SAML setup guide (PingOne)

Step 1 - Get Service Provider (SP) information from Workstars

  1. Login to your Workstars Administrator account (must be the primary account or technical user)
  2. Click on System Settings at the top
  3. Click Sign On from the left-nav menu
  4. Click the Setup button next to the Single Sign On (SAML) option
  5. Select PingOne
  6. From the Service Provider section, save a copy of the ACS URL and Entity ID as you will need these in the Step 2

 

Step 2 - Add Workstars app to PingOne

  1. Login to the PingOne administrator console
  2. On the main navigation, click Applications
  3. Click the Add Application button and select New SAML Application
  4. You should see the Application Details screen
  5. In the Application Name box, enter the name you want to show your users
  6. In the Application Description box, enter a brief description
  7. In the Category drop down, select an appropriate category (e.g. Human Resources)
  8. Upload an appropriate logo
  9. Click Continue to Next Step
  10. You should see the Application Configuration screen
  11. Ensure the Protocol Version is set to SAML v2.0
  12. In the Assertion Consumer Service (ACS) box, enter our ACS URL from Step 1
  13. In the Entity ID box, enter our Entity ID from Step 1
  14. Ensure the Signing Algorithm is set to RSA_SHA256
  15. Click Continue to Next Step
  16. You should see the SSO Attribute Mapping screen
  17. Click Save & Publish
  18. You should see the Review Setup screen
  19. Save a copy of the Initiate Single Sign-On (SSO) URL, as you will need it in Step 3
  20. Download the Signing Certificate, as you will need it in Step 3
  21. Download the SAML Metadata file, as you will need it in Step 3
  22. Click Finish

Step 3 - Configure sign on to use PingOne

  1. Log back into your Workstars Administrator account
  2. In the top bar, select System Settings
  3. In the left-nav menu, select Sign On
  4. Click Setup next to the Single Sign On (SAML) option
  5. Select PingOne
  6. In the SAML SSO URL box, enter the Initiate Single Sign-On (SSO) URL value you copied in Step 2
  7. Open the SAML Metadata file you downloaded in Step 2 with a text editor (e.g. Notepad)
  8. At the top of the file, in the EntityDescriptor tag, find the value of entityID (it should be in the format https://pingone.com/idp/<YourCompany>),  then copy and paste it into the Identity Provider Entity ID box
  9. Open the x509 Certificate you downloaded in Step 2 with a text editor (e.g. Notepad); It should be in PEM format, which looks like the following:
    • -----BEGIN CERTIFICATE-----
        MIIDjDCCAvWgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBgjELMAkGA1UEBhMCREUx
        DDAKBgNVBAgTA05SVzESMBAGA1UEBxMJU3RlaW5mdXJ0MRcwFQYDVQQKEw5TcGVu
        bmViZXJnLmNvbTEUMBIGA1UEAxMLUm9vdENBIDIwMDMxIjAgBgkqhkiG9w0BCQEW
        E3JhbGZAc3Blbm5lYmVyZy5uZXQwHhcNMDMwNDMwMDYwODU2WhcNMDQwNDI5MDYw
        ODU2WjCBgjELMAkGA1UEBhMCREUxDDAKBgNVBAgTA05SVzESMBAGA1UEBxMJU3Rl
        aW5mdXJ0MRcwFQYDVQQKEw5TcGVubmViZXJnLmNvbTEUMBIGA1UEAxMLVlBOLUdh
        dGV3YXkxIjAgBgkqhkiG9w0BCQEWE3JhbGZAc3Blbm5lYmVyZy5uZXQwgZ8wDQYJ
        KoZIhvcNAQEBBQADgY0AMIGJAoGBAMU7nDY6GWyp8rrp0u2EMzZIB7KjLVmSsIZM
        gSzqXO3zuusXTrM6zLdbXcqzBO37WTzFJT7z/7AiEPvecgruQkua0yfTtvvpiBDI
        R7cmT3FA5HXEwO5rh7hvyV5mz7vnrXJouG39j0wfOqINQyUGuZLnIGyGFaDrf/cL
        mpldFIibAgMBAAGjggEOMIIBCjAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1P
        cGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUy1wZm+aKiv4O
        xP1e3/e/PagYfAgwga8GA1UdIwSBpzCBpIAUAbvGM771ml6wDF29Qel4bFStZo6h
        gYikgYUwgYIxCzAJBgNVBAYTAkRFMQwwCgYDVQQIEwNOUlcxEjAQBgNVBAcTCVN0
        ZWluZnVydDEXMBUGA1UEChMOU3Blbm5lYmVyZy5jb20xFDASBgNVBAMTC1Jvb3RD
        QSAyMDAzMSIwIAYJKoZIhvcNAQkBFhNyYWxmQHNwZW5uZWJlcmcubmV0ggEAMA0G
        CSqGSIb3DQEBBAUAA4GBAG+JK5Wv8Y1Nt9/obfeS+0iMxBpDaGWXAYemhLWhOL1i
        dHDbnngZ2QyvGK0Td1Z9Pxlh2rp0MI7FUA7j6/+VzY3WfsMOq1s0lLwWD+/c3kC7
        fbqiuF35dOcoWHWgZtKNhbo4gggQM+++KckxnWOp9+CZ6qfttrUzGxxKpAVAbkB7
        -----END CERTIFICATE-----
  10. Copy and paste the file contents into the x509 Certificate box
  11. In the Remote Logout URL box, enter an appropriate URL where you would like the user to be redirected when they logout
    • We suggest you use your PingOne Dock URL, e.g. https://desktop.pingone.com/<your-company>
    • It should NEVER be the same as our SAML SSO URL or the user will just be logged back in and can never logout
  12. Leave the NameID as the default Email (We also support EmployeeID, but configuring PingOne is outside the scope of this document, please contact PingOne support)
  13. Click Confirm to save the settings

