Integrate PingFederate with Azure AD
Level: Eptura Implementation team / Customer IT team
Eptura supports integration with PingFederate, and this article details how to configure SSO. It is written for administrators and assumes familiarity with Ping and basic identity management concepts.
Contents
- Prerequisites
- Step 1. Integrate PingFederate with Azure AD
- Step 1.1 Create Azure EntraID App Registration for PingFederate Integration (Customer Team)
- Step 1.2 Get Redirect URIs from PingFederate (Eptura Implementation Team)
- Step 1.3 Create an IDP connection in PingFederate (Eptura Implementation Team)
- Step 1.4 Optional - Cluster Management (Eptura Implementation Team)
- Step 1.5 Set Ping redirect URI in Azure Ping application (Customer Team)
- Step 1.6 Redirect incoming requests to IDP in PingFederate (Eptura Implementation Team)
- Step 1.7 Add access token mapping in PingFederate (Eptura Implementation Team)
- Step 2. Sign in Eptura using a SSO user (Customer Team)
- Step 3. Integrate SCIM with User Directory (Customer Team)
- Step 4. User Access to Eptura Applications
Prerequisites
Before configuring SCIM-based provisioning for Eptura, make sure you have an Azure AD tenant on which to configure an IdP connection from PingFederate, which enables SSO login. Additionally, your Super Admin must be defined in Azure AD with their First Name, Last Name and Email Address properties completed.
Step 1. Integrate PingFederate with Azure AD
Below are the steps for PingFederate integration.
Step 1.1 Create Azure EntraID App Registration for PingFederate Integration (Customer Team)
- Sign in to Microsoft Azure https://azure.microsoft.com/en-us/
Primary Domain Name
- From the menu, navigate to Microsoft EntraID > Overview.
- Copy the Primary domain name and paste this into a text editor as we will use this later in the steps.
App Registrations
- From the menu, navigate to Manage > App Registrations.
- Click the New Registration button and the Register an application screen displays.
- In the Name field, enter the name for this app that will integrate this Azure instance with Eptura company’s Ping instance. For example PingFederation Integration.
- For the "Who can use this application or access this API?" option, select Accounts in this organizational directory only - Single tenant.
- From the Redirect URI (optional) drop-down, select Web and note that the URI value will be set later on.
- Click the Register button and the application is registered.
Application (client) ID
- From the App registrations > Overview.
- Copy the Application (client) ID and paste this into a text editor as we will use this later in the steps.
Endpoints
- Click the Endpoints tab and the Endpoints form displays.
- Browse the list to find OpenId Connect metadata document.
- Copy the value up to and including /v2.0/ (omit everything after it) and paste this into a text editor as we will use this later in the steps.
- Click the X icon to close the Endpoints form.
Certificates & secrets
- From the menu, select Manage > Certificates & secrets.
- Click New client secret and the Add a client secret form displays.
- In the Description field, enter a short description. For example pingsecret1.
- From the Expires drop-down, set the expiration to 730 days (24 months).
- Click the Add button and the application credentials are saved.
A secret key will be generated; make sure you copy the secret key's value. We recommend that you keep a copy of the secret key in a secure location.
Remember to note the expiry date: this secret must be refreshed 30 days before it expires, and the new value shared with Eptura.
Provide the following information to the Eptura Implementation team:
- Primary domain name
- Application (client) ID
- OpenId Connect metadata document
- Client secret value
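The two values that most often cause trouble in this step are the trimmed metadata document URL and the client secret's expiry date. The script below is an added example (not Eptura or Ping code) that checks a trimmed URL against the discovery document it points at and computes the expiry and rotation dates from the article's 730-day / 30-day rule. The tenant id, client id and discovery document it uses are constructed placeholders, and the assumption that PingFederate compares the token issuer against the `issuer` field of the discovery document follows standard OpenID Connect Discovery behaviour rather than anything stated in this article.

```python
"""Added example (not Eptura or Ping code): sanity checks on the values
copied out of the Entra ID app registration in Step 1.1.

Assumptions (labelled, not from the article):
  * the tenant id and discovery document below are constructed placeholders;
  * the relying party (PingFederate) validates the issuer claim in tokens
    against the `issuer` value in the discovery document (standard OIDC
    Discovery behaviour).
"""
import json
from datetime import date, timedelta

# Constructed sample of the "OpenId Connect metadata document" value shown
# in the Endpoints list. The GUID is a placeholder tenant id.
METADATA_URL = (
    "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000"
    "/v2.0/.well-known/openid-configuration"
)

# Constructed sample of the document that URL serves (standard discovery
# fields only; values are placeholders).
_TENANT_BASE = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = json.dumps({
    "issuer": _TENANT_BASE + "/v2.0",
    "authorization_endpoint": _TENANT_BASE + "/oauth2/v2.0/authorize",
    "token_endpoint": _TENANT_BASE + "/oauth2/v2.0/token",
    "jwks_uri": _TENANT_BASE + "/discovery/v2.0/keys",
})


def trim_metadata_url(url: str) -> str:
    """Return the metadata URL up to and including '/v2.0/', which is the
    value the article says to hand to the Eptura team."""
    marker = "/v2.0/"
    idx = url.find(marker)
    if idx < 0:
        raise ValueError("metadata URL does not contain /v2.0/")
    return url[: idx + len(marker)]


def check_metadata(trimmed_url: str, metadata_json: str) -> list:
    """Return problems found in a discovery document relative to the trimmed
    URL; an empty list means the document is consistent with it."""
    doc = json.loads(metadata_json)
    problems = []
    base = trimmed_url.rstrip("/")
    issuer = doc.get("issuer", "")
    # Issuer must be the tenant-specific v2.0 base; a mismatch means the
    # wrong tenant or the wrong endpoint version was copied.
    if issuer.rstrip("/") != base:
        problems.append(f"issuer {issuer!r} does not match {base!r}")
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(field, "")
        if not value.startswith("https://"):
            problems.append(f"{field} is missing or not https")
    return problems


def secret_dates(created: date, valid_days: int = 730, lead_days: int = 30) -> dict:
    """Expiry of a client secret created on `created` with the article's
    730-day lifetime, and the date by which it must be rotated (30 days
    before expiry) so the new value reaches Eptura in time."""
    expires = created + timedelta(days=valid_days)
    return {"expires": expires, "rotate_by": expires - timedelta(days=lead_days)}


if __name__ == "__main__":
    trimmed = trim_metadata_url(METADATA_URL)
    print("Value to send to Eptura:", trimmed)
    print("Problems:", check_metadata(trimmed, SAMPLE_METADATA) or "none")
    print(secret_dates(date(2024, 1, 15)))
```

To use it against a real tenant, replace `SAMPLE_METADATA` with the body fetched from the untrimmed metadata URL and pass the secret's creation date to `secret_dates`; put the returned `rotate_by` date in whatever calendar or ticketing system the team uses so the refresh is not missed.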
Optional - Test the sync with the Eptura Platform Tenant
Use this option if you want to test with a few users first, before syncing all AD users with Eptura.
- From the main menu, click Enterprise applications.
- Click the application name. For example PingFederateIntegration.
- From the menu, click Manage > Properties.
- For the Assignment required, click Yes.
When this is set to No, all AD users sync with Eptura.
Step 1.2 Get Redirect URIs from PingFederate (Implementation Team)
This step is performed by the Eptura Implementation Team.
Step 1.3 Create an IDP connection in PingFederate (Implementation Team)
This step is performed by the Eptura Implementation Team.
When done, Eptura provides the IdP Connection Redirect URI to the customer.
Step 1.4 Optional - Cluster Management
This optional step is performed by the Eptura Implementation Team.
Step 1.5 Set Ping redirect URI in Azure Ping application (Customer Team)
- Sign in to Microsoft Azure https://portal.azure.com/
- Navigate to Microsoft EntraID.
- From the menu, select Manage > App Registrations.
- Click the All applications tab.
- Select the PingFederate application name you created.
- From the menu, select Authentication.
- Click the + Add a platform button and the Configure platforms form displays.
- Click the Web tile and the Configure Web form displays.
- In the Redirect URIs field, paste in the IdP Connection Redirect URI that Eptura provided in Step 1.3.
- Click the Configure button.
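Entra ID matches a redirect URI exactly, so a stray trailing slash, whitespace from the copy-paste, or an http scheme registered here will make the sign-in fail later. The snippet below is an added example (not Eptura or Ping code) that checks a redirect URI before it is pasted in and flags near misses against what is already registered. The PingFederate hostname and path in it are constructed placeholders, and the exact-match rule is standard OAuth redirect URI handling rather than something this article states.

```python
"""Added example (not Eptura or Ping code): validate the IdP Connection
Redirect URI before registering it on the Entra ID Web platform in Step 1.5.

Assumptions (labelled, not from the article): the sample URI is a constructed
placeholder, and the identity provider compares redirect URIs character for
character (standard OAuth 2.0 behaviour), so near misses are rejected.
"""
from urllib.parse import urlsplit

# Constructed placeholder; not a real PingFederate host or callback path.
SAMPLE_REDIRECT_URI = "https://pingfederate.example.com/callback"


def redirect_uri_problems(uri: str) -> list:
    """Return a list of reasons the URI should not be registered as-is."""
    parts = urlsplit(uri)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if not parts.hostname:
        problems.append("missing host")
    if parts.fragment:
        problems.append("fragment (#...) is not allowed in a redirect URI")
    if "*" in uri:
        problems.append("wildcards are not accepted")
    if uri != uri.strip():
        problems.append("leading/trailing whitespace (copy-paste residue)")
    return problems


def _canon(uri: str) -> tuple:
    """Loose form used only to detect near misses, never for matching."""
    p = urlsplit(uri.strip())
    return (p.scheme.lower(), (p.hostname or "").lower(), p.path.rstrip("/"), p.query)


def registration_problems(uri: str, registered: list) -> list:
    """Problems with `uri` plus whether it is registered exactly. A near miss
    (same URI up to case, trailing slash or whitespace) is reported
    separately because it is the usual cause of a failed redirect."""
    problems = redirect_uri_problems(uri)
    if uri in registered:
        return problems
    near = [r for r in registered if _canon(r) == _canon(uri)]
    if near:
        problems.append(f"not registered exactly; near miss: {near[0]!r}")
    else:
        problems.append("not registered")
    return problems


if __name__ == "__main__":
    registered = [SAMPLE_REDIRECT_URI + "/"]  # constructed: trailing slash typo
    print(registration_problems(SAMPLE_REDIRECT_URI, registered))
```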
Step 1.6 Redirect incoming requests to IdP in PingFederate (Implementation Team)
This step is performed by the Eptura Implementation Team.
Step 1.7 Add access token mapping in PingFederate (Implementation Team)
This step is performed by the Eptura Implementation Team.
Step 2. Sign in Eptura using a SSO user (Customer Team)
Learn how to sign in to Eptura - Authentication Methods using an SSO user or using Form Authentication where your user was created manually.
Step 3. Integrate SCIM with User Directory (Customer Team)
Your IdP is connected to the SCIM service using the SCIM URL and SCIM token. Once connected, the SCIM service automatically imports all user accounts in your IdP. The attributes of the users in your IdP need to be mapped to SCIM. After the initial synchronization, additional synchronizations happen on a schedule of every 40 minutes. See the article Configure SCIM provisioning for Microsoft Entra ID.
Step 4. User Access to Eptura Applications
Users created in Okta are synchronized to Eptura as a person. You can change the access the user has to Eptura's Product Applications; see Add, Edit, or Delete a Group.