Configure SSO with PingOne for Customers

This section explains how to configure Web Console Single Sign-On using your PingOne SAML app.

The PingOne admin UI changes periodically, and the official PingOne SAML 2.0 setup documentation is found here:
https://docs.pingidentity.com/bundle/pingone/page/xsh1564020480660-1.html

Create SAML App in PingOne

1. Log in to the PingOne for Customers Admin Portal.
2. Switch to the Administrators environment (not the End User Sandbox).
3. Click the Connections tab. 
   The Applications windows appear.
4. Click Add Application, then click the Advanced Configuration tile.
5. Under Choose Connection Type to the right of SAML, click Configure.
   The Create App Profile page appears. 
6. Enter your Application Name (for example, LogRhythm Web Console).
7. (Optional) Enter an Application Description (for example, LogRhythm Web Console SAML 2.0 App).
8. (Optional) Choose an icon, if desired.
9. Click Next. 
   The Configure SAML Connection page appears.
10. Enter the following parameters:
    

    • ACS URL. https://<FQDN_or_Hostname_or_IP_of_WebConsole>:8443/saml

      Example ACS URLs

      https://lrwebconsole-denver.companyxyz.com:8443/saml

      https://lrwebconsole-denver:8443/saml

      https://10.51.19.217:8443/saml

      

      If your Web Console uses a port other than the default of 8443, enter your customized port number instead of 8443. For more information, see LogRhythm Web UI.

    • Signing Certificate. PingOne Certificate for Administrators environment

      • Click Download Signing Certificate.
      • Select format X509 PEM (.crt). Save this certificate to be used later.
      • The remaining values can be left as default.

    • Encryption. Leave Enable Encryption unchecked.

    • Entity ID. https://<FQDN_or_Hostname_or_IP_of_WebConsole>

      Example Entity IDs

      https://lrwebconsole-denver.companyxyz.com

      https://lrwebconsole-denver

      https://10.51.19.217

    • SLO Endpoint. Leave blank
    • SLO Response Endpoint. Leave blank
    • Assertion Validity Duration (in seconds). 60
    • Target Application URL. Leave blank
    • Enforce Signed Authn Request. Leave unchecked
    • Verification Certificate (Optional). None
11. Click Save and Continue.
    The SSO Attribute Mapping page appears.

12. Enter the following additional PingOne (not Static) Attributes:

    PingOne User Attribute	Application Attribute	Required
    Email Address	nameID	unchecked
    Given Name	firstName	unchecked
    Family Name	lastName	unchecked

13. Click Save and Close. 
    The Applications page appears.
14. Enable User Access to this Application by clicking the toggle button.
15. Click the Identities tab.
16. Add or enable the users who need to access the LogRhythm Web Console.
17. Your SAML app configuration is now complete.

Enable Single-Sign On in the LogRhythm Web Console (Admins Only)

1. Log in to the Web Console with an administrator account or with an account that has "SSO Management (Web Console)" and "Manage User Profiles" permissions..
2. In the upper-right corner, click the Administration drop-down icon, then click Single Sign-On.
   The Single Sign-On Configuration menu appears.
3. Click the Single Sign-On Enabled button. The menu expands to reveal configuration fields.

4. Enter the following parameters:

   

   If you want to choose a User Profile that is specific to newly-created SSO users, consider creating the desired User Profile in the SIEM before this step.

   Name	Description	Example Format
   Web Console Callback URL	The ACS URL from the PingOne Admin portal.	https://<FQDN_or_Hostname_or_IP_of_WebConsole>:8443/saml
   Web Console Identifier (Entity ID)	The Entity ID from the PingOne Admin portal.	https://<FQDN_or_Hostname_or_IP_of_WebConsole>
   IdP Entry Point	Paste in this value from the PingOne Single Sign-on Service.
   IdP Certificate	The Signing Certificate you downloaded from the PingOne Admin portal (PingOne Certificate for Administrators environment).	Open the certificate in a text editor, and copy and paste the contents into this field.
   Default User Profile	The User Profile to be assigned via User Auto-Provisioning to new SSO users.

   

   If you do not see all of the expected User Profiles in the drop down menu, contact your SIEM administrator to make sure they have enabled your Manage User Profiles and Single Sign-On Management (Web Console) permissions.

5. Click Save. 

   

   While saving, your Web Console will temporarily disconnect and you will see either Reconnecting or Disconnected status in the upper-right corner.

   Refresh your browser if prompted to do so.

6. After your Web Console refreshes and the status shows Connected, your SSO for the Web Console is enabled.
7. In the upper-right corner, click the User drop-down icon, and then click Logout.