Setting up PingID (PingOne) SSO in Operations for the Client Portal

Setting up PingOne

If you have already created a SAML application specifically for this SSO, you can skip creating a new one and edit the existing application as needed, starting at step 6.

  1. Log into your PingOne account and navigate to the Applications section. From the main menu select Applications > Applications.

  2. Click on the blue plus sign to create a new application.

  3. Enter an Application Name, select SAML Application under Application Type, then click Configure.

  4. For the SAML Configuration, select Manually Enter and enter the ACS URL and the Entity ID URL, then click Save.

  5. The SAML Application is now created and you should be able to edit the application. Make sure to turn the application on by clicking the toggle, then click Configuration.

  6. Click the blue pencil icon to edit.

  7. Scroll down to Target Application URL and enter https://nnnn0.cxtsoftware.net/Rapidship/#/sso-relay, replacing nnnn0 with the correct customer ID+0, then click Save.

  8. Click on Attribute Mapping and click the blue pencil icon to edit.

  9. Change the value in the PingOne Mappings column to “Email Address” and save.

  10. Click Configuration then Download Signing Certificate to download the .crt file used for setting up the Domain Profile in the Operations App. Then copy the Issuer ID and Initiate Single Sign-On URL to a notepad to have them accessible when configuring the Operations App.

Quick Tip: Note that the URLs and signing certificate will be needed when configuring the Operations App.

Setting up SSO in CXT Operations

  1. In the Operations App, navigate to Maintenance > Single Sign-On (SSO). If this is a new setup, there should be no domain profiles listed. Click on the small monitor icon to open the Central SSO Config.

  2. Only two fields have to be edited here: enter the associated Certificate Password and upload a PFX Certificate by dragging and dropping or clicking Browse for certificate. A PFX file can only be generated with a password, and that password is required to save the configuration. If this is already filled out, you do not need to change anything unless the customer has a new PFX file they want to use. Note that PFX files do expire and need replacing on occasion.

  3. Once the config is saved, click on the Create New button in the top right corner to add a new domain profile.

  4. In the Create SSO drawer:

    • SSO Provider Name - This must be a unique name.

    • SSO Domain - Enter the domain of the email address of the user that will be using the SSO. For example, if all the Client Portal users that will be using the SSO are on xdhosted.com (bob@xdhosted.com), you would enter xdhosted.com into this field. Do not add the ‘@’ symbol or any name that would come before it. Just the domain is needed here.

    • Entity ID URL - This is the Issuer ID displayed in PingOne. Enter that URL here.

    • SSO Login URL - This is the Initiate Single Sign-On URL displayed in PingOne. Enter that URL here.

    • Internet User Template – Select an internet user template that you want to designate as the template to set up newly created SSO users.

    • Certificate - Drag and drop or click Browse for a certificate to upload a CRT certificate downloaded from the PingOne site. See step 8 above. The name field will be filled in automatically with the file you selected. This certificate does not require a password as the PFX certificate does.

  5. Save the domain profile.

Tips

  • If the email address for a new SSO user is already associated with an existing internet user record, you will need to update the existing record with a different email or delete the record. For example, if Bob Smith already has an existing user account named bsmith and is using bob@domain.com as his email address, when he tries to log on using bob@domain.com, the SSO would not be able to create a new user since that email address is already used in the bsmith account.

  • There are now two different login prompts the user may see in the Client Portal.

    • When the SSO is properly configured, only a username field will be displayed.

      • If a valid SSO login email address is entered, the user will either be taken to validate the account at PingOne if needed or logged in directly to the Client Portal.

      • If a standard login username or an email address is not recognized by the SSO, the user will see a password box appear to log in.

    • When the SSO is not properly configured or not being used, the classic login prompt with both the username and password fields is displayed. This is a good way to tell whether the SSO is properly configured, as you will only see the Username prompt if the domain profile is configured correctly. SSO does not apply to the Driver Portal.
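
The first tip above, as an added example (not part of the original article and not CXT tooling): a Python check that lists the existing internet user records that would block SSO user creation for a given SSO Domain, so they can be updated or deleted before the domain profile goes live. The username,email export layout, the function names and the case-insensitive email comparison are assumptions.

```python
import csv
import io


def normalize_sso_domain(value):
    """Reduce whatever was typed to the bare domain the SSO Domain field expects."""
    v = value.strip().lower()
    if "://" in v:              # pasted as a link, e.g. http://xdhosted.com
        v = v.split("://", 1)[1]
    v = v.split("/", 1)[0]      # drop any path that came with the link
    if "@" in v:                # full address, or a leading '@'
        v = v.rsplit("@", 1)[1]
    if not v or "." not in v or " " in v:
        raise ValueError(f"not a usable domain: {value!r}")
    return v


def find_blocking_records(export_csv, sso_domain):
    """Return (username, email) for existing records on the SSO domain.

    Each of these already owns an address that a first-time SSO login would
    try to use, so SSO could not create the new user until the record is
    given a different email or deleted.
    """
    domain = normalize_sso_domain(sso_domain)
    blocking = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        # Assumption: addresses are compared case-insensitively.
        email = (row.get("email") or "").strip().lower()
        if "@" in email and email.rsplit("@", 1)[1] == domain:
            blocking.append((row["username"], email))
    return sorted(blocking)


# Constructed sample export; the column layout is an assumption.
SAMPLE_EXPORT = """username,email
bsmith,bob@domain.com
jdoe,Jane.Doe@Domain.com
dispatch,ops@other-domain.test
legacy,
"""

if __name__ == "__main__":
    for username, email in find_blocking_records(SAMPLE_EXPORT, "@domain.com"):
        print(f"{username}: {email} would block SSO user creation")
```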
