Version: v2.7

PingOne Identity SSO

Amazon Cognito integrates with PingOne so that existing users can sign on to Amorphic Data Cloud. This section explains how to register and set up your application with PingOne as an identity provider.

What is Single Sign-On?

Single sign-on (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials. SSO works based upon a trust relationship set up between an application, known as the service provider, like Amorphic Data Cloud and an identity provider, like PingOne. This trust relationship is often based upon a certificate that is exchanged between the identity provider and the service provider. This certificate can be used to sign identity information that is being sent from the identity provider to the service provider so that the service provider knows it is coming from a trusted source.

Amorphic username convention

Due to the variety of systems Amorphic integrates with, Amorphic enforces strict rules for its usernames. Failure to follow these rules may leave Amorphic users unable to log in as intended. The rules match the conventional requirements other systems impose for AD integration and follow best practices.

The requirements for usernames are as follows:

  • Usernames must be unique across users
  • Usernames are tied to access grants on datasets and resources, and as such cannot change
  • Must not start with a number
  • Must be alphanumeric only; no special characters are permitted
  • May contain both lowercase and uppercase letters
  • Must be at least 3 characters and no more than 20 characters
info

Any transformation used to convert the username in the SSO provider to the Amorphic username must produce a username that complies with the Amorphic username convention specified above. For example, if you have a username like John_Doe@email.com and the transformation results in JohnDoe or JohnDoe123, this is compliant with the rules. However, if the transformation results in John_Doe or 123John, it violates the rules (special characters and a leading number are not allowed). If you have such IDs, it is recommended to create a new field holding an Amorphic-compliant username and use that as the Amorphic username.
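As an added example (not part of the Amorphic documentation or product), the following Python encodes the convention above as a checker and shows one hypothetical transformation from an IdP identifier to a candidate username. It raises instead of silently emitting a non-compliant name, which is exactly the case the note above warns about, so the caller can fall back to a dedicated compliant attribute. The `derive_username` transformation, the function names and the sample identifiers are assumptions for illustration.

```python
import re

# Amorphic username convention from the page: ASCII letters and digits only,
# no leading digit, 3 to 20 characters, unique and immutable per user.
USERNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]{2,19}$")


def is_compliant_username(name: str) -> bool:
    """Return True when `name` satisfies every Amorphic username rule."""
    return bool(USERNAME_RE.fullmatch(name))


def violations(name: str) -> list:
    """List each rule a candidate username breaks (empty list means compliant)."""
    problems = []
    if not (3 <= len(name) <= 20):
        problems.append("length must be 3-20 characters")
    if name and name[0].isdigit():
        problems.append("must not start with a number")
    if not name.isascii() or not name.isalnum():
        problems.append("only ASCII letters and digits are allowed")
    return problems


def derive_username(idp_identifier: str) -> str:
    """Hypothetical transformation (an assumption, not Amorphic's own mapping):
    take the local part before '@' and drop every character that is not an
    ASCII letter or digit. Raises ValueError when the result still violates
    the convention, e.g. '123_John@example.test' -> '123John' (leading digit)."""
    local_part = idp_identifier.split("@", 1)[0]
    candidate = "".join(ch for ch in local_part if ch.isascii() and ch.isalnum())
    problems = violations(candidate)
    if problems:
        raise ValueError(f"{candidate!r} from {idp_identifier!r}: {'; '.join(problems)}")
    return candidate


def check_uniqueness(usernames) -> set:
    """Return the derived usernames that collide; the convention requires uniqueness,
    and a lossy transformation can map two distinct IdP users onto one name."""
    seen, duplicates = set(), set()
    for name in usernames:
        if name in seen:
            duplicates.add(name)
        seen.add(name)
    return duplicates


if __name__ == "__main__":
    # Constructed sample identifiers, not real user data.
    for ident in ("John_Doe@email.com", "jane.doe@email.com", "123_John@email.com"):
        try:
            print(ident, "->", derive_username(ident))
        except ValueError as err:
            print("rejected:", err)
```

Run the uniqueness check over the full set of derived names before going live: two IdP identifiers such as "j.doe@" and "jdoe@" collapse to the same candidate under this transformation, and the page's rule that usernames cannot change later makes that collision expensive to fix.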

Pre-requisites for PingOne Identity Provider

Before proceeding with the PingOne IdP setup, the following pre-requisites are needed:

  1. PingOne account - https://console.pingone.com/
  2. Amazon AWS account
  3. A Cognito user pool with an application client and a user pool domain

Steps to register Amorphic app with PingOne

  • Create an application within the PingIdentity admin console
  • Get IDP Metadata URL & Initiate Single Sign-On URL

Create an application within the PingIdentity admin console

  1. Log in to the PingIdentity admin console (https://console.pingone.com/).

  2. Select your environment and click Connections → Applications. Create a new WEB APP application with Connection Type set to SAML. Provide an Application Name and Description.

[screenshot]

  3. Configure SAML Connection: select Manually Enter and fill in the details below:

    ACS URL: You will receive the ACS URL from the Amorphic team after initial deployment. It consists of the Cognito domain name followed by the path saml2/idpresponse, e.g. https://<your_domain_name>.auth.<region>.amazoncognito.com/saml2/idpresponse

    Entity ID: You will receive the Entity ID from the Amorphic team after initial deployment. It is built from the Cognito user pool ID, e.g. urn:amazon:cognito:sp:<cognito_user_pool_id>

    Assertion Validity Duration in seconds: This is how long a SAML assertion remains valid; a value of 60-120 seconds is appropriate. Leave the rest at their defaults and click Save and Continue.

[screenshot]

  4. Edit Attribute Mappings in the application tab as shown below:

[screenshot]

Note

All attributes must be configured exactly as shown, and they are case sensitive. Amorphic relies on these application attributes for specific features within the application; any modification to the attributes may break the application.

Note

Granting and revoking Amorphic application roles can be managed through PingIdentity groups. Optionally, add a mapping attribute in the PingIdentity application you created, as shown below:

[screenshot]

  5. Save and Close. The application now appears in the application list, where its Policies and Access can be managed.

Note

A user must have the appropriate roles assigned. Applications can be associated with groups, and users can be added to a group to gain access to the Amorphic application.

Get IDP Metadata URL & Initiate Single Sign-On URL

  1. To finish the SAML integration between the Amorphic application and PingIdentity, the Amorphic team requires the IdP Metadata URL and the Initiate Single Sign-On URL.

  2. Go to Applications → Configurations → Connection Details.

  3. Copy the IDP Metadata URL and the Initiate Single Sign-On URL without its query parameters (keep the URL up to, but not including, the ?).

[screenshot]

  4. Finally, share the IDP Metadata URL and the Initiate Single Sign-On URL (as shown in the above screenshot) with the Amorphic team.

Frequently asked questions (FAQ)

1. What happens if the configuration changes at the Identity Provider end?

a. When Identity Provider configuration such as the signing certificate changes, the Cloudwick support team must re-import the SAML metadata file in the AWS Cognito console.
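Added example, not code from the Amorphic or Ping documentation: a small Python reader for IdP metadata that pulls out the entity ID, the SingleSignOnService locations with the query string stripped (as step 3 of the previous section requires) and the SHA-256 fingerprints of the signing certificates, plus a drift check that flags when a freshly downloaded metadata document differs from the one previously imported into Cognito, which is the situation the FAQ answer describes. The embedded metadata document, its URLs and the certificate payload are constructed placeholders, not real PingOne values; real metadata carries a genuine X.509 certificate in the same element, and the code handles it identically.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# SAML 2.0 metadata and XML-DSig namespaces used by every IdP metadata document.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample IdP metadata. The entity ID, URLs and the certificate
# payload are placeholders, not values from any real PingOne environment.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/ENV-PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>UExBQ0VIT0xERVItQ0VSVC1CWVRFUw==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/ENV-PLACEHOLDER/saml20/idp/sso?saasid=APP-PLACEHOLDER&amp;idpid=IDP-PLACEHOLDER"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def strip_query(url: str) -> str:
    """Drop everything from '?' onward, giving the SSO URL without query parameters."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def decode_certificate(b64_text: str) -> bytes:
    """Return the DER bytes of a <ds:X509Certificate> element, ignoring embedded whitespace."""
    return base64.b64decode("".join(b64_text.split()))


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 fingerprint, the form most consoles display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def summarize_idp_metadata(xml_text: str) -> dict:
    """Extract what an SP operator tracks from IdP metadata: entity ID,
    SSO endpoints keyed by binding (query stripped) and signing-cert fingerprints."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("document is not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata carries no IDPSSODescriptor")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            fingerprints.append(sha256_fingerprint(decode_certificate(cert.text)))
    sso = {
        svc.get("Binding"): strip_query(svc.get("Location", ""))
        for svc in idp.findall("md:SingleSignOnService", NS)
    }
    if not fingerprints or not sso:
        raise ValueError("metadata lacks a signing certificate or an SSO endpoint")
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_fingerprints": sorted(fingerprints)}


def metadata_drift(previous: dict, current: dict) -> list:
    """Name the fields that differ between two summaries. A non-empty result means the
    SP side (here the Cognito user pool) needs the new metadata re-imported."""
    return [key for key in ("entity_id", "sso", "signing_fingerprints") if previous[key] != current[key]]


if __name__ == "__main__":
    summary = summarize_idp_metadata(SAMPLE_METADATA)
    print(summary)
    rotated = dict(summary, signing_fingerprints=["<new fingerprint after IdP certificate rotation>"])
    print("changed fields:", metadata_drift(summary, rotated))
```

Storing the summary of the metadata that was last imported and diffing it against a scheduled re-download turns the FAQ's manual step into a detectable event: a change in `signing_fingerprints` means assertions will fail signature validation at Cognito until the re-import is done, and a change in `sso` or `entity_id` means the trust relationship itself moved.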