Eptura Knowledge Center

Enable SSO for Eptura User

Level: Eptura Implementation team / Client IT team

Eptura supports SSO through a PingFederate integration with your identity provider, and this article details how to configure it for Microsoft Entra ID (Azure AD). It is written for administrators and assumes familiarity with PingFederate and basic identity management concepts.


Prerequisites


Before configuring SSO for Eptura, make sure you have a Microsoft Entra ID (Azure AD) tenant; the IdP connection in PingFederate that enables SSO login is built against it. Additionally, your Super Admin must be defined in Entra ID with the First Name, Last Name and Email Address properties completed: First Name and Last Name populate the given_name and family_name claims that the connection maps in Step 1.3.

Step 1. Integrate PingFederate with Azure AD


Below are the steps for PingFederate integration.

Step 1.1 Create Azure EntraID App Registration for PingFederate Integration (Client Team)

  1. Sign in to Microsoft Azure https://azure.microsoft.com/en-us/
Primary Domain Name
  1. From the menu, navigate to Microsoft EntraID > Overview.
  2. Copy the Primary domain name and paste this into a text editor as we will use this later in the steps.

App Registrations
  1. From the menu, navigate to Manage > App Registrations.
  2. Click the New Registration button and the Register an application screen displays.

  1. In the Name field, enter a name for the app that will integrate this Entra ID tenant with Eptura's PingFederate instance, for example PingFederate Integration.
  2. For "Who can use this application or access this API?", select Accounts in this organizational directory only - Single tenant. This restricts sign-in through the app to accounts in your own directory.
  3. From the Redirect URI (optional) drop-down, select Web. Leave the URI value empty for now; it is set in Step 1.5 once PingFederate has provided it.
  4. Click the Register button and the application is registered.
Application (client) ID
  1. From App registrations, open Overview.
  2. Copy the Application (client) ID and paste it into a text editor as we will use it later in the steps.

Endpoints
  1. Click the Endpoints tab and the Endpoints form displays.
  2. Browse the list to find OpenID Connect metadata document.
  3. Copy the value but drop everything after /v2.0/, that is, drop the trailing .well-known/openid-configuration. What remains, https://login.microsoftonline.com/<tenant ID>/v2.0, is the OpenID Connect issuer for your tenant; paste it into a text editor as we will use it later in the steps.
  4. Click the X icon to close the Endpoints form.
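The truncation rule in step 3, and the check PingFederate performs when it loads the metadata in Step 1.3 (the issuer in the discovery document must equal the value you entered), expressed in code. This is an added example, not part of the Eptura article or of PingFederate. It assumes the Entra ID v2.0 discovery URL layout; the tenant ID and the discovery document below are constructed placeholders, and load_discovery_document is only for an optional live check.

```python
"""Added example (not from the Eptura article): derive the PingFederate
Issuer from the Entra ID 'OpenID Connect metadata document' URL and check a
discovery document against it, which is the consistency check PingFederate's
Load Metadata button performs. Tenant ID and document below are constructed."""
import json
from urllib.parse import urlparse
from urllib.request import urlopen

WELL_KNOWN = "/.well-known/openid-configuration"


def issuer_from_metadata_url(metadata_url: str) -> str:
    """Step 1.1 item 3: keep everything up to /v2.0 and drop the rest.
    https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration
    becomes https://login.microsoftonline.com/<tenant>/v2.0"""
    if not metadata_url.endswith(WELL_KNOWN):
        raise ValueError("not an OpenID Connect metadata document URL: " + metadata_url)
    return metadata_url[: -len(WELL_KNOWN)].rstrip("/")


def check_discovery_document(doc: dict, expected_issuer: str) -> list:
    """Return the problems found (empty list = consistent). The issuer must
    equal the value configured in PingFederate, must be tenant-specific for a
    single-tenant app, and the endpoints must be https on the issuer's host."""
    problems = []
    issuer = doc.get("issuer", "")
    if issuer != expected_issuer:
        problems.append(f"issuer mismatch: document says {issuer!r}, configured {expected_issuer!r}")
    if "/common/" in issuer + "/":
        problems.append("issuer is the multi-tenant 'common' endpoint; a single-tenant issuer is expected")
    issuer_host = urlparse(issuer).hostname
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{key} is not https: {url}")
        if parsed.hostname != issuer_host:
            problems.append(f"{key} host {parsed.hostname!r} differs from issuer host {issuer_host!r}")
    return problems


def load_discovery_document(metadata_url: str) -> dict:
    """Live fetch of the metadata document (what Load Metadata does).
    Not used by the offline sample run below."""
    with urlopen(metadata_url, timeout=10) as resp:
        return json.load(resp)


# Constructed sample: a made-up tenant ID and the four fields checked above,
# laid out the way Entra ID's v2.0 discovery document presents them.
TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_METADATA_URL = f"https://login.microsoftonline.com/{TENANT}/v2.0{WELL_KNOWN}"
SAMPLE_DISCOVERY_DOC = {
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
}

if __name__ == "__main__":
    issuer = issuer_from_metadata_url(SAMPLE_METADATA_URL)
    print("issuer to enter in PingFederate:", issuer)
    print("problems:", check_discovery_document(SAMPLE_DISCOVERY_DOC, issuer) or "none")
```

The discovery document always reports the issuer with the tenant's GUID, so if you typed a domain-name form of the tenant in place of the GUID, the value PingFederate stores after Load Metadata differs from what you typed; that is the "issuer was updated" message in Step 1.3.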
Certificates & secrets
  1. From the menu, select Manage > Certificates & secrets.
  2. Click New client secret and the Add a client secret form displays.
  3. In the Description field, enter a short description. For example pingsecret1.
  4. From the Expires drop-down, set the expiration to 730 days (24 months).
  5. Click the Add button and the application credentials are saved.

A client secret value is generated and shown only once, at creation time; copy it now, because it cannot be retrieved later (you would have to create a new secret). Keep the copy in a secured location such as a password manager or secrets vault, and hand it to Eptura over a secure channel rather than in plain e-mail or chat: it is a credential that lets its holder obtain tokens as this application.

Remember to note the expiry date: the secret must be refreshed 30 days before it expires and the new value shared with Eptura, otherwise SSO logins fail once the old secret expires.
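A small check the client team can run to keep the 30-day refresh rule above from being missed. This is an added example, not part of the Eptura article. It assumes the passwordCredentials shape returned by the Azure CLI command `az ad app credential list --id <Application (client) ID>` (endDateTime, keyId, displayName fields); the credentials and the clock below are constructed so the sample run is reproducible.

```python
"""Added example (not part of the Eptura article): list the client secrets
on the app registration and flag those inside the 30-day rotation window
the article asks the client team to honour. Input is the passwordCredentials
shape returned by `az ad app credential list --id <Application (client) ID>`
(endDateTime, keyId, displayName); the sample below is constructed and the
clock is fixed so the run is reproducible."""
import json
import re
import sys
from datetime import datetime, timedelta, timezone

ROTATION_LEAD_DAYS = 30  # article: refresh the secret 30 days before it expires


def parse_graph_datetime(value: str) -> datetime:
    """Microsoft Graph timestamps look like 2026-03-01T00:00:00.0000000Z.
    Drop the fractional seconds (7 digits, which older fromisoformat rejects)
    and map Z to +00:00 so the result is timezone-aware UTC."""
    value = re.sub(r"\.\d+", "", value)
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:  # assumption: a naive timestamp is UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def secret_status(credentials: list, now: datetime, lead_days: int = ROTATION_LEAD_DAYS) -> list:
    """One row per secret: days left, the date by which a replacement must be
    in place (expiry minus the lead time), and whether that date has passed.
    Sorted so the most urgent secret comes first; an expired secret has a
    negative days_left and is flagged too."""
    rows = []
    for cred in credentials:
        expires = parse_graph_datetime(cred["endDateTime"])
        days_left = (expires - now).days
        rows.append({
            "name": cred.get("displayName"),
            "keyId": cred.get("keyId"),
            "expires": expires.date().isoformat(),
            "rotate_by": (expires - timedelta(days=lead_days)).date().isoformat(),
            "days_left": days_left,
            "rotate_now": days_left <= lead_days,
        })
    return sorted(rows, key=lambda r: r["days_left"])


# Constructed sample in the az / Graph shape; key IDs are placeholders.
SAMPLE_CREDENTIALS = [
    {"displayName": "pingsecret1", "keyId": "aaaaaaaa-0000-0000-0000-000000000001",
     "endDateTime": "2026-03-01T00:00:00.0000000Z"},
    {"displayName": "pingsecret2", "keyId": "aaaaaaaa-0000-0000-0000-000000000002",
     "endDateTime": "2027-01-15T00:00:00Z"},
]
SAMPLE_NOW = datetime(2026, 2, 10, tzinfo=timezone.utc)  # fixed clock for the sample

if __name__ == "__main__":
    # Real data:  az ad app credential list --id <app id> | python3 this_script.py
    live = not sys.stdin.isatty()
    creds = json.load(sys.stdin) if live else SAMPLE_CREDENTIALS
    now = datetime.now(timezone.utc) if live else SAMPLE_NOW
    for row in secret_status(creds, now):
        flag = "ROTATE NOW" if row["rotate_now"] else "ok"
        print(f"{row['name']:<14} expires {row['expires']}  rotate by {row['rotate_by']}  "
              f"({row['days_left']} days left) {flag}")
```

Run it from a scheduled job or a pipeline step so that the rotate_by date is acted on well before the 30-day window closes; the secret value itself is never part of this listing, only its metadata.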

Provide the following information to the Eptura Implementation team:

  • Primary domain name
  • Application (client) ID
  • OpenId Connect metadata document
  • Client secret value
Optional - Test the sync with the Eptura Platform Tenant

If you want to test with a few users first, before syncing all directory users with Eptura, restrict the application to assigned users:

  1. From the main menu, click Enterprise applications.
  2. Click the application name. For example PingFederate Integration.
  3. From the menu, click Manage > Properties.
  4. For Assignment required?, select Yes, then assign the test users (or a group) to the application under Manage > Users and groups.

When this is set to No, every user in the directory can sign in through the application and all of them will sync with Eptura.

Step 1.2 Get Redirect URIs from PingFederate (Implementation Team)

  1. Sign in to PingFederate https://ssoadmin.epturacloud.com/render/pingfederate/app
  2. Click the Applications tab.

When you are onboarded, three OAuth clients are created automatically, distinguished by the suffix of their Client ID and Client Name:

  • _epturaPFHost (this is your Ping application)
  • _tenantAppService
  • _scimUsers

Step 1.3 Create an IDP connection in PingFederate (Implementation Team)

  1. Click the Authentication tab.
  2. Click the IdP Connections tile and the IdP Connections screen displays.
  3. Scroll down the page and click the Create Connection button. The new connection wizard opens.
  4. Check the Browser SSO Profiles check box.
  5. From the Protocol drop-down, select OpenID Connect.
  6. Click the Next button.
  7. Check the OAuth Attribute Mapping check box.
  8. Click the Next button and the General Info tab displays.

The General Info tab is where you enter the information the customer provided (above).

  1. In the Issuer field, enter the truncated OpenID Connect metadata document value from Endpoints (above), that is, the https://login.microsoftonline.com/<tenant ID>/v2.0 issuer.
  2. Click the Load Metadata button. You should see the message "Metadata successfully loaded. The issuer was updated to match the `iss` value from the discovery endpoint." PingFederate has fetched <issuer>/.well-known/openid-configuration and taken the authorization, token and JWKS endpoints from it; if the load fails, correct the issuer value rather than continuing.
  3. In the Connection Name field, enter the Primary Domain Name from Primary Domain Name (above).
  4. In the Client ID field, enter the Application (client) ID from Application (client) ID (above).
  5. In the Client Secret field, enter the client secret value from Certificates & secrets (above).
  6. Click the Next button and the Browser SSO tab displays.
  7. Click the Configure Browser SSO button.

  1. Click the Configure User-Session Creation button and the User-Session Creation screen displays.
  2. Click the Identity Mapping tab.
  3. Select the No Mapping option, because the connection will be used within an authentication policy.
  4. Click the Next button.
  5. Scroll to the end of the screen and add the following attributes:
     • family_name
     • given_name
  6. Click the Done button and the Browser SSO screen displays.

  1. Click the Next button to display the OAuth Attribute Mapping screen.
  2. Click the Configure OAuth Attribute Mapping button.
  3. For USER_KEY, set Source to Provider Claims and Value to preferred_username.
  4. For USER_NAME, set Source to Provider Claims and Value to preferred_username.
  5. Click the Next button to display the Issuance Criteria tab.
  6. Click the Next button to display the Summary tab.
  7. Click the Done button to display the Browser SSO screen.
  8. Click the Next button to display the Protocol Settings tab.
  9. Click the Next button to display the Summary tab.
  10. Click the Done button to display the IdP Connection screen.

Note that Entra ID documents preferred_username as a mutable claim: it follows the user's sign-in name, so renaming a user in Entra ID changes the value that Eptura keys the user on.

  1. Click the Next button to display the Activation & Summary tab.
Redirect URL

The Activation & Summary tab displays the connection's Redirect URI; it starts with https:// and ends with .openid.

  1. Copy the URI and paste it into a text editor.
  2. Replace localhost with the PingFederate host for your Eptura tenant's environment, keeping https:// and the path as they are.
  3. Scroll to the end of the screen.
  4. Click the Save button.

The connection is created and activated and you will see it in the list of IdP Connections.

Provide the IdP Connection Redirect URI to the customer. Entra ID only redirects to URIs registered on the app registration (Step 1.5), so the value must be registered exactly as it is, including scheme, host and path.

Step 1.4 Optional - Cluster Management

This is needed only if the Cluster Management warning is visible on the PingFederate console: configuration saved on the admin node is not live on the engine nodes until it is replicated.

  1. From the note, click the Cluster Management link.
  2. Click the Replicate button and the message "Cluster node notified of new configuration" displays.

Step 1.5 Set Ping redirect URI in Azure Ping application (Client Team)

  1. Sign in to Microsoft Azure https://portal.azure.com/
  2. Navigate to Microsoft EntraID.
  3. From the menu, select Manage > App Registrations.
  4. Click the All applications tab.
  5. Select the PingFederate application you created.
  6. From the menu, select Authentication.
  7. Click the + Add a platform button and the Configure platforms form displays.
  8. Click the Web tile and the Configure Web form displays.
  9. In the Redirect URIs field, paste the IdP Connection Redirect URI from Redirect URL (above), exactly as provided: https://, the PingFederate host, and the path ending in .openid.
  10. Click the Configure button.

Step 1.6 Redirect incoming requests to IdP in PingFederate (Implementation Team)

  1. Sign in to PingFederate https://ssoadmin.epturacloud.com/render/pingfederate/app
  2. Click the Authentication tab.
  3. From the menu, click Policies > Selectors.
  4. Click the HttpRequestDomainSelector instance name.
  5. Click the Selector Result Values tab.
  6. Scroll to the end of the screen.
  7. In the Results Value field, enter the primary domain.
  8. Click the Add button.
  9. Click the Save button.

Remember, if you see the Cluster Management message then you need to complete the replication, see Step 1.4 Optional - Cluster Management.

Next, find the domain in the policy and define what happens when a login attempt for that domain fails or succeeds.

  1. Click the Authentication tab.
  2. From the menu, click Policies.
  3. Scroll down to the policy and click DomainSelectorPolicy.
  4. Scroll down; under the HttpRequestDomainSelector there is a list of the existing domains.
  5. Locate your domain and click its drop-down.
  6. From the drop-down, select IdP Connection.
  7. Browse the list or search for the connection named after your domain (the Connection Name set in Step 1.3) and select it.

Next, complete the Fail and Success branches for your connection.

  1. For Fail, click Done; the branch is set to Done.
  2. For Success, click Done; the branch is set to Done.
  3. Click the Save button.

Remember, if you see the Cluster Management message then you need to complete the replication, see Step 1.4 Optional - Cluster Management.

Step 1.7 Add access token mapping in PingFederate (Implementation Team)

  1. Click the Applications tab.
  2. From the menu, click OAuth > Access Token Mappings.
  3. Scroll down the screen.
  4. From the Context drop-down, select your IdP connection.
  5. From the Access Token Manager drop-down, select Default Access Token Management.
  6. Click the Add Mapping button.
  7. Click the Add Attribute Source button.
  8. In the Attribute Source Id field, enter userCustomClaimSource.
  9. In the Attribute Source Description field, enter userCustomClaimSource.
  10. From the Active Data Store drop-down, select shared-auth-service-ds.
  11. Click the Next button and the Configure Data Source Filters tab displays.
  12. Scroll down to the Body.
  13. In the Body field, paste the following JSON. The ${...} placeholders are substituted by PingFederate at request time: ${context.ClientId} with the ID of the OAuth client making the request, and the ${idp.*} values with the claims received from the Entra ID connection.

  {
    "data": {
      "cid": "${context.ClientId}",
      "login": "${idp.preferred_username}",
      "firstName": "${idp.given_name}",
      "lastName": "${idp.family_name}"
    }
  }

  14. Click the Next button.
  15. Click the Save button.

You will see messages that some mappings are required.

  1. Scroll down to the mappings.
  2. Complete the following mappings (contract attribute, source, value):

  Contract            Source                         Value
  firstname           IdP Connection                 given_name
  lastname            IdP Connection                 family_name
  platform_domain     Other (userCustomClaimSource)  platform_domain
  platform_env        Other (userCustomClaimSource)  platform_env
  platform_namespace  Other (userCustomClaimSource)  platform_namespace
  products            Other (userCustomClaimSource)  products
  session_id          Other (userCustomClaimSource)  session_id
  sub                 IdP Connection                 preferred_username
  super_user          Other (userCustomClaimSource)  super_user
  tenant_id           Other (userCustomClaimSource)  tenant_id
  user_id             Other (userCustomClaimSource)  user_id

  3. Click the Next button and the Issuance Criteria tab displays.
  4. Click the Next button and the Summary tab displays.
  5. Click the Save button.
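An offline model of what Step 1.7 configures, as an added example that is not part of the Eptura article or of PingFederate: the body template is rendered from the Entra ID claims and the client ID, and the access-token contract is then filled from the mapping table (sub from preferred_username, the same claim USER_KEY and USER_NAME use in Step 1.3). The claim values, client ID and data-store reply are constructed samples; in production the lookup is made by PingFederate against the shared-auth-service-ds data store and the substitution syntax is PingFederate's own.

```python
"""Added example (not from the Eptura article or PingFederate): an offline
model of Step 1.7. render_body fills the article's ${...} body template from
the Entra ID claims and the OAuth client ID; build_access_token_claims
applies the mapping table to the claims plus the data-store reply. The
claim values, client ID and data-store reply are constructed samples."""
import json
import re

# The body the article has you paste into the data source filter.
BODY_TEMPLATE = (
    '{ "data": { "cid": "${context.ClientId}", "login": "${idp.preferred_username}", '
    '"firstName": "${idp.given_name}", "lastName": "${idp.family_name}" } }'
)

# Contract attribute -> (source, attribute), as in the article's mapping table.
# sub uses preferred_username, the same claim USER_KEY/USER_NAME use in Step 1.3.
CONTRACT_MAPPING = {
    "firstname": ("idp", "given_name"),
    "lastname": ("idp", "family_name"),
    "sub": ("idp", "preferred_username"),
    "platform_domain": ("userCustomClaimSource", "platform_domain"),
    "platform_env": ("userCustomClaimSource", "platform_env"),
    "platform_namespace": ("userCustomClaimSource", "platform_namespace"),
    "products": ("userCustomClaimSource", "products"),
    "session_id": ("userCustomClaimSource", "session_id"),
    "super_user": ("userCustomClaimSource", "super_user"),
    "tenant_id": ("userCustomClaimSource", "tenant_id"),
    "user_id": ("userCustomClaimSource", "user_id"),
}

PLACEHOLDER = re.compile(r"\$\{(context|idp)\.([^}]+)\}")


def render_body(template: str, context: dict, idp: dict) -> dict:
    """Substitute ${context.X} and ${idp.X}. A missing claim raises rather than
    producing an empty string, because a body with "login": "" would look up
    nobody (or the wrong record) in the data store. Values are JSON-escaped so
    a quote or backslash in a name cannot break out of the string."""
    scopes = {"context": context, "idp": idp}

    def substitute(match):
        scope, name = match.group(1), match.group(2)
        if name not in scopes[scope]:
            raise KeyError(f"${{{scope}.{name}}} is not available for this request")
        return json.dumps(str(scopes[scope][name]))[1:-1]  # strip the outer quotes

    return json.loads(PLACEHOLDER.sub(substitute, template))


def build_access_token_claims(idp: dict, ds_reply: dict) -> dict:
    """Fill every contract attribute from its source. Any unresolved attribute
    is an error, mirroring PingFederate's 'some mappings are required'."""
    sources = {"idp": idp, "userCustomClaimSource": ds_reply}
    claims, missing = {}, []
    for contract_attr, (source, name) in CONTRACT_MAPPING.items():
        value = sources[source].get(name)
        if value is None:
            missing.append(f"{contract_attr} <- {source}.{name}")
        else:
            claims[contract_attr] = value
    if missing:
        raise ValueError("unresolved mappings: " + ", ".join(missing))
    return claims


# Constructed samples (not real tenants, users or IDs).
SAMPLE_CONTEXT = {"ClientId": "acme_epturaPFHost"}
SAMPLE_IDP_CLAIMS = {"preferred_username": "jane.doe@example.com",
                     "given_name": "Jane", "family_name": "Doe"}
SAMPLE_DS_REPLY = {
    "platform_domain": "example.com", "platform_env": "prod", "platform_namespace": "acme",
    "products": "workplace", "session_id": "sess-0001", "super_user": False,
    "tenant_id": "tenant-0001", "user_id": "user-0001",
}

if __name__ == "__main__":
    print(json.dumps(render_body(BODY_TEMPLATE, SAMPLE_CONTEXT, SAMPLE_IDP_CLAIMS), indent=2))
    print(json.dumps(build_access_token_claims(SAMPLE_IDP_CLAIMS, SAMPLE_DS_REPLY), indent=2))
```

The two failure paths are the ones worth checking after a change to the connection: a claim missing from the Entra ID token (for instance a user without a First Name, see Prerequisites) and a data-store reply that lacks one of the Eptura attributes; both should stop token issuance rather than produce a token with blank claims.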

Remember if you see the Cluster Management message then you need to complete the replication, see Step 1.4 Optional - Cluster Management.

Step 2. Sign in to Eptura using an SSO user (Client Team)


Learn how to sign in to Eptura - Authentication Methods using an SSO user, or using Basic Auth where your user was created manually.

Step 3. Integrate SCIM with User Directory (Client Team)


Your IdP is connected to the SCIM service using the SCIM URL and SCIM token; treat the token like a password, since it authorizes user provisioning into your Eptura tenant. Once connected, the SCIM service automatically imports all user accounts in your IdP. The user attributes in your IdP need to be mapped to SCIM attributes. After the initial synchronization, further synchronizations run on a schedule, every 40 minutes. See the article Configure SCIM provisioning for Microsoft Entra ID.

Step 4. User Access to Eptura Applications


Users created in Microsoft Entra ID are synced to Eptura as a person; you can change the access the user has to the Eptura applications, see Add, Edit, or Delete a Group.