This article provides steps for configuring Ping Identity SSO in Cloud Control Center.
Three main steps are required to configure SSO using Ping Identity:
1. Adding Elisity Cloud Control Center Application in Ping
2. Create and Assign User Roles
3. Configure Ping SSO with Cloud Control Center (Two Methods)
Note: You can create custom mappings from groups within your SSO directory to user roles in Cloud Control Center. It is recommended to set up these role mapping configurations if you are planning on using Role-Based Access Control (RBAC) in Cloud Control Center, which enables powerful access control to various scopes such as Users, Devices, Policies, Virtual Edges, Settings, and more.
Adding Cloud Control Center as an Application in Ping Identity
First, log in to your Ping Identity console. Go to Connections -> Applications and click the add application icon ( + ). Give your application a name such as "Elisity CCC" and optionally add a description. Select OIDC Web App as your Application Type and click Save.
After saving, go back to the Applications panel, click your newly added Elisity CCC application, and open the Configuration panel. We need to copy and save three values that we will use later. Locate and copy the following into your notepad:
- URLs: Issuer
- General: Client ID
- General: Client Secret
Next, scroll back up to the top of the configuration panel and click the edit icon.
Make sure that your application configuration matches below.
Response Type
- Code: Selected
- Token: Selected
- ID Token: Selected
Grant Type
- Authorization Code: Selected
- Implicit: Selected
- Refresh Token: Selected
Redirect URIs (Reply URL)
- Copy the Redirect URI from Cloud Control Center
Token Endpoint Authentication Method
- Select: Client Secret Post
Initiate Login URI
(Only required if you wish to initiate login from the PingIdentity Application Portal)
- https://tenantname.elisity.io/api/v1/iam/usermanagement/extidp/login
- !!! REPLACE tenantname.elisity.io with your Cloud Control Center URL or IP.
Configuring Supported User Roles in Ping
Go to Identities -> Groups and add user groups to define the roles you want to use for signing in to Cloud Control Center. Our two standard groups are the following:
TenantAdmin – This default role in Cloud Control Center has full read/write access.
TenantUser – This default role in Cloud Control Center can only view data.
Remember, you can create custom mappings from any SSO user groups to user roles within Cloud Control Center at any time. This just requires assigning the user groups to the application, as we will do later.
Note: The group names you create here must match the values you will later enter in the Cloud Control Center role mapping exactly; that comparison is case-sensitive.
You can choose to add users to these groups now, or later on.
Next, go to Connections -> Applications and select the Cloud Control Center Application Registration we created earlier.
Go to the Attribute Mappings tab and click the pencil icon to add a custom attribute with the following mapping:
- Attribute: UserRole
- PingOne Mapping: Group Names
Next, go to the "Access" tab in the same window, and click the pencil icon.
Apply the following settings:
- Must have admin access: Unchecked
- Select: User is a member of any applied group
- Select the appropriate groups: TenantAdmin, TenantUser, etc.
Here is where you can also add any further user groups that you would like to map to user roles within Cloud Control Center (see the guide on mapping SSO groups to user roles). Cloud Control Center reads the UserRole value when the user signs in and assigns privileges based on it. Any group that is assigned to the Cloud Control Center application in Ping Identity can be mapped to a role in Cloud Control Center. Let's look at how to accomplish this.
Before finalizing our SSO integration, we can quickly add our Key-Value to User Role configurations within Cloud Control Center. Recall the UserRole attribute mapping we configured on the CCC application registration in Ping Identity: Ping sends the user's group names as the value of the UserRole attribute. Cloud Control Center matches this with a Key-Value pair, where the key is the attribute name ("UserRole") and the value is a group name. Both the "Key" and "Value" strings in CCC are case-sensitive, so if you named the attribute "UserRole" in Ping, it must match exactly in Cloud Control Center. Creating these configurations is very simple.
Go to Settings > Admin > SSO Configuration > Role Configuration
For any and every user group that you would like to map to a role in Cloud Control Center, you need to create a mapping here. If you copied the syntax for the Key-Value pairs in this guide, the default User Roles should look exactly like this:
KEY      | VALUE       | USER ROLE (pre-defined)
UserRole | TenantAdmin | Tenant Admin
UserRole | TenantUser  | Tenant User
Any additional user groups you would like to map to custom roles can also be configured here. They should use the same key (Key = "UserRole") unless you configured your attribute mapping differently. The value field must match exactly the name of a user group assigned to your CCC application within your IdP. You can then assign it to any custom role you have created to enable Role-Based Access Control for Cloud Control Center.
For example, mapping Key "UserRole" and Value "NetworkAdmin" to a custom role that grants only the Virtual Edge page restricts SSO users who are members of the NetworkAdmin group to ONLY the Virtual Edge page.
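The matching rule the role configuration relies on, as an added example (not Elisity's or Ping's code): given the claims Ping sends, which Key/Value mappings match and, when a user gets no role, why. The mappings are the two default rows above plus an assumed custom role named "Virtual Edge Viewer"; the claims are constructed; how Cloud Control Center combines several matching roles is not documented on this page, so the code simply returns every match.

```python
"""Resolve Cloud Control Center roles from the UserRole attribute Ping sends.

Added example, not Elisity code. Matching is exact and case-sensitive, as the
guide states for Key/Value mappings; returning all matches is an assumption.
"""

# Mappings as entered under Settings > Admin > SSO Configuration > Role Configuration.
# "Virtual Edge Viewer" is an assumed name for a custom role limited to the Virtual Edge page.
ROLE_MAPPINGS = [
    {"key": "UserRole", "value": "TenantAdmin", "role": "Tenant Admin"},
    {"key": "UserRole", "value": "TenantUser", "role": "Tenant User"},
    {"key": "UserRole", "value": "NetworkAdmin", "role": "Virtual Edge Viewer"},
]


def _as_list(value):
    """The Group Names mapping carries one or more group names; accept a
    single string or a list (assumption about the token shape)."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def resolve_roles(claims: dict, mappings=ROLE_MAPPINGS) -> list:
    """Return the CCC roles whose key AND value match the claims exactly."""
    roles = []
    for m in mappings:
        if m["value"] in _as_list(claims.get(m["key"])) and m["role"] not in roles:
            roles.append(m["role"])
    return roles


def explain_no_match(claims: dict, mappings=ROLE_MAPPINGS) -> list:
    """Troubleshooting hints for a user who signs in but receives no role:
    attribute or group names that differ from a mapping only by case, and
    groups that are simply not mapped."""
    hints = []
    lower_keys = {k.lower(): k for k in claims}
    for key in sorted({m["key"] for m in mappings}):
        actual = lower_keys.get(key.lower())
        if actual is None:
            hints.append(f"attribute {key!r} is absent from the token")
            continue
        if actual != key:
            hints.append(f"attribute {actual!r} differs from mapping key {key!r} only by case")
        values = {m["value"] for m in mappings if m["key"] == key}
        for group in _as_list(claims[actual]):
            if group in values:
                continue
            near = [v for v in values if v.lower() == group.lower()]
            if near:
                hints.append(f"group {group!r} differs from mapping value {near[0]!r} only by case")
            else:
                hints.append(f"group {group!r} is not mapped to any role")
    return hints


# Constructed ID-token claims (not captured from a real tenant).
ADMIN_CLAIMS = {"sub": "u1", "UserRole": ["TenantAdmin", "Contractors"]}
MULTI_CLAIMS = {"sub": "u2", "UserRole": ["TenantUser", "NetworkAdmin"]}
WRONG_CASE_CLAIMS = {"sub": "u3", "userrole": ["tenantadmin"]}

if __name__ == "__main__":
    for claims in (ADMIN_CLAIMS, MULTI_CLAIMS, WRONG_CASE_CLAIMS):
        print(claims["sub"], resolve_roles(claims), explain_no_match(claims))
```

The third user illustrates the pitfall the note above warns about: an attribute named "userrole" carrying the group "tenantadmin" matches nothing, and the hints point at both case differences.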
Configure Ping SSO in Cloud Control Center
Method 1: Using the Discovery Endpoint for Ping SSO
Before using this method, you need to ensure that your Elisity Application and User Roles are already created in Ping SSO. If they are not, navigate to the respective sections to fulfill these requirements first.
Accessing SSO Configuration in CCC:
- Sign into Cloud Control Center (CCC) with an admin account that has permissions to make SSO configuration changes.
- Navigate to the settings page, then go to the Admin dropdown and select the SSO configuration tab. Make sure that "Use discovery endpoint" is toggled to use this method.
Obtaining the Discovery Endpoint:
- The Discovery Endpoint for Ping SSO is obtained by appending "/.well-known/openid-configuration" to the Ping issuer URL.
- Example: If the Ping issuer URL is https://<Ping-Domain>/idp, the Discovery Endpoint is https://<Ping-Domain>/idp/.well-known/openid-configuration.
Populating Metadata Automatically:
- Click on the "DISCOVER" button within the CCC SSO configuration page. This action will automatically populate all the Metadata fields required for Ping SSO integration.
Acquiring Client ID and Secret:
- Obtain the Client ID and Client Secret from your Ping SSO setup (copied earlier from the application's Configuration panel). These are the credentials Cloud Control Center uses to authenticate to Ping.
Setting up Redirect URI (Reply URL):
- The Redirect URI needed for Ping SSO configuration will be displayed in the Redirect URI box within the CCC.
- This URI must be configured in your Ping SSO setup to ensure proper redirection after authentication.
By following these steps, you can configure Ping SSO with Elisity's Cloud Control Center using the Discovery Endpoint method. Automating the metadata population reduces the potential for errors during manual entry, but you should still verify the auto-populated fields before saving: the Issuer must match the value you copied from Ping, and every endpoint (Authorization, Token, JWKS, User Information) should be an HTTPS URL on your Ping domain.
Method 2: Manually Entering Metadata
You can optionally choose to bypass the Discovery Endpoint method and manually enter all the required configurations in Cloud Control Center. Toggle off the "Use discovery endpoint" button, and you will have access to manually enter the following fields:
- Redirect URI (Reply URL): The callback location where the SSO provider will send the user after authentication. This can be found in Cloud Control Center.
- Client ID: The unique identifier assigned to your application by the SSO provider. This value can be found by following the guide above.
- Client Secret: A confidential secret used by your application to authenticate with the SSO provider. This value can be found by following the guide above.
- Token Endpoint: The URL at which the application exchanges an authorization code for tokens (access, ID and refresh tokens).
- Authorization Endpoint: The URL used to initiate the user authorization process.
- JSON Web Key Set (JWKS) URI: The URL pointing to a set of public keys used to verify the signature of JSON Web Tokens.
- User Information Endpoint: The URL from which the application can retrieve user profile information.
- Issuer: The URL that uniquely identifies the authorization server that issued the token. This value can be found by following the guide above.
Refer to Ping Identity documentation on how to retrieve the values for manual configuration that are not covered in this document.
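The check recommended for Method 1 and the field list of Method 2, as an added example (not Elisity's or Ping's code): build the discovery URL from the issuer, then read the discovery document and map it onto the manual fields, refusing to trust it if the issuer does not match, an endpoint is not HTTPS, or an endpoint lives on a different host than the issuer (the same-host rule is an assumption about Ping deployments). The issuer and both documents below are constructed, not captured from a tenant.

```python
"""Build the Ping discovery URL and sanity-check the discovery document before
accepting the endpoints it advertises.

Added example, not Elisity or Ping code. Sample documents are constructed.
"""
import json
from urllib.parse import urlparse

# Discovery-document members that correspond to the Method 2 fields in CCC.
REQUIRED_FIELDS = {
    "issuer": "Issuer",
    "authorization_endpoint": "Authorization Endpoint",
    "token_endpoint": "Token Endpoint",
    "jwks_uri": "JSON Web Key Set (JWKS) URI",
    "userinfo_endpoint": "User Information Endpoint",
}


def discovery_url(issuer: str) -> str:
    """Append /.well-known/openid-configuration, whether or not the issuer ends in '/'."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def find_problems(issuer: str, raw_json: str) -> list:
    """Return reasons not to trust the document; an empty list means it looks sane."""
    doc = json.loads(raw_json)
    problems = []
    # OIDC Discovery requires the advertised issuer to equal the one the document was fetched from.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: expected {issuer!r}, got {doc.get('issuer')!r}")
    issuer_host = urlparse(issuer).hostname
    for member in REQUIRED_FIELDS:
        value = doc.get(member)
        if not value:
            problems.append(f"missing {member}")
            continue
        parsed = urlparse(value)
        if parsed.scheme != "https":
            problems.append(f"{member} is not https: {value}")
        # Assumption: a Ping deployment serves every endpoint from the issuer's host,
        # so an endpoint on another host indicates a wrong or tampered document.
        if parsed.hostname != issuer_host:
            problems.append(f"{member} host {parsed.hostname!r} differs from issuer host {issuer_host!r}")
    # CCC exchanges an authorization code at the token endpoint, so 'code' must be offered.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_types_supported does not include 'code'")
    return problems


def ccc_fields(issuer: str, raw_json: str) -> dict:
    """Map a trusted document onto CCC's manual field names; raise on any problem."""
    problems = find_problems(issuer, raw_json)
    if problems:
        raise ValueError("; ".join(problems))
    doc = json.loads(raw_json)
    return {label: doc[member] for member, label in REQUIRED_FIELDS.items()}


# Constructed sample shaped like a Ping document; the domain is a placeholder.
SAMPLE_ISSUER = "https://auth.ping-domain.example/idp"
GOOD_DISCOVERY = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "jwks_uri": SAMPLE_ISSUER + "/jwks",
    "userinfo_endpoint": SAMPLE_ISSUER + "/userinfo",
    "response_types_supported": ["code", "token", "id_token"],
})
# The same document with the token endpoint redirected to another host.
TAMPERED_DISCOVERY = GOOD_DISCOVERY.replace(SAMPLE_ISSUER + "/token", "https://evil.example/token")

if __name__ == "__main__":
    print(discovery_url(SAMPLE_ISSUER))
    for label, value in ccc_fields(SAMPLE_ISSUER, GOOD_DISCOVERY).items():
        print(f"{label}: {value}")
    print("tampered document problems:", find_problems(SAMPLE_ISSUER, TAMPERED_DISCOVERY))
```

Run it against a saved copy of your tenant's discovery document (fetched from the URL discovery_url returns) and compare the printed fields with what the DISCOVER button populated; the tampered sample shows the kind of discrepancy that should stop you from saving.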
Ping SSO Integration Completed
You should now be able to log in to Cloud Control Center using SSO with Ping, for users who have the appropriate attributes applied. Click "Login with SSO" and enter your Ping credentials.