Using PingOne SAML 2.0 to authenticate access to Certero | v8.1


Enabling users to access Certero through PingOne SAML 2.0 has two parts: creating an app integration in the PingOne Identity console and configuring an Authentication Provider in Certero.

Information from one stage is required to complete the other stage, so please ensure no steps are missed.

Creating the Certero Authentication Provider

In the Certero Unified Platform, navigate to Administration > Authentication Providers and click '+ New'. Use the drop-down to select 'SAML 2.0' as the 'Type' and enter a name for the provider (e.g. 'PingOne SAML 2.0'). Enter a temporary value for the 'Metadata Url' (e.g. 'Anything'), then enter an Application ID (this must match what is entered in the PingOne console in the steps below and must not contain spaces) and click 'Save'.

Now right-click on the newly created authentication provider and select 'Actions > View Endpoints'.

Click the copy button highlighted below.

Creating the PingOne App Integration

Log in to the PingOne Identity console, select 'Connections' then 'Applications' from the menu, and click the plus button at the top of the page, as highlighted in the image below.

Enter an Application Name (e.g. 'Certero'), select 'SAML Application' for the Application Type and click 'Configure' at the bottom of the page.

Now select 'Manually Enter' for the SAML Configuration, paste the URL from 'View Endpoints' into the ACS URLs and enter the Entity ID (this must match the 'Application ID' entered when creating the Authentication Provider in the earlier steps), then click 'Save' at the bottom of the page.

Next, select the 'Attribute Mappings' tab and click the edit button.

Then click the '+Add' button, enter 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' in the Application Attribute, select 'Email Address' from the drop-down under the PingOne column and click 'Save' at the bottom of the page.

At this point you can create any Policies you require; they are not a requirement for Certero integration.

Click on the 'Configuration' tab, copy the IDP Metadata URL and enable the application using the toggle on the top right of the page.

Creating the Certero Authentication Provider - part 2

Open the properties of the newly created authentication provider and paste the copied 'IDP Metadata URL' into the 'Metadata Url' and click 'Save'.

Logins can now be created by selecting 'External Account' and entering the user's email address in the 'Username'.