Ping Identity is a supplier of Identity-as-a-Service products. Zeplin SAML SSO is confirmed to work with Ping Identity. This guide walks through configuring the PingOne product, which will be similar for other Ping Identity products such as Ping Federate.
☝️ This feature is only available to teams on the Enterprise Plan.
Before you begin
Ping does not generate the application details Zeplin needs until it has the Zeplin-generated values, which in turn require Ping data to generate. Contact us at success@zeplin.io to have us manually generate and supply your specific SSO URL and SP EntityID.
Configuration
Configure PingOne from the PingOne Dashboard (https://admin.pingone.com)
Log in to Zeplin (https://app.zeplin.io) as an Owner or Admin for your Zeplin Organization
In PingOne:
From the APPLICATIONS tab on the Dashboard, click on “Add Application” and choose New SAML Application
Add a name for this application and click on “Continue to Next Step”
Under "Application Configuration",
- Enter the SSO URL we gave you into the PingOne field Assertion Consumer Service (ACS)
- Enter the SP EntityID we gave you into the PingOne field Entity ID
Leave all other fields at their defaults, and click on “Continue to Next Step”
Under SSO Attribute Mapping, click [ Add new Attribute ] and add a new Attribute:
- Attribute Name: email
- Identity Bridge Attribute: Email
- Required? Yes
Click on “Continue to Next Step”. Set up the required access as per your company policy, and click on “Continue to Next Step” again.
A page titled Review Settings will open with the information you need to enter into Zeplin.
In Zeplin:
From the Organization Dashboard, click the settings button on the top right to access Settings, and select the AUTHENTICATION tab.
In the SAML 2.0 section, click on the “Enable” button
In the Zeplin popup:
- Copy the string from the PingOne field Initiate Single Sign-On (SSO) URL into the Zeplin field IdP SAML 2.0 Endpoint
- Copy the string from the PingOne field Issuer into the Zeplin field IDP Issuer
- Download the PingOne file Signing Certificate and copy its contents into the Zeplin field IdP Public Certificate
Click on the “Enable” button
Confirm everything works!
Go to the Zeplin login page, and click the link that says Login with SSO (or go directly to https://app.zeplin.io/login/sso). Enter the email address of an existing Zeplin user. You should redirect to your Ping IdP to authenticate, then back to that user's Project page.
Your company's identity management policies may require you to first assign this application to your users. Usually, this is done via an existing Ping user group that must be assigned to the Application. Configure access in the Group Access screen as part of the Application Configuration in PingOne. Select the appropriate group, and assign the Zeplin application and specific users if required.
Finishing Up
Once you have confirmed that users can log in with SAML, you can restrict login to SAML only for all users in your domain by setting Require SSO on the AUTHENTICATION tab in Zeplin.
- Don't Require: Users can continue to log in with username/password or SSO
- Require for All Members: Users in your domain who try to log in with username/password will be redirected to your IdP instead.
For safety, the Owner will still be able to log in using their username/password even if this option is set to Require.
You can specify a Session timeout. Zeplin will re-check with your IdP at the shorter of this setting and the Session Duration sent by your IdP (if it sends one) to verify that the user is still authenticated.
You can choose to Allow inviting users from different domains. If this is not ticked, only users with an email address in your domain can be invited to the Workspace.
Extra information for Ping Identity users
Ping does not send the session duration value in its SAML assertion. Zeplin will expire and attempt session re-authentication at the duration chosen in the Zeplin setting Session Timeout, on the AUTHENTICATION tab in Zeplin’s Organization settings. The default value is to never log out the user.
Ping can sign either the Assertion or Response. Zeplin will verify either signature against the Ping-generated IdP Public Certificate.
By default, Ping does not encrypt the Assertion. Zeplin will accept unencrypted assertions, and also assertions encrypted with the Zeplin-generated x.509 certificate (available within the Zeplin SP metadata). Zeplin can decrypt all of the ciphers that Ping supports.
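The three notes above describe what to expect in a PingOne SAML Response: a Signature on either the Response or the Assertion, an unencrypted Assertion, the mapped email attribute, and no session duration. The following is an added example (not Zeplin's or Ping's code) that inspects a constructed Response for those properties and applies the session-expiry rule from the Finishing Up section; it only reports where a Signature sits and does not verify it.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Added example, not Zeplin or Ping code. Reports which element carries a Signature
# (presence only; real verification needs an XML-DSig library and the IdP certificate),
# whether the Assertion is encrypted, the "email" attribute and SessionNotOnOrAfter.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample (placeholder signature value): Assertion signed, not encrypted,
# and no SessionNotOnOrAfter, which matches what the notes above say PingOne sends.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0"><saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"/>
    <saml:AttributeStatement><saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def inspect_response(xml_text):
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    signed = []
    if root.find("ds:Signature", NS) is not None:
        signed.append("Response")
    if assertion is not None and assertion.find("ds:Signature", NS) is not None:
        signed.append("Assertion")
    email = session_end = None
    if assertion is not None:
        value = assertion.find("saml:AttributeStatement/saml:Attribute[@Name='email']/"
                               "saml:AttributeValue", NS)
        email = value.text if value is not None else None
        authn = assertion.find("saml:AuthnStatement", NS)
        session_end = authn.get("SessionNotOnOrAfter") if authn is not None else None
    return {"signed": signed, "email": email, "session_not_on_or_after": session_end,
            "encrypted": root.find("saml:EncryptedAssertion", NS) is not None}

def effective_expiry(now_iso, zeplin_timeout_seconds, idp_session_end):
    """Shorter of Zeplin's Session Timeout (None = never) and the IdP's
    SessionNotOnOrAfter (None = not sent, as with PingOne). Returns ISO 8601 or None."""
    parse = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    ends = []
    if zeplin_timeout_seconds is not None:
        ends.append(parse(now_iso) + timedelta(seconds=zeplin_timeout_seconds))
    if idp_session_end:
        ends.append(parse(idp_session_end))
    return min(ends).isoformat() if ends else None
```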