SAML SSO Integration Guide

Setting Up and Managing Single Sign-On

Single Sign-On (SSO) enables users to reduce the number of logins they must perform from a single machine. When SSO is in use, an Identity Provider (IdP) – a central login-management system – works in conjunction with various Service Providers (SPs) to control user access to the SPs’ applications. Users log into the IdP rather than into individual SPs or applications. Then, when they access any of the applications of the managed SPs, the IdP logs them in automatically.

ControlUp Insights has incorporated SSO support, enabling users to access Insights without logging into it directly, once they have logged into a supported IdP. At present, only the SAML 2.0 protocol is supported.

Note: Currently, only logins to websites are supported. Because ControlUp’s Console is not web-based, the Console does not support SSO at this time. In addition, if the SSO option is activated for Insights, links in the Console that would normally open Insights are disabled.

In order to set up SAML 2.0 SSO for Insights, settings in both Ping and Insights must be configured, as explained below. Part of the setup process entails copying values from Ping to Insights’ settings, and vice versa. It is recommended to begin with the Ping settings.

Once the SAML 2.0 SSO is enabled, users (other than the user with the “Owner” role, as explained below) can no longer log into Insights from the URL they previously used (https://insights.controlup.com/). Instead, they must use the Ping URL that appears in the Insights SAML 2.0 SSO settings, under Service Provider Login URL.

Note: Any user configuration done in Insights prior to SAML integration is not saved for SAML logins (such as: Bookmarks, Home page, Top Insights customization, Time Zone). Every configuration done when logging in to Insights using SAML will be saved for future sessions. It is recommended that upon logging in to Insights with SAML for the first time, the user will reconfigure Insights to suit its needs.

Note: Although Ping also supports Single Logout (SLO), Insights does not support this option. Thus, users remain logged into Insights until they either manually log out, or are logged out by Insights automatically because of inactivity (after 15 minutes). Similarly, when they are logged out of Insights, they are not automatically logged out of other Ping SPs.

Configuring Single Sign-On for Insights on Ping

Before you can set up SSO for Insights on Ping, you must have a PingFederate server set up and running in your organization. The instructions below explain how to add ControlUp Insights to an existing PingFederate server. For information about setting up and working with PingFederate, please refer to the Ping Identity website (https://www.pingidentity.com).

• To add ControlUp Insights to a PingFederate server:

1. In the PingFederate Identity Provider screen, select Create New. The Connection Template tab opens.

Identity Provider screen

2. Select Next repeatedly until the General Info tab opens.

General Info tab

3. Fill in the fields as follows:

Field	Description	Example
Partner's Entity ID (Connection ID)	Unique identifier of the connection Enter a meaningful name for the new connection.	Dudi Production Lab
Connection Name	Name of the connection It is recommended to enter the same name as in the preceding field.	Dudi Production Lab
Virtual Server IDs	Enter a name, and then select Add. It is recommended to enter the same name as in the preceding field, in the following format: https://[Connection Name]. Note: This value must be copied into the Insights SAML settings, under Virtual Server IDs.	https://dudiproductionlab

 

4. Select Next. The Browser SSO tab opens.

Browser SSO tab

5. Select Configure Browser SSO. The Browser SSO screen opens with the SAML Profiles tab displayed.

SP Connection | Browser SSO > SAML Profiles tab

6. Select both IdP-Initiated SSO and SP-Initiated SSO.

Note: Insights does not support SLO (Single Log Out); selecting it here will have no affect.

7. Select Next The Assertion Creation tab opens.

SP Connection | Browser SSO > Assertion Creation tab

8. Select Configure Assertion Creation. The Assertion Creation screen opens with the Identity Mapping tab displayed.
9. Select Next The Authentication Source Mapping tab opens.

SP Connection | Browser SSO | Assertion Creation > Authentication Source Mapping tab

10. Select Map New Adapter Instance. The IdP Adapter Mapping screen opens, with the Adapter Instance tab displayed.

SP Connection | Browser SSO | Assertion Creation | IdP Adapter Mapping > Adapter Instance tab

11. Under Adapter Instance, select the IdP adapter instance to use for user authentication.
12. Select Next repeatedly until the Attribute Contract Fulfillment tab opens.

SP Connection | Browser SSO | Assertion Creation | IdP Adapter Mapping > Attribute Contract Fulfillment tab

13. Under Source and Value, select the required values for your environment.

Note: For additional information, please refer to the PingFederate documentation.

14. Select Next. The Issuance Criteria tab opens.

SP Connection | Browser SSO | Assertion Creation | IdP Adapter Mapping > Issuance Criteria tab

15. Optional: Configure the fields as appropriate for each condition you want to create; select Add for each condition.

Note: For additional information, please refer to the PingFederate documentation.

16. Select Next or Done repeatedly until the initial screen (Identity Provider) appears with the SP connection you created listed in it.

Identity Provider screen with the new SP connection listed

17. Select the newly created SP connection. The Browser SSO screen opens with the SAML Profiles tab displayed.
18. Select Next repeatedly until the Protocol Settings tab opens.

