PingIdentity Custom IDP
Overview
PingIdentity is an enterprise-grade identity management platform that supports SSO, MFA, directory services, and identity federation. When integrated with LoginRadius as a Custom Identity Provider (IDP) using SAML, PingIdentity helps enable secure and seamless access management for internal teams, partners, or customers.
This setup allows you to:
- Authenticate users using their PingIdentity-managed credentials.
- Extend your identity federation strategy to applications connected via LoginRadius.
- Maintain centralized identity control while leveraging LoginRadius features such as analytics, customer segmentation, and customizable login flows.
Key Features
- Federated Login via SAML 2.0: Authenticate users using PingIdentity with SAML-based federation.
- Secure Certificate-Based Assertion Exchange: This ensures secure validation of login sessions.
- Simplified Configuration: Easily set up and manage PingIdentity as a Custom IDP via the LoginRadius Admin Console.
- Custom Branding: Display a custom-named PingIdentity login button on your login interface.
- Support for Login and Logout Flows: Handle complete SAML SSO sessions, including single logout.
Use Cases
- Enterprise SSO: Enable employees to log in to your application using their enterprise PingIdentity credentials.
- Secure B2B Access: Partner organizations can authenticate using their existing PingIdentity-managed identity systems.
- Regulatory Compliance: Leverage PingIdentity’s security and auditing features to meet compliance standards like HIPAA, GDPR, etc.
Configuration
Ping Identity Configuration
Follow this guide to create the SAML application in PingIdentity: Pingidentity Applications - Manually Enter Configuration
Use the following details during setup:
| Field | Value |
|---|---|
| ACS (Assertion Consumer Service) URL | https://<Site Name>.hub.loginradius.com/service/saml/sp/login |
| Entity ID | https://<Site Name>.hub.loginradius.com/ |
| SLO URL and sign-out URL | https://<LoginRadius Site Name>/service/saml/idp/logout?appname=<SAMLAppName> |
After configuring the application, download the SAML Metadata or X.509 Certificate for use in LoginRadius.
Additional SAML Configuration
Refer to this guide for further SAML settings: Edit Application SAML - PingIdentity
Update the following fields:
| Setting | Value |
|---|---|
| SUBJECT NAMEID FORMAT | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
| Assertion Validity Duration | Set the desired duration (in seconds) for which the assertion is valid |
Attribute Mapping
Map the PingOne user attributes to their LoginRadius counterparts:
| PingOne Attribute | LoginRadius Attribute |
|---|---|
| Email Address | saml_subject |
| Family Name | lastname |
| Given Name | firstname |
After filling in the above configuration, click Save and Close.
LoginRadius Console
- Log in to the LoginRadius Admin Console.
- Navigate to Custom IDPs: Go to Authentication > Identity Providers > Custom Identity Providers.
- Add PingIdentity IDP:
  - Click Add Custom IDP at the top-right corner.
  - Select the PingIdentity card from the list.
- Fill Configuration Fields:
  - Unique Provider Name: This will appear on the login screen.
  - ID Provider Location: Enter the SAML SSO URL (Assertion Consumer Service endpoint) from PingIdentity.
  - ID Provider Logout URL: Add the logout URL from PingIdentity.
  - ID Provider Certificate: Enter the certificate, which should be in the metadata you have downloaded from PingIdentity. Ensure the certificate is wrapped like:
    -----BEGIN CERTIFICATE-----
    <Your Certificate>
    -----END CERTIFICATE-----
- Save Configuration: Click Save to create the PingIdentity IDP. It will now appear in the list of configured IDPs.
Integration Details
After configuring the PingIdentity Custom IDP:
- The PingIdentity login button will appear on your LoginRadius-hosted login interface.
- Users can initiate login from the LoginRadius screen and be redirected to PingIdentity for authentication.
- After a successful login, users are redirected back to your site with a valid session.
- For API or SDK-based flows, ensure the custom IDP name is passed correctly in the login request and matches the Unique Provider Name set during configuration.