PingOne Identity SSO
Amazon Cognito integrates with PingOne so that existing users can sign on to Amorphic Data Cloud with their PingOne credentials. This section explains how to register and set up your application with PingOne as an identity provider.
What is Single Sign-On?
Single sign-on (SSO) is an authentication method that lets users securely authenticate to multiple applications and websites with a single set of credentials. SSO relies on a trust relationship between an application, known as the service provider (here, Amorphic Data Cloud), and an identity provider (here, PingOne). This trust relationship is usually based on a certificate exchanged between the identity provider and the service provider. The identity provider uses the corresponding key to sign the identity information it sends, so the service provider can verify that an assertion really comes from the trusted identity provider and has not been altered.
Prerequisites for PingOne Identity Provider
Before proceeding with the PingOne IDP setup, make sure you have the following:
- PingOne account - https://console.pingone.com/
- Amazon AWS account
- A Cognito user pool with an application client and a user pool domain
Steps to register Amorphic app with PingOne
- Create an application within the PingIdentity admin console
- Get IDP Metadata URL & Initiate Single Sign-On URL
Create an application within the PingIdentity admin console
- Log in to the PingIdentity admin console at https://console.pingone.com/.
- Select your environment and click on Connections → Applications. Create a new WEB-APP application with Connection Type set to SAML. Provide an Application Name and Description.
- Configure SAML Connection: select Manually Enter and fill in the details below.
- Provide the ACS URL: you will receive the ACS URL from the Amorphic team after the initial deployment. It consists of the Cognito domain name followed by /saml2/idpresponse, e.g.:
https://<your_domain_name>.auth.<region>.amazoncognito.com/saml2/idpresponse
- Provide the Entity ID: you will receive the Entity ID from the Amorphic team after the initial deployment. It consists of the Cognito user pool ID, e.g.:
urn:amazon:cognito:sp:<cognito_user_pool_id>
- Assertion Validity Duration in seconds: this is the validity period of the SAML assertion; a value of 60-120 seconds is appropriate. Leave the rest at the defaults, then Save and Continue.
- Edit Attribute Mappings in the application tab as shown below:
All attributes must be configured exactly as shown; they are case sensitive. Amorphic uses these application attributes for specific features within the application, so any modification to the attributes may break the application.
Granting and revoking Amorphic application roles can be managed through PingIdentity groups. Optionally, add a mapping attribute in the PingIdentity application created above, as shown below:
- Save & Close. The user can now view the application in the application list and manage its Policies & Access.
A user must have the appropriate roles assigned. Applications can be associated with groups, and users can be assigned to a group to gain access to the Amorphic application.
Get IDP Metadata URL & Initiate Single Sign-On URL
To finish the SAML integration between the Amorphic application and PingIdentity, the Amorphic team requires the IDP Metadata URL and the Initiate Single Sign-On URL.
Go to Applications → Configurations → Connection Details
Copy the IDP Metadata URL and the Initiate Single Sign-On URL without their query parameters (keep the URL up to, but not including, the first ?).
- Finally, share the IDP Metadata URL and the Initiate Single Sign-On URL (as shown in the above screenshot) with the Amorphic team.
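The following is an added example, not Amorphic, PingOne or AWS code, that covers the values exchanged in the steps above: it builds the ACS URL and Entity ID in the formats shown, strips query parameters from the Initiate Single Sign-On and metadata URLs as the last step requires, checks that the IdP metadata actually publishes the signing certificate the trust relationship depends on, and assembles (without calling AWS) the parameters for Cognito's CreateIdentityProvider API. The domain prefix, region, user pool ID, PingOne URLs, the metadata document and the attribute mapping keys are all constructed placeholders; the real values come from your deployment and from the Amorphic team.

```python
"""Cognito-side helpers for the PingOne SAML integration (added example)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Cognito-hosted domain prefix: lowercase alphanumerics and hyphens, no leading/trailing hyphen.
DOMAIN_PREFIX_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
# User pool id: <region>_<alphanumeric>; the sample value used later is constructed.
USER_POOL_ID_RE = re.compile(r"^[a-z]{2}(?:-[a-z]+)+-\d_[A-Za-z0-9]+$")

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def acs_url(domain_prefix: str, region: str) -> str:
    """ACS URL = Cognito domain name + /saml2/idpresponse (format from the procedure)."""
    if not DOMAIN_PREFIX_RE.match(domain_prefix):
        raise ValueError(f"invalid Cognito domain prefix: {domain_prefix!r}")
    return f"https://{domain_prefix}.auth.{region}.amazoncognito.com/saml2/idpresponse"


def entity_id(user_pool_id: str) -> str:
    """SP Entity ID = urn:amazon:cognito:sp:<cognito_user_pool_id>."""
    if not USER_POOL_ID_RE.match(user_pool_id):
        raise ValueError(f"invalid Cognito user pool id: {user_pool_id!r}")
    return f"urn:amazon:cognito:sp:{user_pool_id}"


def strip_query(url: str) -> str:
    """Drop everything after '?' (query string and fragment)."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def check_idp_url(url: str) -> str:
    """IdP URLs must be absolute https:// URLs. Cognito fetches the metadata, and the
    signing certificate inside it, from this address; a plain http:// URL would let an
    on-path party substitute the certificate. Returns the URL without query parameters."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"IdP URL must be an absolute https:// URL: {url!r}")
    return strip_query(url)


def summarize_idp_metadata(xml_text: str) -> dict:
    """Extract the IdP entityID and SSO endpoints and count published signing
    certificates; refuse metadata with none, since assertion signatures could not
    then be verified."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    signing = [
        kd for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"  # an absent 'use' means signing and encryption
        and kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
    ]
    if not signing:
        raise ValueError("metadata publishes no signing certificate")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": len(signing)}


def saml_provider_params(user_pool_id, provider_name, metadata_url, attribute_mapping):
    """Parameter set for the cognito-idp CreateIdentityProvider call (ProviderType SAML).
    The attribute mapping keys/values are whatever the Amorphic team specifies."""
    return {
        "UserPoolId": user_pool_id,
        "ProviderName": provider_name,
        "ProviderType": "SAML",
        "ProviderDetails": {"MetadataURL": check_idp_url(metadata_url)},
        "AttributeMapping": dict(attribute_mapping),
    }


# Constructed sample metadata document (placeholder host and certificate).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://auth.pingone.example/ENV-PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://auth.pingone.example/ENV-PLACEHOLDER/saml20/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(acs_url("example-amorphic", "us-east-1"))
    print(entity_id("us-east-1_ABCdef123"))
    print(summarize_idp_metadata(SAMPLE_METADATA))
```

The metadata check is the piece worth keeping around: before sharing the IDP Metadata URL, fetch it once yourself and run it through `summarize_idp_metadata` to confirm the entityID and SSO endpoint match what the PingOne console shows and that a signing certificate is present.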