PingOne

1. About this document


This document provides step-by-step instructions for configuring the PingOne integration in SAFE and importing SAML applications with SSO-related misconfigurations into SAFE.

2. Introduction


This integration allows you to onboard your SAML Applications from PingOne and fetch SSO misconfigurations for those SAML applications from PingOne into SAFE. SAFE Admins can configure this integration from the PingOne card available on the Integrations page.

Prerequisites


  1. A PingOne user with admin-level access to create an application in the PingOne administrator environment.

  2. SAML application(s) with SSO configured in the environment(s) that the user would pull into SAFE.

  3. SAFE access with an admin role.

3. Generate connection details


To integrate SAFE with PingOne, you need four details from the PingOne console:

  • API URL

  • Client Id

  • Client Secret

  • Administrator environment Id

Follow the steps below to generate these details:

3.1 Getting API URL for your PingOne console

  1. The PingOne API URL depends on the region where your PingOne cloud is deployed.

  2. PingOne’s API URL will always start with: https://api.pingone.<tld>

    1. Here, tld stands for Top Level Domain, which depends on PingOne’s region.

    2. Refer to this documentation to find the tld for your PingOne region: https://apidocs.pingidentity.com/pingone/platform/v1/api/#working-with-pingone-apis.

For example:

In case of confusion, please reach out to your PingOne support.

3.2 Creating a custom read-only role for SAFE

In this section, we will create a read-only role in PingOne, which will later be assigned to a Worker app to be created for SAFE in PingOne.

  1. Make sure that the Administrators Environment is selected from the top dropdown.

  2. From the left navigation menu, expand Directory → Open Administrator Roles → Click on Custom Roles → Click on + Add Custom Role button. (Refer to the below screenshot for the order of navigation)

  3. Under Initial Permissions, select No Permissions.

  4. Give a Name and Description to the role according to your preference.

  5. Under Assignable by, select Environment Admin and Organization Admin, and in the Advanced section select Environment and Application. Click Next to proceed to the permissions page.

  6. On the permissions page, search for Read Environment and select it.

  7. Next, search for Read Application and select it (make sure the permission you select is in the Applications section).

  8. Next, search for Read Sign-On and select the two permissions shown below.
</grr_replace>
<gr_replace lines="79" cat="clarify" orig="9. Clear the search">
  9. Clear the search bar, open the Selected Permissions tab, and confirm that only these four read-only permissions are selected, then click Next.

  9. Clear the search bar, head over to the Selected Permissions tab, and check that only four read-only roles are selected then click Next.

  10. Click Save.

3.3 Creating a Worker App in PingOne

In this section, we will create a Worker app, which generates the credentials to be configured in SAFE.

  1. Make sure that the Administrators Environment is selected from the top dropdown.

  2. From the left navigation menu, expand Applications and open Applications, then click the small + icon to create a new application.

  3. Give a Name and Description as per your preference and select Worker as the Application type.

  4. In the application created just now, head over to the Roles tab and click Grant Roles.

  5. Expand the custom role created before and select the environments that you want to pull into SAFE and then click Save.

    Note: Only the environments selected above will be pulled into SAFE. To assess all environments, click Select All.

  6. The newly created app is disabled by default, so enable it using the toggle shown below.

  7. Head over to the Overview tab, and here you will find the Client ID, Client Secret, and Environment ID.
    Note these details as they will be configured in SAFE.

4. Configure PingOne in SAFE


Follow the below steps to configure PingOne in SAFE.

  1. Go to the Integrations page and click the PingOne card.

  2. Open the Configure page.

  3. API URL - Refer to Section 3.1 above for guidance on finding your API URL.

  4. Client ID - Generated at the end of Section 3.3 of this document.

  5. Client Secret - Generated at the end of Section 3.3 of this document.

  6. Admin Environment ID - Generated at the end of Section 3.3 of this document.

Once configured:

  1. Click the Test Connection button.

  2. Once the connection is validated, click the Save button.

  3. Once the configuration is saved, click the Sync Now button to trigger the on-demand sync outside the scheduled auto sync.

5. View Result


To view the assets and the assessment result:

  1. From the Integrations page, click the PingOne card.

  2. A page with Finding View and Asset View tabs will open up.

  3. The finding view will contain all the findings assessed from PingOne.

  4. Asset view will list all the applications (with SAML protocol) pulled from PingOne.

    1. The name of the environment from which the application is pulled is appended to the asset name in brackets. For example, if the application name is “Acme Workspace” and the Environment name is “Test Env - 1”, then the asset name in SAFE will be Acme Workspace(Test Env - 1).

  5. Alternatively, you can navigate to Technology and filter the asset list for Finding source equals PingOne.

FAQs


  1. What data is pulled into SAFE by configuring this integration?

SAFE pulls in the SAML applications configured in PingOne and assesses them for SAML-related security misconfigurations.

  2. I am not seeing all the applications from PingOne in SAFE. Why?

SAFE only pulls in enabled applications with SAML protocol and assesses their security misconfigurations.

  3. How do I know which environment the application is pulled from?

SAML Applications pulled from PingOne have a naming convention. The name of the environment from which the application is pulled is appended to the asset name.

For example, in the screenshot below, the application name is “Acme Workspace” and the Environment name is “Test Env - 1”, which is appended to the asset name.
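The following is an added example, not part of this article or of SAFE's own code. It checks a configured API URL against the https://api.pingone.<tld> form from Section 3.1 and reproduces the onboarding rule described in Section 5 and FAQs 2 and 3 (only enabled SAML applications, named "App(Environment)") over constructed sample data; the payload shape `{"_embedded": {...}}` is an assumption about PingOne's list responses, and the environment and application records are constructed for illustration.

```python
import re

# Constructed sample data shaped like PingOne list responses (assumed HAL-style
# "_embedded" layout); not real environments or applications.
ENVIRONMENTS = {"_embedded": {"environments": [
    {"id": "env-1", "name": "Test Env - 1"},
    {"id": "env-2", "name": "Prod Env"},
]}}
APPLICATIONS_BY_ENV = {
    "env-1": {"_embedded": {"applications": [
        {"name": "Acme Workspace", "protocol": "SAML", "enabled": True},
        {"name": "Legacy Portal", "protocol": "SAML", "enabled": False},
        {"name": "Mobile App", "protocol": "OPENID_CONNECT", "enabled": True},
    ]}},
    "env-2": {"_embedded": {"applications": [
        {"name": "HR Suite", "protocol": "SAML", "enabled": True},
    ]}},
}

# Section 3.1: the API URL is exactly https://api.pingone.<tld>, where the
# tld is region-specific (it may contain dots, e.g. a two-part suffix).
API_URL_RE = re.compile(r"^https://api\.pingone\.[a-z]+(\.[a-z]+)*$")


def is_valid_api_url(url: str) -> bool:
    """Return True if url has the https://api.pingone.<tld> form (trailing slash tolerated)."""
    return API_URL_RE.match(url.strip().rstrip("/")) is not None


def asset_name(app_name: str, env_name: str) -> str:
    """Section 5 naming convention: environment name appended in brackets."""
    return f"{app_name}({env_name})"


def saml_assets(environments: dict, apps_by_env: dict) -> list:
    """Return SAFE-style asset names for enabled SAML applications only (FAQ 2).

    Disabled applications and non-SAML protocols are skipped, which is why an
    application visible in PingOne may not appear in SAFE.
    """
    assets = []
    for env in environments["_embedded"]["environments"]:
        payload = apps_by_env.get(env["id"], {"_embedded": {"applications": []}})
        for app in payload["_embedded"]["applications"]:
            if app.get("protocol") == "SAML" and app.get("enabled") is True:
                assets.append(asset_name(app["name"], env["name"]))
    return assets


if __name__ == "__main__":
    print(is_valid_api_url("https://api.pingone.com"))
    print(saml_assets(ENVIRONMENTS, APPLICATIONS_BY_ENV))
```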