SP Connection | Browser SSO > Protocol Settings tab

19. Select Configure Protocol Settings. The Assertion Consumer Service URL tab opens.

SP Connection | Browser SSO | Protocol Settings > Assertion Consumer Service URL tab

20. Fill in the fields as follows:

Field	Description
Index	Enter an index to identify the assertion URL.
Binding	Select POST. Note: For security reasons, the only supported binding type is POST.
Endpoint URL	The Insights assertion URL; the URL to which the IdP should respond to queries from Insights. Note: When you set up SAML SSO in Insights, this value is generated by Insights, and appears in the Insights SAML settings in the Assertion URL field. You must then copy it, return to this screen, and paste it into this field. You may find it easiest to simply stop configuring the Ping settings at this point, and follow the instructions below for configuring Insights. You can then copy this value from there, return to this location to enter it here, and continue with the Ping configuration.

 

21. Select Add. The Insights assertion URL is added to the list, and selected as the default.
22. Select Next. The Allowable SAML Bindings tab opens.

SP Connection | Browser SSO | Protocol Settings > Allowable SAML Bindings tab

23. Select POST.

Note: For security reasons, the only supported binding type is POST.

24. Click Next. The Signature Policy tab opens.

SP Connection | Browser SSO | Protocol Settings > Signature Policy tab

25. Check both options shown in the screenshot above.
26. Select Next. The Encryption Policy tab opens.

SP Connection | Browser SSO | Protocol Settings > Encryption Policy tab

27. Select None.
28. Select Next or Done repeatedly until the Browser SSO tab appears.

SP Connection > Browser SSO tab

29. Select Next. Credentials tab opens.

SP Connection > Credentials tab

30. Select Configure Credentials. The Digital Signature Settings tab opens.

SP Connection | Credentials > Digital Signature Settings tab

31. Under Signing Certificate, select the IDP certificate.

Note: The certificate string must be copied into the Insights SAML settings, under X.509 Certificate.

32. Select Next. The Signature Verification Settings tab opens.

SP Connection | Credentials > Signature Verification Settings tab

33. Click Manage Signature Verification Settings. The Trust Model tab opens.

SP Connection | Credentials | Signature Verification > Trust Model tab

34. Select “Unanchored”.
35. Click Next. Signature Verification Certificate tab opens.

SP Connection | Credentials | Signature Verification > Signature Verification Certificate tab

36. Load the SP certificate (request from ControlUp support) and select it.
37. Select Next or Done repeatedly until the initial screen (Identity Provider) appears.

Setting Up Single Sign-On in Insights

In order to set up SAML 2.0 SSO for your organization’s Insights site, you must log into Insights with a user account that has the Owner role (the user who created the organization).

• To set up SAML 2.0 SSO in Insights:

1. Install and set up the PingFederate server in accordance with Ping Identity’s instructions, and configure it for Insights as explained above.
2. Log into Insights with a user account that has the Owner role.
3. In the Insights screen, in the upper-right corner, select your user name. A dropdown menu opens.

Select your user name to open the dropdown menu

Dropdown menu open

Note: If the user account with which you are logged into Insights does not have the Owner role, the Single Sign-On (SAML) option does not appear in this menu.

4. In the menu, select Settings, and then select Single Sign-On (SAML). The Single Sign-On (SAML) Settings dialog box opens.

Single Sign-On dialog box

5. At the upper-left of the dialog box, select the Enable SAML (SSO) Authentication The required fields become available.
6. Copy the following values from the Ping configuration and enter them into the fields of the same names in the Single Sign-On (SAML) Settings dialog box:

 

Value in Ping	Field In Insights SSO Settings	Description
X.509 Certificate	X.509 Certificate	The signing key of the SAML IdP, including the keywords -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
Assertion URL	SSO Application Endpoint	The URL for logging into the IdP
Virtual Server IDs	Virtual Server IDs	The virtual server IDs configured in the IdP’s connection identifier

The Save button becomes active.

 

Required fields filled in

7. Copy the value that appears under Assertion URL to the Endpoint URL setting in the Ping configuration. (This is the URL to which the IdP should respond to queries from Insights.)
8. Select Save. SAML 2.0 SSO is implemented throughout the organization. Users in your organization should access Insights through the URL that appears under Service Provider Login URL.

Note: Links in the ControlUp Console that would normally open Insights will no longer work from this point on. Beginning with Console version 7.3, after the user’s next login, these links will appear in the Console as disabled.

Managing Single Sign-On Settings

Once SAML 2.0 SSO is enabled in your organization, modifications to the SAML 2.0 SSO settings, and disabling of the feature, can only be performed by the ControlUp user with the Owner role. In order to do so, the Owner must access Insights from its original URL (https://insights.controlup.com/), using the user name and password under which the SAML 2.0 SSO settings were last configured.

Note:   If you need to change the SAML 2.0 SSO settings, but you cannot log into the original Owner user account for some reason, please contact ControlUp support.

• To modify the SAML 2.0 SSO settings in Insights:

1. Log into Insights at its original URL, and open the Single Sign-On (SAML) Settings dialog box as explained above.
2. Modify the values as required.
3. Select Save.

• To disable SAML 2.0 SSO in Insights:

1. Log into Insights at its original URL, and open the Single Sign-On (SAML) Settings dialog box as explained above.
2. Clear the Enable SAML (SSO) Authentication
3. Select Save.