Configuring SSO with PingOne

Prerequisites

Before you start, do the following:

• Submit a ticket to SAP LeanIX Support to request setting up SSO for your organization. If you're an SAP customer, submit a request from the SAP for Me portal.
• Learn about the SSO configuration process in SSO Configuration Process.

For more information about configuring SSO with PingOne, refer to the PingOne documentation.

Step 1: Create a SAML Application

Follow these steps:

1. In the PingOne admin dashboard, in the Applications section, click Add Application.

2. Enter a name for your application.

3. Select SAML Application as the application type, then click Configure.

   

Step 2: Configure SAML Settings

Follow these steps:

1. In the SAML Configuration section, under Provide Application Metadata, select Import Metadata and upload the metadata file. Alternatively, select Manually Enter and specify the following:

   • ACS URLs: https://{SUBDOMAIN}.leanix.net/Shibboleth.sso/SAML2/POST

   • Entity ID: https://{SUBDOMAIN}.leanix.net/Shibboleth.sso

     📘

     Note

     Replace {SUBDOMAIN} in the URLs with your custom subdomain that you specified in the SSO request form (for example, https://your-company.leanix.net).

2. Save the changes.

   

Step 3: Configure Attribute Mapping

In the Attribute Statements section, specify attributes to be added to the SAML assertion as shown in the following tables. Set all attributes as required. All fields are case-sensitive.

For the following required attributes, the corresponding values already exist in PingOne Mapping.

If you want to manage user roles within PingOne and not within SAP LeanIX, configure optional attributes specified in the following table using expressions. To learn more about managing user roles, see Managing User Roles with SSO.

For effective implementation of the expressions, it's crucial to use accurate group naming. The mapping of group membership to a role or custom role is created by extracting a segment from the group name. For example, for the group name LEANIX MEMBER, MEMBER is sent to SAP LeanIX as the user role. User roles in the group names must exactly match the roles listed in the User Roles and Permissions section of your workspace's admin area in SAP LeanIX. For more information, see Custom User Roles.

While it's less common, another method is to map specific user attributes instead of group membership, which can be an option in some use cases such as when using virtual workspaces.

Step 4: Assign Users to the SAML Application

Follow these steps:

1. In the PingOne admin dashboard, navigate to Directory > Groups. Review your user groups and verify that they're already populated with users. In the following screenshot, the example user groups are LEANIX MEMBER, LEANIX VIEWER, and LEANIX ADMIN.

   

2. Navigate to the SAML application page. On the Access tab, grant access to the application to the user groups. If you don’t need to manage authorization, assigning fewer groups will suffice.

   

To verify your SSO configuration, first, access your workspace at https://{SUBDOMAIN}.leanix.net, then navigate to the SAML session page at https://{SUBDOMAIN}.leanix.net/Shibboleth.sso/Session.

The following screenshot shows a SAML session page with a list of required user attributes that appear under Attributes. The role attribute is optional and may not apply to your setup.