This document explains how to configure L2L to use Ping Identity's SAML authentication.
Step 1: Create the L2L SAML config
We first create a new SAML Config that defines the SAML Trust between Dispatch and the Okta application. Log in to [customer].leading2lean.com, and navigate to Setup -> IT Setup -> SAML SSO Config. Click the Add New link.
In the Add New SAML Config page, we will enter the following information:
- Code: this must be a unique code among all the Dispatch SAML Configs and is used in the Dispatch SAML URLs. For this example, we will use the code acme-ping-sso.
- Display Name: this is the user-visible text on the Dispatch login page. We will use Dispatch ACME Ping SSO for this example.
- IdP User Naming Attribute: You need to choose how users will log into Dispatch. Choosing email requires that the Dispatch user accounts have their email addresses set to the same email address set on users’ Ping accounts, and choosing username requires that the Dispatch username matches the Ping username.
- Leave all the other fields blank for now and click Save. Now click on the new SAML Config that you just created. We'll use the SP Initiate, SP SSO URL, SP SLO URL, and SP Entity ID values in the next step.
Step 2: Download the L2L SSL Certificate
- Go to https://[customer].leading2lean.com, and download the SSL certificate. This certificate is necessary for the logout functionality.
Step 3: Create the Ping Identity SAML config
- Create a new Application, and enter an Application Name, Application Description, and Category, then click Next.
- Set the Protocol Version to SAML v2.0
- Enter the following L2L URLs into the Ping config:
  L2L URL        Ping Setting
  SP Initiate    (not used)
  SP SSO URL     ACS URL
  SP SLO URL     Single Logout Response Endpoint
  SP Entity ID   entityId
- Set Single Logout Binding Type to "Redirect"
- Upload the L2L SSL certificate that you downloaded above.
- Note: L2L updates their SSL certificate on a yearly basis. You will need to update the SSL Certificate in the Ping config when L2L updates their certificate.
- Save the configuration
- Download the Signing Certificate. This will be used in the L2L config.
- Download the SAML Metadata. This will be used to fill in the L2L config.
Step 4: Update the L2L SAML Config
- Open the SAML Metadata file. This is an XML file that contains all of the data you'll need to enter into the IdP fields of the L2L config.
  Ping SAML Metadata property                                  L2L Setting
  <md:EntityDescriptor ... entityID="[IdP Entity Id]" ... >    IdP Entity Id
    (this can also be found in the Ping config screen under "Issuer")
  <md:SingleSignOnService Location="[IdP SSO URL]" ... >       IdP SSO URL
  <md:SingleLogoutService Location="[IdP SLO URL]" ... >       IdP SLO URL
- Open the Signing Certificate file in a text editor. This file should start with "-----BEGIN CERTIFICATE-----". Copy the entire contents and paste it into the IdP Certificate Information setting in L2L.
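As an added example (not part of this guide, and not L2L's or Ping's own tooling), the following Python script reads the three IdP values above out of a Ping SAML metadata file and checks that the signing certificate file is PEM before you paste it into L2L. The metadata document and the idp.example.com hostnames in it are constructed samples.

```python
# Added example (not L2L's or Ping's code): pull the three IdP values that
# Step 4 asks for out of a Ping SAML metadata file. The metadata and
# certificate text below are constructed samples, not real Ping output.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_METADATA = f"""
<md:EntityDescriptor xmlns:md="{MD}" entityID="https://idp.example.com/idp/acme">
  <md:IDPSSODescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}"
        Location="https://idp.example.com/idp/SLO.saml2"/>
    <md:SingleSignOnService Binding="{POST}"
        Location="https://idp.example.com/idp/SSO-post.saml2"/>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://idp.example.com/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_settings(metadata_xml, binding=REDIRECT):
    """Return IdP Entity Id / SSO URL / SLO URL for the L2L SAML Config,
    taking only endpoints advertised for `binding` (this guide uses Redirect)."""
    root = ET.fromstring(metadata_xml.strip())
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def location(service):  # first endpoint of `service` using `binding`
        for el in idp.findall(f"{{{MD}}}{service}"):
            if el.get("Binding") == binding and el.get("Location"):
                return el.get("Location")
        raise ValueError(f"no {service} for binding {binding}")

    return {"IdP Entity Id": root.get("entityID"),
            "IdP SSO URL": location("SingleSignOnService"),
            "IdP SLO URL": location("SingleLogoutService")}


def is_pem_certificate(text):
    """True if the signing certificate file is PEM, as the L2L field expects."""
    lines = text.strip().splitlines()
    return (len(lines) >= 3 and lines[0] == "-----BEGIN CERTIFICATE-----"
            and lines[-1] == "-----END CERTIFICATE-----")
```

Run it against the real metadata file (`idp_settings(open("metadata.xml").read())`) and paste the returned values into the matching L2L fields; a missing endpoint for the Redirect binding raises rather than leaving a field blank.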
Step 5: Test
- Go to https://[customer].leading2lean.com in a new browser session. Click on the SAML link below the login form that you created above.
- Log in using your SAML login info
- You should be logged in to Dispatch
- Log out from Dispatch
- You should be taken to your Identity login screen
Other settings
If you follow the above steps and your SAML doesn't work as expected, try updating the following settings:
- In the Ping configuration, set the "Single Logout Endpoint" to the same value as you used for the IdP SLO URL in the L2L config. This is found in the SAML Metadata file: <md:SingleLogoutService Location="[IdP SLO URL]" ... >
- Force IdP Authentication Each Login:
  - Disabled: in some browsers, this will keep your SAML session active when you log out of L2L.
  - Enabled: when you log out of L2L, it will also log you out of your SAML session. This is ideal when using a shared device.