SSO with PingOne

Configure single sign-on (SSO) with PingOne as an identity provider.

Prerequisites

Before you start, do the following:

For more information about configuring SSO with PingOne, refer to the PingOne documentation.

Step 1: Create a SAML Application

Follow these steps:

  1. In the PingOne admin dashboard, in the Applications section, click Add Application.

  2. Enter a name for your application.

  3. Select SAML Application as the application type, then click Configure.

    Creating a SAML Application in the PingOne Admin Dashboard

Step 2: Configure SAML Settings

Follow these steps:

  1. In the SAML Configuration section, under Provide Application Metadata, select Import Metadata and upload the metadata file. Alternatively, select Manually Enter and specify the following:

    • ACS URLs: https://{SUBDOMAIN}.leanix.net/Shibboleth.sso/SAML2/POST

    • Entity ID: https://{SUBDOMAIN}.leanix.net/Shibboleth.sso

      Note: Replace {SUBDOMAIN} in the URLs with your value. When implementing SSO for your organization with the SAP LeanIX team, you can choose a custom subdomain, for example, your company name.

  2. Save the changes.

    Configuring General SAML Settings for a SAML Application

Step 3: Configure Attribute Mapping

In the Attribute Statements section, specify attributes to be added to the SAML assertion as shown in the following tables. Set all attributes as required. All fields are case-sensitive.

For the following required attributes, the corresponding values already exist in PingOne Mapping.

Attribute   Required   PingOne Mapping
firstname   Required   Given Name
lastname    Required   Family Name
mail        Required   Email Address
uid         Required   The unique ID of the user in the email format.

If you're managing user roles within PingOne and not within SAP LeanIX, configure optional attributes specified in the following table using expressions. To learn more about managing user roles, see Managing User Roles with SSO.

For effective implementation of the expressions, it's crucial to use accurate group naming. The mapping of group membership to a role or custom role is created by extracting a segment from the group name. For example, for the group name LEANIX MEMBER, MEMBER is sent to SAP LeanIX as the user role. User roles in the group names must exactly match the roles listed in the User Roles section of your workspace's admin area in SAP LeanIX. For more information, see User Roles.

While it's less common, another method is to map specific user attributes instead of group membership, which can be an option in some use cases such as when using virtual workspaces.

  • role (required only if you manage user roles within PingOne). Example expression: #string.replace(user.memberOfGroupNames.?[#string.startsWith(#this, 'LEANIX ')], "LEANIX ", "", -1)

  • customerRoles (required only if you manage user roles within PingOne). Example expression: #string.replace(user.memberOfGroupNames.?[#string.startsWith(#this, 'LEANIX ')], "LEANIX ", "", -1)

  • entryACI (required only if you manage user roles within PingOne and want to use virtual workspaces). Example expression: #string.replace(user.memberOfGroupNames.?[#string.startsWith(#this, 'LEANIX ')], "LEANIX ", "", -1)

Configuring Attribute Mapping for a SAML Application

Step 4: Assign Users to the SAML Application

Follow these steps:

  1. In the PingOne admin dashboard, navigate to Directory > Groups. Review your user groups and verify that they're already populated with users. In the following screenshot, the example user groups are LEANIX MEMBER, LEANIX VIEWER, and LEANIX ADMIN.

    Creating User Groups in PingOne

  2. Navigate to the SAML application page. On the Access tab, grant access to the application to the user groups. If you don’t need to manage authorization, assigning fewer groups will suffice.

    Assigning User Groups to a SAML Application

To verify your SSO configuration, first, access your workspace at https://{SUBDOMAIN}.leanix.net, then navigate to the SAML session page at https://{SUBDOMAIN}.leanix.net/Shibboleth.sso/Session.

The following screenshot shows a SAML session page with a list of required user attributes that appear under Attributes. The role attribute is optional and may not apply to your setup.

SAML Session Page
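As an added example (not part of the SAP LeanIX or PingOne documentation), the following Python script mirrors the group-to-role expression from Step 3 and checks a SAML AttributeStatement the way the session page above lets you check it by eye: required attribute names present (case-sensitive), uid in e-mail format, and role values that exactly match a workspace role. The sample assertion is constructed, and the workspace role set and the e-mail pattern are assumptions, not values from the page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the AttributeStatement PingOne would send after the
# mapping in Step 3 (not captured from a real tenant).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="uid"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>MEMBER</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("firstname", "lastname", "mail", "uid")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # assumed "email format" check


def roles_from_groups(group_names, prefix="LEANIX "):
    """Mirror the page's PingOne expression: keep groups that start with the
    prefix (case-sensitive, like startsWith) and strip it,
    e.g. 'LEANIX MEMBER' -> 'MEMBER'. A group named 'leanix member' is ignored."""
    return [g.replace(prefix, "") for g in group_names if g.startswith(prefix)]


def parse_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_assertion(assertion_xml, workspace_roles):
    """List problems a login would hit: a required attribute missing or empty
    (names are case-sensitive, so 'UID' does not satisfy 'uid'), a uid that is
    not an e-mail address, or a role value with no exact match in the workspace."""
    attrs = parse_attributes(assertion_xml)
    problems = []
    for name in REQUIRED:
        if not attrs.get(name) or not attrs[name][0]:
            problems.append(f"missing required attribute: {name}")
    for uid in attrs.get("uid", []):
        if not EMAIL_RE.match(uid):
            problems.append(f"uid is not in email format: {uid!r}")
    for role in attrs.get("role", []):
        if role not in workspace_roles:
            problems.append(f"role {role!r} does not match a workspace role")
    return problems
```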