Configure SSO with PingOne for Enterprise
This section explains how to configure Web Console Single Sign-On using your PingOne SAML app.
The PingOne admin UI changes periodically; the official PingOne SAML 2.0 setup documentation is available here:
https://docs.pingidentity.com/bundle/pingone/page/xsh1564020480660-1.html
Create SAML App in PingOne
- Log in to the PingOne Admin Portal.
- Click the Applications tab.
- Under My Applications, click Add Application, then click New SAML Application.
The Application Details page appears.
- Enter your Application Name (for example, LogRhythm Web Console).
- Enter your Application Description (for example, LogRhythm Web Console SAML 2.0 App).
- In the Category field, choose Compliance.
- Click Continue to Next Step.
The Application Configuration page appears.
- Enter the following parameters:
  - Select I have the SAML configuration.
  - Signing Certificate: PingOne Account Origination Certificate
  - Protocol Version: SAML 2.0
  - Assertion Consumer Service (ACS): https://<FQDN_or_Hostname_or_IP_of_WebConsole>:8443/saml
    Example ACS values:
    https://lrwebconsole-denver.companyxyz.com:8443/saml
    https://lrwebconsole-denver:8443/saml
    https://10.51.19.217:8443/saml
    If your Web Console uses a port other than the default of 8443, enter your customized port number instead of 8443. For more information, see LogRhythm Web UI.
  - Entity ID: https://<FQDN_or_Hostname_or_IP_of_WebConsole>
- The remaining values can be left as default.
- Click Continue to Next Step.
The SSO Attribute Mapping page opens.
- Enter the following parameters:

| Application Attribute | Identity Bridge Attribute or Literal Value | Required |
| --- | --- | --- |
| firstName | First Name | unchecked |
| lastName | Last Name | unchecked |

- Click Continue to Next Step.
The Group Access page appears.
- Choose or search for the appropriate user group(s) who need to have Web Console SSO access.
- Click Add.
- Click Continue to Next Step.
The Review Setup page appears.
- The Issuer field contains the PingOne URL. Copy the PingOne URL to your clipboard. You will need it to replace the value WillNeedToEditLater in a later step.
- Click Edit.
The Application Details page appears.
- Do not make any changes, and click Continue to Next Step.
The Application Configuration page appears.
- In the Entity ID field you will see the value WillNeedToEditLater. Replace this value with the PingOne URL you copied from the Issuer field in an earlier step.
- Click Continue to Next Step three times to advance to the Review Setup page.
The Review Setup page appears.
- Confirm that the Issuer and Entity ID fields contain the same value.
- Copy the values from the following fields, and paste the values to a temporary location:
- Entity ID
- Initiate Single Sign-On (SSO) URL (entry point)
- Download the Signing Certificate, and open it in a text editor.
Enable Single-Sign On in the LogRhythm Web Console (Admins Only)
- Log in to the Web Console with an administrator account or with an account that has "SSO Management (Web Console)" and "Manage User Profiles" permissions.
- In the upper-right corner, click the Administration drop-down icon, then click Single Sign-On.
The Single Sign-On Configuration menu appears.
- Click the Single Sign-On Enabled button. The menu expands to reveal configuration fields.
- Enter the following parameters:
  If you want to choose a User Profile that is specific to newly-created SSO users, consider creating the desired User Profile in the SIEM before this step.

| Name | Description | Example Format |
| --- | --- | --- |
| Web Console Identifier (Entity ID) | The Entity ID you copied from the PingOne Admin portal. | |
| Web Console Callback URL | The URL containing the FQDN, hostname, or IP address of the Web Console. | https://<FQDN_or_Hostname_or_IP_of_WebConsole>:8443/saml |
| IdP Entry Point | The Initiate Single Sign-On (SSO) URL (entry point) you copied from the PingOne Admin portal. | |
| IdP Certificate | The Signing Certificate you downloaded from the PingOne Admin portal. Open the certificate in a text editor, and copy and paste the contents into this field. | |
| Default User Profile | The User Profile to be assigned via User Auto-Provisioning to new SSO users. If you do not see all of the expected User Profiles in the drop-down menu, contact your SIEM administrator to make sure they have enabled your Manage User Profiles and Single Sign-On Management (Web Console) permissions. | |

- Click Save.
  While saving, your Web Console will temporarily disconnect and you will see either Reconnecting or Disconnected status in the upper-right corner.
  Refresh your browser if prompted to do so.
- After your Web Console refreshes and the status shows Connected, your SSO for the Web Console is enabled.
- In the upper-right corner, click the User drop-down icon, and then click Logout.
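The values copied between the PingOne Review Setup page and the Web Console Single Sign-On menu are easy to mistype, and a mismatch (Issuer not equal to Entity ID, a placeholder left in place, a callback URL on the wrong port, or a certificate pasted without its BEGIN/END lines) only shows up as a failed login later. The following Python script is an added example, not part of the LogRhythm or PingOne documentation: it derives the ACS URL and Entity ID for a given Web Console host and port (the values from the Application Configuration step), checks the copied Issuer, Entity ID and entry-point URL for consistency (the Review Setup check), and sanity-checks the downloaded signing certificate before it is pasted into the IdP Certificate field. The host, issuer URL, entry-point URL and certificate bytes are constructed placeholders, not values from a real tenant.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

# Constructed sample values (assumptions for this example, not from a real tenant).
SAMPLE_HOST = "lrwebconsole-denver.companyxyz.com"
SAMPLE_ISSUER = "https://pingone.example/idp/EXAMPLE-ISSUER-ID"       # placeholder Issuer URL
SAMPLE_SSO_URL = "https://pingone.example/idp/EXAMPLE-ISSUER-ID/sso"  # placeholder entry point
# A deliberately tiny, non-real DER SEQUENCE (bytes 30 03 02 01 05) in PEM armour,
# saved with CRLF line endings the way a Windows text editor would write it.
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\r\nMAMC\r\nAQU=\r\n-----END CERTIFICATE-----\r\n"

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def build_sp_endpoints(host: str, port: int = 8443) -> dict:
    """Derive the two service-provider values the procedure asks for.

    The ACS URL carries the Web Console port (8443 unless customised); the
    Entity ID is the bare https URL of the Web Console without port or path.
    """
    if not host or "/" in host or any(ch.isspace() for ch in host):
        raise ValueError("host must be a bare FQDN, hostname or IP address")
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is out of range")
    return {"acs_url": f"https://{host}:{port}/saml", "entity_id": f"https://{host}"}


def validate_pingone_values(issuer: str, entity_id: str, sso_url: str, acs_url: str) -> list:
    """Check the values copied from the PingOne Review Setup page.

    Returns a list of human-readable problems; an empty list means the values
    are consistent with the procedure (Issuer == Entity ID, https URLs, /saml ACS).
    """
    problems = []
    issuer, entity_id = issuer.strip(), entity_id.strip()
    if entity_id == "WillNeedToEditLater":
        problems.append("Entity ID is still the placeholder WillNeedToEditLater")
    if issuer != entity_id:
        problems.append("Issuer and Entity ID differ; replace Entity ID with the Issuer value")
    for name, url in (("IdP Entry Point", sso_url), ("ACS URL", acs_url)):
        parts = urlsplit(url.strip())
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"{name} must be an absolute https:// URL, got {url!r}")
    if urlsplit(acs_url.strip()).path != "/saml":
        problems.append("ACS URL must end in /saml to match the Web Console callback")
    return problems


def check_signing_certificate(pem_text: str) -> dict:
    """Sanity-check the downloaded signing certificate before pasting it.

    Tolerates CRLF line endings and surrounding whitespace, rejects files with
    no or several certificates, and confirms the payload decodes to a DER
    SEQUENCE. Returns the DER length and the SHA-256 fingerprint so the value
    can be compared with what the IdP shows and recorded with the change.
    """
    blocks = _PEM_BLOCK.findall(pem_text)
    if not blocks:
        raise ValueError("no CERTIFICATE block found; copy the file including the BEGIN/END lines")
    if len(blocks) > 1:
        raise ValueError("more than one certificate in the file; paste only the signing certificate")
    body = "".join(blocks[0].split())  # drop line breaks and indentation
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"certificate body is not valid base64: {exc}") from None
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE; this is not an X.509 certificate")
    return {"der_bytes": len(der), "fingerprint_sha256": hashlib.sha256(der).hexdigest()}


if __name__ == "__main__":
    sp = build_sp_endpoints(SAMPLE_HOST)
    print("Enter in PingOne:", sp)
    for problem in validate_pingone_values(SAMPLE_ISSUER, SAMPLE_ISSUER, SAMPLE_SSO_URL, sp["acs_url"]):
        print("PROBLEM:", problem)
    print("Signing certificate:", check_signing_certificate(SAMPLE_CERT_PEM))
```

Run it with the real host and the values pasted from the Review Setup page; an empty problem list and a fingerprint that matches the certificate shown in PingOne mean the Web Console fields can be filled in as the table above describes. The fingerprint is also worth keeping with the change record so a later certificate rotation on the IdP side is easy to spot.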