Skip to main content

SAML 2.0 - PingOne as IdP

You can authenticate your XSOAR users using SAML 2.0 authentication and PingOne as the identity provider. First, you have to define XSOAR authentication in your PingOne account, then create a SAML 2.0 instance in XSOAR.

SAML 2.0 Overview#

Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard. It uses security tokens for exchanging authentication and authorization data between security domains.


The following parameters are part of the configuration process.

Service ProviderXSOAR
User AgentUser's browser
Identity ProviderPingOne

Add XSOAR as a PingOne Application#

There are several steps you need to complete.

  1. Create PingOne Groups for XSOAR Users
  2. Define the PingOne application for XSOAR authentication
  3. Configure the SAML 2.0 integration in XSOAR
  4. Map PingOne groups to XSOAR roles
  5. More references to PingOne's documentation

Create PingOne Groups for XSOAR Users#

To authenticate XSOAR users with PingOne, you need to have at least one PingOne group that defines XSOAR users, which will eventually be mapped to XSOAR roles. There are two common methods for grouping and mapping users:

  • Create a single PingOne group for all users, for example, XSOAR All Users.
  • Create a PingOne group for each business unit, for example, XSOAR IT, XSOAR Analysts, XSOAR Admins.

To create and add users to a PingOne group, see Managing Users in the PingOne Documentation

Define the PingOne application for XSOAR authentication#

For information, see Add or update a SAML application in the PingOne documentation.

In the Application Configuration section, configure the following application parameters:

Protocol VersionSAML v 2.0True
Assertion Consumer Service (ACS)https://<_XSOARURL_\>/samlTrue
Entity IDhttps://<_XSOARURL_\>/samlTrue
Application URLhttps://<_XSOARURL_\>/samlFalse
Single Logout Endpointhttps://<_XSOARURL_\>/saml-logoutFalse
Single Logout Binding TypePOSTFalse
Primary Verification CertificateYour own certificate. For help creating a new certificate go to the Set Up SAML Logout Article and follow Step 1.False
SigningSign ResponseFalse

In the Group Access section, add each group that you would like to associate to this application. This is where you define which groups to associate with XSOAR, which will be mapped to XSOAR roles. For example, you can create a group that includes all users in a single group called Users.

Configure the SAML 2.0 Integration in XSOAR#

Before you configure an instance of the SAML 2.0 integration in XSOAR, access the PingOne Application Details. The values of several integration parameters are located here, such as Identity Provider Single Sign-On URL.

  1. In XSOAR, navigate to Settings > Integrations > Servers & Services.

  2. Search for SAML 2.0.

  3. Click Add instance to configure a new integration instance.

    NameA meaningful name for the integration instance.
    Service Provider Entity IDhttps://<_XSOARURL_\>/samlAlso known as an ACS URL. This is the URL of your XSOAR server.
    IdP metadata URL<UUID> SAML-PingOne-Metadata-URL.pngURL of your organization's IdP metadata file.
    Or: IdP metadata fileYour organization's IdP metadata file. Download it from the PingOne UI: SAML-PingOne-Metadata-File.png
    IdP SSO URL<idp_id_from_PingID_UI>. SAML-PingOne-IDP-ID.pngURL of the IdP application that corresponds to XSOAR.
    Attribute to get usernameurnAttribute in your IdP for the user name.
    Attribute to get emailemailAttribute in your IdP for the user's email address.
    Attribute to get first namefirstNameAttribute in your IdP for the user's first name.
    Attribute to get last namelastNameAttribute in your IdP for the user's last name.
    Attribute to get phonePhoneAttribute in your IdP for the user's phone number.
    Attribute to get groupsmemberOfAttribute in your IdP for the groups of which the user is a member.
    Groups delimiter,Groups list separator.
    Default roleRole to assign to the user when they are not a member of any group.
    RelayStateOnly used by certain IdPs. If your IdP uses relay state, you need to supply the relay state.
    Sign request and verify response signatureMethod for the IdP to verify the user sign-in request using the IdP vendor certificate.
    IdP public certificateDownload it from the PingOne UI: SAML-PingOne-Download-Public-Cert.png
    Service Provider public certificateThe certificate.crt.Public certificate for your IdP.
    Service Provider private keyThe private_unencrypted.key.Private key for your IdP, in PEM format.
    ADFSTrueActive Directory Federation Services.
    Compress encode URL (ADFS)TrueWill compress the request sent to PingOne.
    Service Identifier (ADFS)
    Do not map SAML groups to XSOAR rolesSAML groups will not be mapped to XSOAR roles
    IdP Single Logout URL functionality will end the user's session in PingOne when logging out.
  4. Click Test to validate the URLs, token, and connection.

  5. Go back to the instance settings, and click Get service provider metadata, to verify that the settings are successful.

Map PingOne Groups to XSOAR Roles#

It is important that when you specify the PingOne group in XSOAR to map to a role that you use the exact group name as it appears in PingOne. Alternatively, you can specify .*, which will pass all PingOne groups to the relevant XSOAR roles (this is not recommended).

  1. In XSOAR, navigate to Settings > Users & Roles > Roles.
  2. To create a new role, click the +New button.
  3. Enter a meaningful name for the role.
  4. Select the permissions to grant to the role.
  5. In the SAML Roles Mapping section, specify one or more SAML groups to map to the XSOAR role.

More references to PingOne's documentation:#