PingOne Identity SSO
Amazon Cognito integrates with PingOne to enable existing users to sign on to Amorphic Data Cloud. This section explains how to register and set up your application with PingOne as an identity provider.
What is Single Sign-On?
Single sign-on (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials. SSO works based upon a trust relationship set up between an application, known as the service provider, like Amorphic Data Cloud and an identity provider, like PingOne. This trust relationship is often based upon a certificate that is exchanged between the identity provider and the service provider. This certificate can be used to sign identity information that is being sent from the identity provider to the service provider so that the service provider knows it is coming from a trusted source.
Amorphic username convention
Due to the variety of systems Amorphic integrates with, Amorphic enforces strict rules for its usernames. Usernames that do not follow these rules may prevent Amorphic users from logging in as intended. The rules are the conventional ones that other systems require for AD integration, and they follow best practices.
The requirements for usernames are as follows:
- The usernames must be unique for different users
- Usernames are tied to access to datasets and resources, and as such cannot change
- Must start with a lowercase letter; cannot start with a number
- Must contain only alphanumeric characters; no special characters are permitted
- Must use only lowercase letters
- Must be at least 3 characters and at most 20 characters long
Note that any transformation used to convert the username in the SSO provider into the Amorphic username must produce a username compliant with the Amorphic username convention specified above. For example, if you have John_Doe@email.com and the transformation gives John or John_Doe, the result is not compliant because it violates the first and last rules; something like johndoe would be better. If you have such IDs, it is recommended to create a new field containing an Amorphic-compliant username and to use that as the Amorphic username.
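The following is an added example, not Amorphic's own validation code, showing one way to derive and check a compliant username from an SSO identifier before the mapping is configured in the identity provider. It enforces the formatting rules listed above, refuses identifiers it cannot convert (instead of silently inventing a name), and reports identifiers that would collapse onto the same username, which breaks the uniqueness rule. The sample identifiers are constructed.

```python
import re
from typing import Dict, List

# Amorphic username convention as stated on this page: first character a lowercase
# letter, then only lowercase letters or digits, 3 to 20 characters in total.
# Added example, not Amorphic's own validation code.
USERNAME_RE = re.compile(r"[a-z][a-z0-9]{2,19}")


def is_compliant(username: str) -> bool:
    """True if the username satisfies every formatting rule of the convention."""
    return USERNAME_RE.fullmatch(username) is not None


def to_amorphic_username(sso_identifier: str) -> str:
    """Derive a candidate Amorphic username from an SSO identifier such as
    'John_Doe@email.com': drop the e-mail domain, lowercase, and strip every
    character that is not a-z or 0-9. Raises ValueError when the result still
    breaks a rule (starts with a digit, too short), so the caller assigns a
    compliant name by hand rather than getting a silently mangled one."""
    local_part = sso_identifier.split("@", 1)[0]
    candidate = re.sub(r"[^a-z0-9]", "", local_part.lower())
    if not is_compliant(candidate):
        raise ValueError(f"cannot derive a compliant username from {sso_identifier!r}")
    return candidate


def find_collisions(sso_identifiers: List[str]) -> Dict[str, List[str]]:
    """Group SSO identifiers by the username they map to and return only the
    groups with more than one member: those violate the uniqueness rule and
    must be resolved before the mapping goes live."""
    by_username: Dict[str, List[str]] = {}
    for ident in sso_identifiers:
        try:
            name = to_amorphic_username(ident)
        except ValueError:
            continue  # non-derivable identifiers are reported separately, not a collision
        by_username.setdefault(name, []).append(ident)
    return {name: srcs for name, srcs in by_username.items() if len(srcs) > 1}


if __name__ == "__main__":
    # Constructed sample directory export, not real user data.
    sample = ["John_Doe@email.com", "john.doe@email.com", "Jane.Roe@email.com", "42bob@email.com"]
    for ident in sample:
        try:
            print(f"{ident:22} -> {to_amorphic_username(ident)}")
        except ValueError as err:
            print(f"{ident:22} -> REJECTED: {err}")
    print("collisions:", find_collisions(sample))
```

Run it over an export of the SSO usernames before enabling the integration: every rejected identifier and every collision group needs a manually assigned username in the dedicated Amorphic field, since a transformation alone cannot fix them.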
Pre-requisites for PingOne Identity Provider
Before proceeding with the PingOne IdP setup, the following pre-requisites are needed:
- PingOne account - https://console.pingone.com/
- Amazon AWS account
- A Cognito user pool with an application client and a user pool domain
Steps to register Amorphic app with PingOne
- Create an application within the PingIdentity admin console
- Get IDP Metadata URL & Initiate Single Sign-On URL
Create an application within the PingIdentity admin console
- Log in to the PingIdentity admin console (https://console.pingone.com/).
- Select your environment and click on Connections → Applications. Create a new WEB-APP application with Connection Type SAML. Provide the Application Name and Description.
- Configure SAML Connection: select Manually Enter and fill in the following details:
Provide ACS URL: You will receive the ACS URL from the Amorphic team after the initial deployment. The ACS URL consists of the Cognito domain name followed by /saml2/idpresponse, e.g.
https://<your_domain_name>.auth.<region>.amazoncognito.com/saml2/idpresponse
Provide Entity ID: You will receive the Entity ID from the Amorphic team after the initial deployment. The Entity ID contains the Cognito user pool ID, e.g.
urn:amazon:cognito:sp:<cognito_user_pool_id>
Assertion Validity Duration in seconds: This is the validity period of the SAML assertion; a value of 60-120 seconds is appropriate. Leave the rest as default, then Save and Continue.
- Edit Attribute Mappings in the application tab as shown below:
All attributes must be configured exactly as shown, and they are case sensitive. Amorphic uses application attributes for specific features within the application; any modification to these attributes may break the application.
Amorphic application role grants and revocations can be managed from PingIdentity groups. Optionally, add a mapping attribute in the PingIdentity application created above, as shown below:
- Save & Close. Users can now view the application in the application list and manage Policies & Access.
A user must have the appropriate roles assigned. Applications can be associated with groups, and users can be assigned to a group to access the Amorphic application.
Get IDP Metadata URL & Initiate Single Sign-On URL
To finish the SAML integration between the Amorphic application and PingIdentity, the Amorphic team requires the IDP Metadata URL and the Initiate Single Sign-On URL.
Go to Applications → Configurations → Connection Details
Copy the IDPMetaDataURL and the Initiate Single SignOn URL without query parameters (take each URL up to, but not including, the ?).
- Finally, share the IDPMetaDataURL and the Initiate Single Sign-On URL (as shown in the screenshot above) with the Amorphic team.
Frequently asked questions (FAQ)
1. What happens if any configuration changes at Identity Provider end?
a. When Identity Provider configuration such as the signing certificate changes, the Cloudwick support team must re-import the SAML metadata file in the AWS Cognito console.
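The FAQ above says that a certificate or other configuration change on the identity provider side requires the SAML metadata to be re-imported into Cognito, and the previous section asks for the PingOne URLs with their query parameters removed. The following added example (not Amorphic's, Cloudwick's or Ping's code) parses a SAML 2.0 IdP metadata document, records the signing-certificate fingerprints and SSO endpoints, and compares them with a previously stored copy so that a rotation is noticed before it shows up as failed logins; it also includes the query-stripping step for the URLs. The metadata document is constructed here, its entityID and endpoints are placeholders on the .invalid domain, and the "certificate" is an arbitrary byte string rather than a real X.509 certificate; in practice the document would be fetched from the IDPMetaDataURL.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import urlsplit, urlunsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def make_sample_metadata(signing_cert: bytes) -> str:
    """Constructed IdP metadata in the shape PingOne and other SAML IdPs publish.
    Placeholder entityID/endpoints; the certificate bytes are arbitrary, not X.509."""
    cert_b64 = base64.b64encode(signing_cert).decode("ascii")
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.invalid/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.invalid/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 over the decoded certificate bytes, the usual way to pin a SAML signing cert."""
    return hashlib.sha256(der_bytes).hexdigest()


def parse_idp_metadata(xml_text: str) -> Dict[str, object]:
    """Extract what Cognito's import actually depends on: entityID, signing
    certificate fingerprints and the SingleSignOnService endpoints per binding."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    fingerprints: List[str] = []
    for key in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if key.get("use", "signing") != "signing":
            continue
        for cert in key.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(cert_fingerprint(der))
    sso = {svc.get("Binding"): svc.get("Location")
           for svc in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"),
            "signing_fingerprints": sorted(fingerprints),
            "sso": sso}


def metadata_changes(previous: Dict[str, object], current: Dict[str, object]) -> List[str]:
    """Names of the fields that differ; any non-empty result means Cognito must be re-imported."""
    changed = []
    if previous["entity_id"] != current["entity_id"]:
        changed.append("entity_id")
    if previous["signing_fingerprints"] != current["signing_fingerprints"]:
        changed.append("signing_certificates")
    if previous["sso"] != current["sso"]:
        changed.append("sso_endpoints")
    return changed


def strip_query(url: str) -> str:
    """Drop everything from the '?' onwards, as the page asks for the PingOne URLs."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


if __name__ == "__main__":
    stored = parse_idp_metadata(make_sample_metadata(b"PLACEHOLDER-CERT-V1"))   # what Cognito has
    fetched = parse_idp_metadata(make_sample_metadata(b"PLACEHOLDER-CERT-V2"))  # what the IdP now serves
    print("changed fields:", metadata_changes(stored, fetched))
    print(strip_query("https://idp.example.invalid/sso/redirect?a=1&b=2"))
```

Running the comparison on a schedule against the stored copy of the metadata turns the FAQ's manual re-import into a detectable event: the fingerprint list differs as soon as the IdP publishes a new signing certificate, even while the old one is still accepted.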