Configuring PayAnalytics SSO/SAML against Ping Identity (IdP)
Purpose
This document describes the steps a technical contact for a PayAnalytics customer is required to carry out in order to configure SSO/SAML authentication for the PayAnalytics online solution (the Service Provider, "SP") using Ping Identity as an Identity Provider, "IdP".
Roles & Responsibilities
IT specialist: A person within the customer organization that has access to the Microsoft Entra ID configuration for the organization.
PayAnalytics system owner: A person within the customer organization that has Superuser access (permissions to create and modify users) to PayAnalytics.
Prerequisites
A dedicated PayAnalytics instance with SSO support enabled has been created for the customer.
PayAnalytics system owner: Has a user account (using username/password) with Superuser privileges on the PayAnalytics customer instance.
IT specialist: Has the appropriate administrative privileges on Ping Identity.
Procedure
PayAnalytics system owner: Log into your PayAnalytics instance via "Other Options" -> "Sign in as administrator" (see Figure 4.1). If you're logging in for the first time you will need to retrieve your password with the "Forgot Password" feature.
Figure 4.1: Administrator login on PayAnalytics SSO login screen.
PayAnalytics system owner: In PayAnalytics, open settings (by clicking the settings icon) and from the settings page click "SSO/SAML configuration".
PayAnalytics system owner: Take note of the values in the gray-background boxes (see Figure 4.2) and the logo, which you will upload to Ping Identity.
Figure 4.2: Values to be copied from PayAnalytics into Ping Identity SAML configuration.
IT specialist: Log into Ping Identity by clicking the "Sign On" link on the Ping website.
IT specialist: In the left menu, unfold "Applications" and click "Applications" (see Figure 4.3).
IT specialist: On the Applications page, click the plus icon (see Figure 4.3).
Figure 4.3: Ping Identity menu and Applications Page.
IT specialist: In the "Add Application" menu, set "Application Name" to "PayAnalytics" and description to "PayAnalytics Pay Equity Analysis". Upload the logo from the PayAnalytics SSO configuration page and select "SAML Application". Click the "Configure" button (Figure 4.4).
Figure 4.4: Ping Identity "Create your own application" form.
PayAnalytics system owner / IT specialist: In the next step, copy/paste:
PayAnalytics landing URL from Identity Provider. -> "ACS URLs"
Service Provider (SP) Audience Restriction (SP Entity ID) -> "Entity ID"
IT specialist: Click "Save".
IT specialist: In the next step, click "Attributes" and add the following entries (see Figure 4.5):
saml_subject -> "Email Address" (may also be configured as "User ID")
FirstName -> "Given Name"
LastName -> "Family Name"
Email -> "Email Address"
Role -> "User Role" (if set, will assign or clear the User Role of the user)
Figure 4.5: Configured Attribute Mappings
IT specialist: Click "Save".
IT specialist / PayAnalytics system owner: Open "Configure" and click the pen icon. Configure the following (see Figure 4.6):
SLO Endpoint -> "PayAnalytics URL for Identity Provider initiated logout."
Target Application URL -> The PayAnalytics instance URL
Figure 4.6: Ping Identity configuration
PayAnalytics system owner / IT specialist: Copy values from Ping Identity Configuration tab to PayAnalytics (see Figure 4.8):
Identity Provider Issuer ID -> (Ping Configuration) Issuer ID
Identity Provider Single Sign-On URL -> (Ping Configuration) Single Signon Service
Identity Provider Single Logout URL -> (Ping Configuration) Single Logout Service
Identity Provider X.509 certificate -> (Ping Configuration) Contents of .crt file from "Download Signing Certificate" (Figure 4.7).
Figure 4.7: Download the .crt
Figure 4.8: Configuration in PayAnalytics copy/pasted from Ping Identity.
PayAnalytics system owner: Click "Save" in the PayAnalytics configuration.
IT specialist: In Ping Identity, click the "Access" configuration tab and grant access to the PayAnalytics group, then click "Save". This group must already exist before you carry out this step; groups are created on the "Directory" page in Ping Identity.
IT specialist: Finally, click the enable slider to enable the PayAnalytics SSO configuration (Figure 4.9).
Figure 4.9: The "Enable configuration" slider in Ping Identity
Your SSO/SAML authentication should now be correctly configured and your users can initiate the authentication flow into PayAnalytics by clicking the "Click here to authenticate" button.
Other information
The SP metadata is available at the following URL: https://my-company.payanalytics.com/api/v1/sso/metadata
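The SP metadata can be used to cross-check the "Entity ID", "ACS URLs" and "SLO Endpoint" values typed into Ping Identity, since SAML compares these strings exactly. The following is an added example, not PayAnalytics or Ping Identity code: it assumes the metadata follows the standard SAML 2.0 metadata schema, the sample document and its URLs are constructed placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample SP metadata (standard SAML 2.0 layout; URLs are placeholders).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/sso/entity">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.test/sso/logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/sso/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Extract the values that the IdP application form asks for."""
    if "<!DOCTYPE" in xml_text:  # SAML metadata never needs a DTD; refuse entity tricks
        raise ValueError("DOCTYPE not allowed in metadata")
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find(MD + "SPSSODescriptor")
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    return {
        "entity_id": root.get("entityID"),
        "acs_urls": [e.get("Location") for e in sp.findall(MD + "AssertionConsumerService")],
        "slo_urls": [e.get("Location") for e in sp.findall(MD + "SingleLogoutService")],
    }


def check_idp_settings(metadata, entity_id, acs_url, slo_url):
    """Return mismatches between the SP metadata and the values entered in the IdP."""
    problems = []
    if entity_id != metadata["entity_id"]:  # exact match: a trailing slash is a mismatch
        problems.append("Entity ID differs from SP entityID")
    if acs_url not in metadata["acs_urls"]:
        problems.append("ACS URL is not an AssertionConsumerService in SP metadata")
    if slo_url not in metadata["slo_urls"]:
        problems.append("SLO Endpoint is not a SingleLogoutService in SP metadata")
    for url in (acs_url, slo_url):
        if not url.startswith("https://"):
            problems.append("non-HTTPS endpoint: " + url)
    return problems
```

An empty list from check_idp_settings means the three values agree with the metadata; any entry names the field to re-copy.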