Assertion Validity Duration to 180.
- Leave all other values as is and click Save & Continue.
Step Four: Defining User Attributes
In this step, we’ll define the information about the user (id, email address, first name, last name) that need to be passed to the LMS.
- In Ping Identity, click the Add Attibute link and select PingOne Attribute.
- In the Pingone User Attribute dropdown, select User ID.
- Under Application Attribute enter "uuid" (without quotations).
- Repeat this sequence three more times, using the fields/values below.
| Pingone User Attribute | > | Application Attribute |
|---|---|---|
| Email Address | > | emailAddress |
| Given Name | > | firstName |
| Family Name | > | lastName |
Note: Even though Ping Identity may provide additional user data that can be passed as parameters, only the paramters listed above are compatible with the LMS; all other values will be ignored.
Step Five: Add Identity Provider Details To The LMS
In this step, you'll provide the LMS with the SAML Identity provider values it needs to communicate with Ping Identity.
- In the Ping Identity Application listing, click on the Configuration tab for the application you just created.
- Copy values from the Configuration tab and paste them into the Identity Provider Details section of the LMS, as shown below.
| Copy Configuration Tab Field Value | to | LMS Field Value |
|---|---|---|
| Issuer ID | > | Entity ID / Issuer URL |
| Single Signon Service | > | SAML 2.0 Endpoint / SSO URL |
| Download Metadata > Open In Text Editor > X509Certificate | > | X.509 Certificate |
After copying values from the SSO tab into the Identity Provider Details section of the LMS, it should look something like this:
Figure 3: LMS Identity Provider Details
Step Six: Finshing Up & Testing
Enable the application in Ping Identity by the toggle button to the right of the application title. At this point you've completed all the necessary
steps to configure the LMS application in Ping Identity.
In the LMS, on the Add A New Integration screen, finish configuring the User Login settings and then click Save
to save the integration in the LMS.
To test your new integration, you'll need to give users access to your new application in Ping Identity before using the newly generated LMS login
link for this integration. For more information on granting users access to your application via Ping Identity, please refer to the IdP's documentation.