PingOne Integration for Scalefusion Dashboard

Security Assertion Markup Language (SAML) simplifies federated authentication and authorization by providing a secure, standardized way to pass user authentication and authorization data between an identity provider and service providers.

Scalefusion users can now be migrated to SAML-based sign-in. This capability strengthens the security of Scalefusion user accounts in the Mobile Device Management context, because authentication is delegated to the organization's identity provider.

How does it Work

There are two main entities here: the Identity Provider and the Service Provider. In our case, Scalefusion is the Service Provider, which relies on authentication performed elsewhere, and the Identity Provider is the party that authenticates the user and issues the authorization. Scalefusion supports Okta and PingOne as Identity Providers that perform authentication for Scalefusion users.

When a user logs in to a SAML-enabled application (Scalefusion), the application requests authentication from Okta/PingOne (whichever the user's organization uses). Okta/PingOne authenticates the user, returns a signed assertion for that user to Scalefusion, and the user is logged in to the Scalefusion application.

A few settings must be configured on both the Identity Provider (Okta/PingOne) and the Service Provider (Scalefusion) to establish standardized communication between the two.

This document describes in detail all the steps to integrate Scalefusion with PingOne and make it SAML enabled.

Currently, the integration is implemented only for the Scalefusion Dashboard, not on the client side.

Before You Begin

  1. A valid Scalefusion Dashboard account
  2. A valid PingOne subscription

Steps

In a nutshell, the steps for SAML integration are:

  1. Create Application on PingOne
  2. Configure SAML based Sign-In on Scalefusion Dashboard
  3. Add users on PingOne and Migrate Admins for SAML based Sign In

Step 1: PingOne SAML Setup for Scalefusion (Create SAML Integration)

Create Integration
  1. Sign In to PingOne
  2. Make sure you are in the Administrator environment (check the top right corner of the page)
  3. On the top of the page, click Connections
  4. On the left, click Applications and then + Add Application
  5. Select Application type as Web App and Connection type as SAML. Click on Configure.
  6. This opens Create App Profile page. Enter the following information:
  • Application name: A unique identifier for the application. Enter Scalefusion as the application name
  • Description (optional): A brief characterization of the application.
  • Icon (optional): A pictorial representation of the application. Use a file up to 1MB in JPG, JPEG, GIF, or PNG format.

Click Next

  7. Configure SAML - Create the integration between Scalefusion and PingOne
  • ACS URLs - This URL is required and serves as the default ACS URL value for the Service Provider (SP), that is, Scalefusion.
This URL is available as the Single Sign On URL on the Scalefusion dashboard under Admins and Roles > Sign In Settings > Configure SAML Sign In

  • SIGNING CERTIFICATE - The certificate that confirms that requests, responses, and assertions actually came from the identity provider.
    • Select Sign Assertion & Response
    • Signing Algorithm - Select RSA_SHA256
  • Entity ID - The service provider's entity ID used to look up the application. Copy the Audience URI (SP Entity ID). It is available on the dashboard under Admins and Roles > Sign In Settings > Configure SAML Sign In > Audience URI (SP Entity ID).
  • SLO Endpoint and SLO Response Endpoint - Copy the respective URLs from the dashboard and paste here. SLO Response Endpoint is optional.
The SLO Endpoint and SLO Response Endpoint URLs will be displayed on Scalefusion Dashboard only when you select PingOne as SAML Provider.
  • SLO Binding - Choose HTTP POST
  • Assertion Validity Duration (In seconds) - The maximum amount of time that an assertion is valid (in seconds). The assertion validity duration must be between 60 and 3932100 seconds. For example, enter 60. A shorter duration limits the window in which an intercepted assertion could be replayed.

Click Save and Continue

  8. Map Attributes - Here you define which PingOne user attribute is sent as the SAML subject, so that Scalefusion can identify the authenticating user.
  • PingOne User Attribute: From the drop-down, select Email address
  • Application Attribute: saml_subject

Click Save and Close.

The application is configured. For more information on creating an application, refer to PingOne's documentation.

Step 2: Configure SAML based Sign-In on Scalefusion Dashboard

Scalefusion IT Admins need to configure SAML settings inside Scalefusion so that they can migrate to SAML sign-in. This is the main step that associates an organization's account with SAML authentication and also lets Admins control the related settings.

Prerequisites

Only Account Owner or Co-Account owner can configure SAML settings on Scalefusion dashboard.

Setup Instructions for Scalefusion Application

To configure settings in the Scalefusion application, certain details such as the Issuer URL and the SSO/SLO endpoints are required. These are fetched from PingOne.

  1. On PingOne Admin Console, go to Applications
  2. You will see the application name Scalefusion (created above)
  3. Enable the application using the toggle button on the right and click the down arrow to expand it
  4. Go to Configurations tab. This contains all settings required for configuration

Configuration steps on Scalefusion Dashboard
  1. On Scalefusion Dashboard, navigate to Account Profile -> Admins and Roles -> Sign-in Settings
  2. Under Configure SAML Sign-In, enter the following:
    1. Select SAML provider: Select PingOne
    2. Issuer URL: It is the Issuer ID (from the Configuration page on PingOne). Copy it and paste here.
    3. SAML SSO Endpoint: It is the Single Sign-On Service (from the Configuration page on PingOne). Copy it and paste here
    4. SAML SLO Endpoint: It is the Single Logout Service (from the Configuration page on PingOne). Copy it and paste here
    5. X.509 Certificate: Upload the certificate. The X.509 certificate has to be downloaded from Configuration > SAML Settings.
      To download the certificate, navigate to the Configuration page on PingOne, click SAML SETTINGS below CONNECTION DETAILS, click the Edit icon and download the certificate in X509 PEM (.crt) format.
  3. Click Save
  4. You will get a confirmation box. Click OK
  5. You will be redirected to PingOne sign-in for confirmation. Enter the username and password that you used to sign up on PingOne and perform the SAML setup (Step 1). This prompt appears only if you are not already signed in to PingOne.
  6. Once authentication succeeds, you will be redirected to the page for setting a PIN.
    Setting up the PIN is a one-time step
  7. Creating a Security PIN: A security PIN helps in authorizing certain actions on Dashboard which will require a two-step confirmation. This helps in preventing accidental deletes/edits of important data from Dashboard. To create a Security PIN please complete the steps below,
  • Name: You can Add/Edit the name.
  • Phone Number: This is optional. Here you can edit the phone number.
  • Create New PIN/Confirm PIN: Choose a 6-digit PIN that will be required to authorize certain actions on the Dashboard as and when required.
  • Click ACCESS DASHBOARD to complete the SAML setup.

Once the PIN is confirmed, the account is marked as SAML account.

  8. The user lands on Sign In Settings with a dialog to select the admin accounts they want to migrate to SAML-based sign-in. The user can choose MIGRATE or choose the option LATER. In the screenshot below the Migrate button is disabled because there are no admins available who can be migrated.

The SAML settings are successfully configured. On Sign In settings page you will see additional buttons to Disable SAML and Migrate Admins.

The next time this user signs in, they will not be asked to enter a password because they are authenticated against the provider (PingOne). This is also visible on Scalefusion's Sign In screen, where the Password field is absent.
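As an added defender-side check that is not part of Scalefusion's or PingOne's documentation, the Python below parses a SAML Response and compares it with the values exchanged in Steps 1 and 2: ACS URL, SP Entity ID, Issuer URL, RSA_SHA256 signatures on both Response and Assertion, an email-address NameID for saml_subject, and the assertion validity window. All hosts are hypothetical and the sample response is constructed; the script only checks that signatures are present with the expected algorithm and does not cryptographically verify them against the uploaded X.509 certificate.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Values as copied between the two consoles in Steps 1 and 2 (hypothetical hosts).
EXPECTED = {"issuer": "https://auth.pingone.example/idp",        # Step 2: Issuer URL
            "acs_url": "https://sp.example.com/saml/acs",         # Step 1: ACS URL
            "entity_id": "https://sp.example.com/saml/metadata",  # Step 1: Entity ID
            "max_validity_s": 60}                                 # Step 1: validity duration
SIG = '<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="%s"/></ds:SignedInfo></ds:Signature>' % RSA_SHA256
# Constructed, minimal response shaped like what the IdP would post to the ACS URL.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
 xmlns:ds="{NS['ds']}" Destination="https://sp.example.com/saml/acs">
 <saml:Issuer>https://auth.pingone.example/idp</saml:Issuer>{SIG}
 <saml:Assertion><saml:Issuer>https://auth.pingone.example/idp</saml:Issuer>{SIG}
  <saml:Subject><saml:NameID Format="{EMAIL_FMT}">admin@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:01:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""

_ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))  # SAML timestamps are UTC with 'Z'

def check_response(xml_text, expected=EXPECTED):
    """Return a list of findings; an empty list means every configured value matched."""
    r = ET.fromstring(xml_text)
    a = r.find("saml:Assertion", NS)
    if a is None: return ["no Assertion element"]
    findings = []
    if r.findtext("saml:Issuer", namespaces=NS) != expected["issuer"]:
        findings.append("Issuer does not match the configured Issuer URL")
    if r.get("Destination") != expected["acs_url"]:
        findings.append("Destination is not the configured ACS URL")
    if a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS) != expected["entity_id"]:
        findings.append("Audience is not the SP Entity ID")
    for label, el in (("Response", r), ("Assertion", a)):  # 'Sign Assertion & Response' setting
        m = el.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
        if m is None:
            findings.append(f"{label} carries no signature")
        elif m.get("Algorithm") != RSA_SHA256:
            findings.append(f"{label} signature algorithm is not RSA_SHA256")
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid is None or nid.get("Format") != EMAIL_FMT:  # Email address -> saml_subject mapping
        findings.append("NameID (saml_subject) is not an email address")
    cond = a.find("saml:Conditions", NS)
    window = (_ts(cond.get("NotOnOrAfter")) - _ts(cond.get("NotBefore"))).total_seconds()
    if window > expected["max_validity_s"]:
        findings.append(f"assertion window of {window:.0f}s exceeds {expected['max_validity_s']}s")
    return findings
```

Run it against a response captured from your own browser's SAML trace to confirm the values you pasted into both consoles actually line up.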

Migrate Admins to SAML based Sign In

Once an account admin has migrated to SAML, the other admins can be migrated right after the first-time setup, or later.

Prerequisite

The admins being migrated must have access to the Scalefusion app and must be added as users in PingOne.

Adding Users on PingOne

The users whose accounts will be enabled for SAML sign-in need to be added in PingOne. To do so, follow these steps:

  1. On PingOne Admin Console, go to Identities
  2. This opens the Users section. Click on the button Add User. This opens the Add User window.
  3. Here, enter the required details such as First Name, Last Name, username, password, etc.
    The user must enter this username and password to authenticate when signing in to Scalefusion after their account is configured for SAML.
  4. Click Save

Migrating Admins

There are two ways to migrate admins to SAML based Sign In:

Sign In Settings page
  1. Navigate to Admins and Roles > Sign In Settings
  2. Under Configure SAML Sign In, click on the button MIGRATE ADMINS
  3. A dialog box comes up showing all those admin accounts which can be migrated to SAML based sign in. Select the admin accounts that have to be migrated and click on Migrate

The admin gets migrated to SAML based Sign In.

Administrators section
  1. Navigate to Admins and Roles > Administrators
  2. Click on the action menu in front of the admin for which SAML based Sign In has to be enforced, and select Enforce SAML Sign In
  3. A dialog box comes up to confirm that the admin has access to the Scalefusion app. Click OK

SAML Sign in is enforced for the admin.

Note that a Reset PIN option appears in the action menu along with Edit and Delete

An admin's account can also be SAML-enabled at the time of account creation. To do so, follow these steps:

  1. Navigate to Admins and Roles > Administrators
  2. Click on ADD NEW ADMIN
  3. This opens the Add Admin dialog box. In Admin Types choose the option Allow Sign Up using SAML Sign In
  4. The Last Seen status for this admin will show as Not Logged In Yet until they sign in on the Scalefusion Dashboard.

Disable SAML

To disable the SAML configuration (only the Account Owner or Co-Account Owner can do this),
  1. Navigate to Admins and Roles > Sign In Settings
  2. Under Sign In Settings click on the button DISABLE
  3. The following dialog box asks you to set a password. This password will be used to sign in once SAML settings are disabled. Click Save after entering the password.
The SAML configuration for all related admin accounts (those with SAML Sign In enforced) is also disabled. They will receive an email with the password to sign in.

Behavior for O365/GSuite users

GSuite or O365 users can also be migrated to the SAML-based configuration with the same process. Once migrated to SAML, they will not be able to use any GSuite/O365 features. After the SAML configuration is disabled, all of those features can be used again.

Two Factor Authentication

If two-factor authentication is enabled on an account and SAML is configured, then at the time of sign-in:

  1. The user is redirected to the PingOne login page
  2. Once validation succeeds, the user lands on Scalefusion's 2-Factor Authentication page, where they must enter the verification code to complete authentication and are then signed in.
