PingOne Identity SSO

Amazon Cognito integrates with PingOne to enable existing users to sign-on to Amorphic Data Cloud. This section explains how to register and set up your application with PingOne as an identity provider.

What is Single Sign-On?

Single sign-on (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials. SSO works based upon a trust relationship set up between an application, known as the service provider, like Amorphic Data Cloud and an identity provider, like PingOne. This trust relationship is often based upon a certificate that is exchanged between the identity provider and the service provider. This certificate can be used to sign identity information that is being sent from the identity provider to the service provider so that the service provider knows it is coming from a trusted source.

Pre-requisites for PingOne Identity Provider

Before we proceed with the PingOne IDP setup, we need the following pre-requisites:

1. PingOne account - https://console.pingone.com/
2. Amazon AWS account
3. A Cognito user pool with an application client and a user pool domain

Steps to register Amorphic app with PingOne

• Create an application within the PingIdentity admin console
• Get IDP Metadata URL & Initiate Single Sign-On URL

Create an application within the PingIdentity admin console

1. Login to PingIdentity Application using this link.

2. Select your environment & click on Connections → Applications. Create a new WEB-APP application with Connection Type as SAML. Provide Application Name and Description.

3. Configure SAML Connection: Select Manually Enter & also fill up below details:

   Provide ACS URL: You will receive ACS URL from Amorphic team post initial deployment. ACS URL consists of:- Cognito Domain Name + SAML2/IDPResponse Eg. https://<your_domain_name>.auth.<region>.amazoncognito.com/saml2/idpresponse

   Provide EntityID: You will receive EntityID from Amorphic team post initial deployment. Entity ID Consists of cognito user pool id. Eg. urn:amazon:cognito:sp:<cognito_user_pool_id>

   Assertion Validity Duration in seconds: This is SAML Assertion request validity, you can put as 60-120 seconds. Leave rest as default - Save and Continue.

4. Edit Attribute Mappings in application tab as shown below:

Note

All attributes must be configured as how it is shown & they are case sensitive. Amorphic uses application attributes for specific features within the application, any modification or changes to attributes may break the application.

Note

Amorphic application roles access grant/revoke can be managed from PingIdentity groups. Add a mapping attribute(OPTIONAL) in the PingIdentity application created as shown below:

5. Save & Close. User can now view the application in the application list and manage the Policies & Access.

Note

A user should have appropriate roles assigned to him. Applications can be associated with groups and users can be assigned to the group to access the Amorphic application.

Get IDP Metadata URL & Initiate Single Sign-On URL

1. In order to finish the SAML Integration between Amorphic Application and PingIdentity, Amorphic team would require IDP Metadata URL and Single SignOn URL.

2. Go to Applications → Configurations → Connection Details

3. Get IDPMetaDataURL & Initiate Single SignOn URL without query parameters [Get the URL leaving everything after ?]

4. Finally share IDPMetaDataURL and Initiate Single Sign-On URL (as shown in the above screenshot) with Amorphic team.