PingIdentity Custom IDP
Overview
PingIdentity is an enterprise-grade identity management platform that supports SSO, MFA, directory services, and identity federation. When integrated with LoginRadius as a Custom Identity Provider (IDP) using SAML, PingIdentity helps enable secure and seamless access management for internal teams, partners, or customers.
This setup allows you to:
- Authenticate users using their PingIdentity-managed credentials.
- Extend your identity federation strategy to applications connected via LoginRadius.
- Maintain centralized identity control while leveraging LoginRadius features such as analytics, customer segmentation, and customizable login flows.
Key Features
- Federated Login via SAML 2.0: Authenticate users using PingIdentity with SAML-based federation.
- Secure Certificate-Based Assertion Exchange: Ensures secure validation of login sessions.
- Simplified Configuration: Easily set up and manage PingIdentity as a Custom IDP via the LoginRadius Admin Console.
- Custom Branding: Display a custom-named PingIdentity login button on your login interface.
- Support for Login and Logout Flows: Handle complete SAML SSO sessions, including single logout.
Use Cases
- Enterprise SSO: Enable employees to log in to your application using their enterprise PingIdentity credentials.
- Secure B2B Access: Partner organizations can authenticate using their existing PingIdentity-managed identity systems.
- Regulatory Compliance: Leverage PingIdentity’s security and auditing features to meet compliance standards like HIPAA, GDPR, etc.
Configuration
- PingIdentity Console
- LoginRadius Console
Ping Identity Configuration
Follow this guide to create the SAML application in PingIdentity: Pingidentity Applications - Manually Enter Configuration
Use the following details during setup:
| Field | Value | 
|---|---|
| ACS (Assertion Consumer Service) URL | https://<Site Name>.hub.loginradius.com/service/saml/sp/login | 
| Entity ID | https://<Site Name>.hub.loginradius.com/ | 
| SLO URL and sign-out URL | https://<LoginRadius Site Name>/service/saml/idp/logout?appname=<SAMLAppName> | 
After configuring the application, download the SAML Metadata or X.509 Certificate for use in LoginRadius.
Additional SAML Configuration
Refer to this guide for further SAML settings: Edit Application SAML - PingIdentity
Update the following fields:
| Setting | Value | 
|---|---|
| SUBJECT NAMEID FORMAT | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified | 
| Assertion Validity Duration | Set the desired duration (in seconds) for which the assertion is valid | 
Attribute Mapping
Map the PingOne user attributes to their LoginRadius counterparts:
| PingOne Attribute | LoginRadius Attribute | 
|---|---|
| Email Address | saml_subject | 
| Family Name | lastname | 
| Given Name | firstname | 
After filling in the above configuration, click Save and Close.
LoginRadius Console
- Log in to the LoginRadius Admin Console.
- Navigate to Custom IDPs: Go to Authentication > Identity Providers > Custom Identity Providers.
- Add PingIdentity IDP:
  - Click Add Custom IDP at the top-right corner.
  - Select the PingIdentity card from the list.
- Fill Configuration Fields:
  - Unique Provider Name: This will appear on the login screen.
  - ID Provider Location: Enter the SAML SSO URL (Assertion Consumer Service endpoint) from PingIdentity.
  - ID Provider Logout URL: Add the logout URL from PingIdentity.
  - ID Provider Certificate: Enter the certificate, which is included in the metadata you downloaded from PingIdentity. Ensure the certificate is wrapped like:

    -----BEGIN CERTIFICATE-----
    <Your Certificate>
    -----END CERTIFICATE-----
- Save Configuration: Click Save to create the PingIdentity IDP. It will now appear in the list of configured IDPs.
Integration Details
After configuring the PingIdentity Custom IDP:
- The PingIdentity login button will appear on your LoginRadius-hosted login interface.
- Users can initiate login from the LoginRadius screen and be redirected to PingIdentity for authentication.
- After a successful login, users are redirected back to your site with a valid session.
- For API or SDK-based flows, ensure the custom IDP name is passed correctly in the login request and matches the Unique Provider Name set during configuration.