 

Step 4 - Test & enable

The setup is now complete, but it is NOT yet visible for employees on the login page.

Note

Please ensure you have an account in PingOne which has the new App assigned to it and you have an account in our system with the same email address

When you are ready, you must enable it:

  1. On the System Settings Sign On page, click the Enable button next to Single Sign On (SAML)
  2. Copy the test link
  3. Open an Incognito/InPrivate browser tab and paste in the link
  4. You should be redirected to the PingOne login page
  5. If you login, you should be redirected back to our system and automatically logged in

    Note

    If you haven’t already done so, we recommend that you log back into PingOne and assign all your users and groups at this time

  6. If the test worked, go back to the other browser window and click the Enable button
  7. If you experience any errors please check the settings are correct; If you need further assistance, please capture any error message screens and contact support

You have now enabled Single Sign On (SAML) for all employees; Check the login is working:

  • Visit your Workstars login URL (not the test one), it should be something like: https://<your-sub-domain>.workstars.com
    • You should be redirected to the PingOne login page and asked to login
    • If you are already logged in, you should be redirected back and logged into our system
  • Employees can also login directly from the PingOne portal
    • To test this, open the App Launcher menu and click the app (you may need to find it in the All tab)
    • You should be redirected to our site and logged in

 

Troubleshooting

On our login page it says “Sorry we could not find your account, please contact your HR Team”

Strictly speaking, this isn't an error. The reason is that you have tried to login via SAML but the account you have used does not have a matching account in our system. To resolve it simply create an account in our system with the same details. If you are not using email as the nameID please check that the alternative is the same in both systems (e.g. employeeID, extnernaID, etc.) and that it is being correctly sent in the SAML request.

On our login page it says “There is a problem with Single Sign On, please contact your IT department”

This is a general error and means that there is something wrong with the setup. Please check it is setup as described above, if you have followed a different guide (some providers also have their own guides) please start again using this document as a guide. If you have checked everything and cannot find any issues please contact support and we will help you resolve the problem.

I can login from the Identity Providers portal but when I try and login from the Workstars login page it redirects me to a message that says “page not found” or another error

This is usually because you have entered an incorrect SAML SSO URL, please check it is correct. If you have checked and cannot find any issues please contact support and we will help you resolve the problem.

Was this article helpful?

1 out of 1 found this helpful

Comments (0 comments)

Article is closed for comments.