Integrating Ping Identity SAML with Edge Delta

Ping Identity SAML integration for the Edge Delta web application.

Overview

You can integrate Ping Identity SAML with Edge Delta. You create an application configuration in Ping Identity, add a group of users, and provide Edge Delta with the generated IDP Metadata URL. Edge Delta uses the URL to communicate with the identity provider.

Edge Delta supports both identity provider (IDP) and service provider (SP) initiated login workflows. The IDP workflow logs in a user from the IDP dashboard, whereas the SP workflow logs a user in from the Edge Delta login page.

1. Create an Application

  1. Log onto the Ping Identity dashboard with an administrator account.
  2. Click Connections - Applications.
  3. Click Applications +.
  4. For Application Name, enter Edge Delta.
  5. For Application Type, select SAML Application.
  6. Click Configure.
  7. Select Import From URL, enter https://api.edgedelta.com/saml/metadata, and click Import.
  • The ACS URLs and Entity ID fields will populate automatically.
  8. Click Save.
  9. Select the Configuration tab and click the pencil to edit.
  10. In the Subject NameID Format drop-down menu, select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
  11. Specify the target application URL as https://app.edgedelta.com/saml if the IDP-initiated login flow will be used.
  12. Ensure that the field values are as follows, then click Save.
  • Import URL: https://api.edgedelta.com/saml/metadata
  • ACS URLs: https://api.edgedelta.com/saml/acs
  • ENTITY ID: https://api.edgedelta.com/saml/metadata
  • TARGET APPLICATION URL: https://app.edgedelta.com/saml
  13. Select the Attribute Mapping tab and click the pencil to edit.
  14. In the Attribute Mapping table, click + Add, and create the following entry:
  • Select the email Attribute.
  • Select Email Address for PingOne Mappings.
  • Select the Required checkbox.
  15. Optionally, add the groups Attribute and Group Names PingOne Mapping and make it required if group attributes are required in the assertion response.
  16. Click Save.

2. Create Users

Click Identities - Users and create any users that will need to access Edge Delta if they don’t already exist.

3. Create Groups

Configure attribute mapping if group attributes are required in the assertion response, for example, to enable JIT permissions provisioning:

  1. Select Groups and create an Edge Delta group.
  2. Add the required users to the Edge Delta group.
  3. Edit the group access policy and click + to enable access for the group to the Edge Delta application.

4. Enable the Application

  1. Click Connections - Applications.
  2. Enable the Edge Delta application with the sliding button.
  3. Select the Edge Delta application.
  4. Click the Configuration tab.
  5. Locate and copy the IDP Metadata URL. You will need this information in a later step. The metadata includes the URLs of the IDP's endpoints, its supported bindings, identifiers, and public keys.
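Before pasting the IDP Metadata URL into Edge Delta, it is worth looking at what that metadata actually advertises: the entity ID, the single sign-on endpoints and their bindings, the NameID formats, and the signing certificate whose fingerprint you can compare against what the Ping Identity console shows. The following is an added example, not Edge Delta or Ping Identity code; the metadata document, entity ID, endpoints and certificate body inside it are constructed placeholders.

```python
"""Inspect an IdP SAML metadata document before handing its URL to Edge Delta.

Added example, not Edge Delta or Ping Identity code. The metadata below is a
constructed, minimal document in the shape an IdP publishes; the entity ID,
endpoints and certificate body are placeholders, not real values.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample. A real document carries a full base64 X.509 certificate;
# here the certificate body is the base64 of the placeholder string
# "PLACEHOLDER-CERT-DER" so the example runs offline.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://auth.pingone.example/IDP-ENTITY-ID-PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>UExBQ0VIT0xERVItQ0VSVC1ERVI=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://auth.pingone.example/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://auth.pingone.example/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def summarize_idp_metadata(xml_text: str) -> dict:
    """Extract identifiers, endpoints, bindings and signing-key fingerprints from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("document is not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")

    endpoints = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        # Shorten the binding URN to its last segment, e.g. HTTP-POST.
        endpoints[sso.get("Binding").rsplit(":", 1)[-1]] = sso.get("Location")

    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # tolerate wrapped base64
            fingerprints.append(hashlib.sha256(der).hexdigest())

    return {
        "entity_id": root.get("entityID"),
        "nameid_formats": [f.text.strip() for f in idp.findall("md:NameIDFormat", NS)],
        "sso_endpoints": endpoints,
        "signing_cert_sha256": fingerprints,
    }


def check_metadata(summary: dict) -> list:
    """Return the problems an administrator should resolve before using this metadata."""
    problems = []
    if not summary["signing_cert_sha256"]:
        problems.append("no signing certificate: assertion signatures cannot be verified")
    if EMAIL_NAMEID not in summary["nameid_formats"]:
        problems.append("IdP does not advertise the emailAddress NameID format")
    if not summary["sso_endpoints"]:
        problems.append("no SingleSignOnService endpoint")
    for binding, url in summary["sso_endpoints"].items():
        if not url.startswith("https://"):
            problems.append("%s endpoint is not HTTPS: %s" % (binding, url))
    return problems


if __name__ == "__main__":
    summary = summarize_idp_metadata(SAMPLE_METADATA)
    for key, value in summary.items():
        print("%-20s %s" % (key, value))
    print("problems:", check_metadata(summary) or "none")
```

The signing-certificate fingerprint is the value to compare against the certificate shown in the Ping Identity console; if the metadata you fetch carries a different key, you are not talking to the IDP you configured.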

5. Sync the Ping Application with the Edge Delta App

  1. Log on to the Edge Delta App with an administrator account.
  2. Click Admin and select the My Organization tab.
  3. In the Organization section, click Edit.
  4. In the Approved Domains field, enter the domains of the email addresses authorized to join the organization. You specify a domain and press Enter before entering the next domain.
  5. Click Save.
  6. In the SAML Settings section, click Edit.
  7. If you are using a Service Provider Initiated login workflow, you must enter the domain of the email addresses of authorized users from step 4. You can enter a comma-separated list of different domains.
  8. Select Metadata URL, and then paste the IDP Metadata URL you copied earlier.
  9. For Metadata URL Verification, select Enabled.
  10. Optionally, select Enforcement - Require Authentication Via SAML To Access This Organization. This disables the ability to log in to Edge Delta with a username and password for normal users. They must use the IDP to log in. However, Edge Delta admin account holders can still log in with their username and password on the Edge Delta login page.
  11. Optionally, select JIT Provisioning - Enable JIT User Provisioning And Dynamic Group Membership For This Organization. Enter a Group Attribute Mapping Field and a Default Group. The field name is groups by default but it is configurable. It should match the SAML attribute name sent by IDP.
  12. Click Save.

Just in Time (JIT) provisioning determines the group configured for the user in the IDP based on the Group Attribute Mapping Field and it assigns users to an existing Edge Delta permissions group with the same name.

<saml:Attribute 
   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
   Name="groups">
   <saml:AttributeValue
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:string">custom_admin
   </saml:AttributeValue>
   <saml:AttributeValue
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:string">custom_super_admin
   </saml:AttributeValue>
</saml:Attribute>

In this example of an IDP’s SAML group assertion, the groups values are custom_admin and custom_super_admin. The user will be added to an Edge Delta group called custom_admin if it exists in Edge Delta and it will also be added to the custom_super_admin group if it exists. When there is more than one group, the user will have the most permissive permissions of the groups they belong to.

If no IDP group is detected, or if the asserted group does not match an existing Edge Delta group, the user is added to the default group. When the user logs out, they are removed from the Edge Delta group.
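The rules above (email-format NameID, approved domains, the Group Attribute Mapping Field, fall-back to the default group, and most-permissive-wins for multiple groups) can be checked against a real assertion offline. The following is an added example, not Edge Delta or Ping Identity code: the assertion is a constructed fragment modelled on the example above, and the Edge Delta group names, their permission ranks and the approved-domain list are assumptions used only to illustrate the behaviour the page describes.

```python
"""Apply the page's JIT group rules to a SAML assertion's attributes.

Added example, not Edge Delta or Ping Identity code. The assertion is a
constructed fragment modelled on the page's example; the Edge Delta group
names, their permission ranks and the approved-domain list are assumptions.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed assertion. The group values keep the surrounding whitespace seen
# in the page's example, and one group (finance_readers) has no Edge Delta
# counterpart, so it must be ignored rather than created.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="email">
      <saml:AttributeValue xsi:type="xs:string">alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="groups">
      <saml:AttributeValue xsi:type="xs:string">custom_admin
      </saml:AttributeValue>
      <saml:AttributeValue xsi:type="xs:string">custom_super_admin
      </saml:AttributeValue>
      <saml:AttributeValue xsi:type="xs:string">finance_readers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Assumed Edge Delta permission groups; a higher rank means more permissive.
EDGE_DELTA_GROUPS = {"member": 1, "custom_admin": 2, "custom_super_admin": 3}
DEFAULT_GROUP = "member"


def subject_email(assertion_xml: str) -> str:
    """Return the NameID, requiring the emailAddress format selected in the Ping configuration."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID:
        raise ValueError("NameID missing or not in emailAddress format")
    return name_id.text.strip()


def domain_allowed(email: str, approved_domains) -> bool:
    """Exact, case-insensitive match of the address's domain against the Approved Domains list.

    Exact match matters: a suffix or substring test would accept notexample.com
    for an approved example.com.
    """
    domain = email.rpartition("@")[2].lower()
    return domain in {d.strip().lower() for d in approved_domains}


def attribute_values(assertion_xml: str, name: str) -> list:
    """Return the stripped values of the named attribute (the Group Attribute Mapping Field)."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            return [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                    if v.text and v.text.strip()]
    return []  # attribute absent: "no IDP group detected"


def resolve_jit_groups(asserted: list, existing_groups, default_group: str) -> list:
    """Keep asserted groups that exist in Edge Delta; with none left, fall back to the default group."""
    matched = [g for g in asserted if g in existing_groups]
    return matched or [default_group]


def effective_rank(groups: list, ranks: dict) -> int:
    """The most permissive group wins when the user belongs to more than one."""
    return max(ranks[g] for g in groups)


if __name__ == "__main__":
    email = subject_email(SAMPLE_ASSERTION)
    print("subject:", email, "approved:", domain_allowed(email, ["example.com"]))
    groups = resolve_jit_groups(attribute_values(SAMPLE_ASSERTION, "groups"),
                                EDGE_DELTA_GROUPS, DEFAULT_GROUP)
    print("groups:", groups, "rank:", effective_rank(groups, EDGE_DELTA_GROUPS))
```

If the attribute name in the assertion is not the one entered as the Group Attribute Mapping Field (here "groups"), `attribute_values` returns an empty list and every user lands in the default group, which is the first thing to check when JIT users end up with fewer permissions than expected.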

Removing Admin Permissions

To remove regular permissions from a user when JIT is enabled, simply remove them from the permissions group in your IDP. However, to remove admin permissions from a user, you must remove them using the IDP and also remove them from the Admin group in Edge Delta. This helps prevent accidental account lockout. To remove an admin user:

  1. Remove admin permissions from the user in the IDP (if JIT is enabled).
  2. In the Edge Delta app, click Admin - My Organization.
  3. Click Groups.
  4. Click the Actions column button in the Admin row and select Edit User Group.
  5. Click Group Members.
  6. Click the Delete button on the user you want to remove from the Admin group.